• Configure security policy processing

This policy setting determines when security policies are updated.

This policy setting affects all policies that use the security component of Group Policy, such as those in Windows Settings\Security Settings.

This policy setting overrides customized settings that the program implementing the security policy set when it was installed.

If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.

The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.

The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they be updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.

user rights assignment admx

  • Administrative Templates (Computers)
  • Do not display the lock screen
  • Force a specific background and accent color
  • Force a specific default lock screen and logon image
  • Force a specific Start background
  • Prevent changing lock screen and logon image
  • Prevent changing start menu background
  • Prevent enabling lock screen camera
  • Prevent enabling lock screen slide show
  • Turn off automatic learning
  • Allow users to enable online speech recognition services
  • Block clean-up of unused language packs
  • Force selected system UI language to overwrite the user UI language
  • Restricts the UI language Windows uses for all logged users
  • Apply the default user logon picture to all users
  • Allow Online Tips
  • Settings Page Visibility
  • Allow BITS Peercaching
  • Do not allow the BITS client to use Windows Branch Cache
  • Do not allow the computer to act as a BITS Peercaching client
  • Do not allow the computer to act as a BITS Peercaching server
  • Limit the age of files in the BITS Peercache
  • Limit the BITS Peercache size
  • Limit the maximum BITS job download time
  • Limit the maximum network bandwidth for BITS background transfers
  • Limit the maximum network bandwidth used for Peercaching
  • Limit the maximum number of BITS jobs for each user
  • Limit the maximum number of BITS jobs for this computer
  • Limit the maximum number of files allowed in a BITS job
  • Limit the maximum number of ranges that can be added to the file in a BITS job
  • Set default download behavior for BITS jobs on costed networks
  • Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers
  • Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers
  • Timeout for inactive BITS jobs
  • Configure BranchCache for network files
  • Configure Client BranchCache Version Support
  • Configure Hosted Cache Servers
  • Enable Automatic Hosted Cache Discovery by Service Connection Point
  • Set age for segments in the data cache
  • Set BranchCache Distributed Cache mode
  • Set BranchCache Hosted Cache mode
  • Set percentage of disk space used for client computer cache
  • Turn on BranchCache
  • Corporate Resources
  • Custom Commands
  • DirectAccess Passive Mode
  • Friendly Name
  • IPsec Tunnel Endpoints
  • Prefer Local Names Allowed
  • Support Email Address
  • User Interface
  • Allow DNS suffix appending to unqualified multi-label name queries
  • Allow NetBT queries for fully qualified domain names
  • Connection-specific DNS suffix
  • DNS servers
  • DNS suffix search list
  • Dynamic update
  • IDN mapping
  • Prefer link local responses over DNS when received over a network with higher precedence
  • Primary DNS suffix devolution level
  • Primary DNS suffix devolution
  • Primary DNS suffix
  • Register DNS records with connection-specific DNS suffix
  • Register PTR records
  • Registration refresh interval
  • Replace addresses in conflicts
  • TTL value for A and PTR records
  • Turn off IDN encoding
  • Turn off multicast name resolution
  • Turn off smart multi-homed name resolution
  • Turn off smart protocol reordering
  • Update security level
  • Update top level domain zones
  • Enable Font Providers
  • Enable Hotspot Authentication
  • Cipher suite order
  • Hash Publication for BranchCache
  • Hash Version support for BranchCache
  • Honor cipher suite order
  • Enable insecure guest logons
  • Handle Caching on Continuous Availability Shares
  • Offline Files Availability on Continuous Availability Shares
  • Turn on Mapper I/O (LLTDIO) driver
  • Turn on Responder (RSPNDR) driver
  • Set PNRP cloud to resolve only
  • Set the Seed Server
  • Turn off Multicast Bootstrap
  • Turn off PNRP cloud creation
  • Disable password strength validation for Peer Grouping
  • Turn off Microsoft Peer-to-Peer Networking Services
  • Windows Defender Firewall: Allow ICMP exceptions
  • Windows Defender Firewall: Allow inbound file and printer sharing exception
  • Windows Defender Firewall: Allow inbound remote administration exception
  • Windows Defender Firewall: Allow inbound Remote Desktop exceptions
  • Windows Defender Firewall: Allow inbound UPnP framework exceptions
  • Windows Defender Firewall: Allow local port exceptions
  • Windows Defender Firewall: Allow local program exceptions
  • Windows Defender Firewall: Allow logging
  • Windows Defender Firewall: Define inbound port exceptions
  • Windows Defender Firewall: Define inbound program exceptions
  • Windows Defender Firewall: Do not allow exceptions
  • Windows Defender Firewall: Prohibit notifications
  • Windows Defender Firewall: Prohibit unicast response to multicast or broadcast requests
  • Windows Defender Firewall: Protect all network connections
  • Windows Defender Firewall: Allow authenticated IPsec bypass
  • Do not show the "local access only" network icon
  • Prohibit installation and configuration of Network Bridge on your DNS domain network
  • Prohibit use of Internet Connection Firewall on your DNS domain network
  • Prohibit use of Internet Connection Sharing on your DNS domain network
  • Require domain users to elevate when setting a network's location
  • Route all traffic through the internal network
  • Specify corporate DNS probe host address
  • Specify corporate DNS probe host name
  • Specify corporate site prefix list
  • Specify corporate Website probe URL
  • Specify domain location determination URL
  • Specify global DNS
  • Specify passive polling
  • Domains categorized as both work and personal
  • Enterprise resource domains hosted in the cloud
  • Internet proxy servers for apps
  • Intranet proxy servers for apps
  • Private network ranges for apps
  • Proxy definitions are authoritative
  • Subnet definitions are authoritative
  • Hardened UNC Paths
  • Action on server disconnect
  • Allow or Disallow use of the Offline Files feature
  • At logoff, delete local copy of user's offline files
  • Configure Background Sync
  • Configure slow-link mode
  • Configure Slow link speed
  • Default cache size
  • Enable file screens
  • Enable file synchronization on costed networks
  • Enable Transparent Caching
  • Encrypt the Offline Files cache
  • Event logging level
  • Files not cached
  • Initial reminder balloon lifetime
  • Limit disk space used by Offline Files
  • Non-default server disconnect actions
  • Prevent use of Offline Files folder
  • Prohibit user configuration of Offline Files
  • Reminder balloon frequency
  • Reminder balloon lifetime
  • Remove "Make Available Offline" command
  • Remove "Make Available Offline" for these files and folders
  • Remove "Work offline" command
  • Specify administratively assigned Offline Files
  • Subfolders always available offline
  • Synchronize all offline files before logging off
  • Synchronize all offline files when logging on
  • Synchronize offline files before suspend
  • Turn off reminder balloons
  • Turn on economical application of administratively assigned Offline Files
  • Best effort service type
  • Controlled load service type
  • Guaranteed service type
  • Network control service type
  • Qualitative service type
  • Non-conforming packets
  • Limit outstanding packets
  • Limit reservable bandwidth
  • Set timer resolution
  • Communities
  • Permitted Managers
  • Traps for public community
  • ECC Curve Order
  • SSL Cipher Suite Order
  • Set 6to4 Relay Name
  • Set 6to4 Relay Name Resolution Interval
  • Set 6to4 State
  • Set IP-HTTPS State
  • Set ISATAP Router Name
  • Set ISATAP State
  • Set Teredo Client Port
  • Set Teredo Default Qualified
  • Set Teredo Refresh Rate
  • Set Teredo Server Name
  • Set Teredo State
  • Set IP Stateless Autoconfiguration Limits State
  • Set Window Scaling Heuristics State
  • Disable power management in connected standby mode
  • Enable Windows to soft-disconnect a computer from a network
  • Minimize the number of simultaneous connections to the Internet or a Windows Domain
  • Prohibit connection to non-domain networks when connected to domain authenticated network
  • Prohibit connection to roaming Mobile Broadband networks
  • Configuration of wireless settings using Windows Connect Now
  • Prohibit access of the Windows Connect Now wizards
  • Prefer PIN pairing
  • Require PIN pairing
  • Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services
  • Let Windows apps access cellular data
  • Set 3G Cost
  • Set 4G Cost
  • Set Per-App Cellular Access UI Visibility
  • Sets how often a DFS Client discovers DC's
  • Activate Internet printing
  • Add Printer wizard - Network scan page (Managed network)
  • Add Printer wizard - Network scan page (Unmanaged network)
  • Allow job name in event logs
  • Allow printers to be published
  • Allow Print Spooler to accept client connections
  • Allow pruning of published printers
  • Always rasterize content to be printed using a software rasterizer
  • Always render print jobs on the server
  • Automatically publish new printers in Active Directory
  • Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps)
  • Check published state
  • Computer location
  • Custom support URL in the Printers folder's left pane
  • Directory pruning interval
  • Directory pruning priority
  • Directory pruning retry
  • Disallow installation of printers using kernel-mode drivers
  • Do not allow v4 printer drivers to show printer extensions
  • Enable Device Control Printing Restrictions
  • Execute print drivers in isolated processes
  • Extend Point and Print connection to search Windows Update
  • Isolate print drivers from applications
  • Limits print driver installation to Administrators
  • List of Approved USB-connected print devices
  • Log directory pruning retry events
  • Only use Package Point and print
  • Override print driver execution compatibility setting reported by print driver
  • Package Point and print - Approved servers
  • Point and Print Restrictions
  • Pre-populate printer search location text
  • Printer browsing
  • Prune printers that are not automatically republished
  • Disable context menus in the Start Menu
  • Pin Apps to Start when installed
  • Remove "Recently added" list from Start Menu
  • Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands
  • Show or hide "Most used" list from Start menu
  • Start Layout
  • Customize message for Access Denied errors
  • Enable access-denied assistance on client for all file types
  • Microsoft Customer Experience Improvement Program (CEIP)
  • Enable Migration Mode
  • Integration Root Global
  • Integration Root User
  • Roaming File Exclusions
  • Roaming Registry Exclusions
  • Enable automatic cleanup of unused appv packages
  • Enable background sync to server when on battery power
  • Enable Publishing Refresh UX
  • Publishing Server 1 Settings
  • Publishing Server 2 Settings
  • Publishing Server 3 Settings
  • Publishing Server 4 Settings
  • Publishing Server 5 Settings
  • Reporting Server
  • Enable Package Scripts
  • Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection
  • Certificate Filter For Client SSL
  • Enable Support for BranchCache
  • Location Provider
  • Package Installation Root
  • Package Source Root
  • Reestablishment Interval
  • Reestablishment Retries
  • Require Publish As Admin
  • Shared Content Store (SCS) mode
  • Specify what to load in background (aka AutoLoad)
  • Verify certificate revocation list
  • Enable Dynamic Virtualization
  • Virtual Component Process Allow List
  • Enable App-V Client
  • Include command line in process creation events
  • Allow delegating default credentials
  • Allow delegating default credentials with NTLM-only server authentication
  • Allow delegating fresh credentials
  • Allow delegating fresh credentials with NTLM-only server authentication
  • Allow delegating saved credentials
  • Allow delegating saved credentials with NTLM-only server authentication
  • Deny delegating default credentials
  • Deny delegating fresh credentials
  • Deny delegating saved credentials
  • Encryption Oracle Remediation
  • Remote host allows delegation of non-exportable credentials
  • Restrict delegation of credentials to remote servers
  • Deploy Windows Defender Application Control
  • Turn On Virtualization Based Security
  • Enable Device Health Attestation Monitoring and Reporting
  • Allow administrators to override Device Installation Restriction policies
  • Allow installation of devices that match any of these device IDs
  • Allow installation of devices that match any of these device instance IDs
  • Allow installation of devices using drivers that match these device setup classes
  • Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria
  • Display a custom message title when device installation is prevented by a policy setting
  • Display a custom message when installation is prevented by a policy setting
  • Prevent installation of devices not described by other policy settings
  • Prevent installation of devices that match any of these device IDs
  • Prevent installation of devices that match any of these device instance IDs
  • Prevent installation of devices using drivers that match these device setup classes
  • Prevent installation of removable devices
  • Time (in seconds) to force reboot when required for policy changes to take effect
  • Allow remote access to the Plug and Play interface
  • Configure device installation time-out
  • Do not send a Windows error report when a generic driver is installed on a device
  • Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point
  • Prevent device metadata retrieval from the Internet
  • Prevent Windows from sending an error report when a device driver requests additional software during installation
  • Prioritize all digitally signed drivers equally during the driver ranking and selection process
  • Specify search order for device driver source locations
  • Specify the search server for device driver updates
  • Turn off "Found New Hardware" balloons during device installation
  • Prevent redirection of devices that match any of these device Ids
  • Prevent redirection of USB devices
  • Turn Off Boot and Resume Optimizations
  • Turn Off Cache Power Mode
  • Turn Off Non Volatile Cache Feature
  • Turn Off Solid State Mode
  • Apply policy to removable media
  • Default quota limit and warning level
  • Enable disk quotas
  • Enforce disk quota limit
  • Log event when quota limit exceeded
  • Log event when quota warning level exceeded
  • Configure Per-Process System DPI settings
  • Turn off GdiDPIScaling for applications
  • Turn on GdiDPIScaling for applications
  • Allow local activation security check exemptions
  • Define Activation Security Check exemptions
  • Allow non-administrators to install drivers for these device setup classes
  • Turn off Windows Update device driver search prompt
  • Boot-Start Driver Initialization Policy
  • Allow only USB root hub connected Enhanced Storage devices
  • Configure list of Enhanced Storage devices usable on your computer
  • Configure list of IEEE 1667 silos usable on your computer
  • Do not allow non-Enhanced Storage removable devices
  • Do not allow password authentication of Enhanced Storage devices
  • Do not allow Windows to activate Enhanced Storage devices
  • Lock Enhanced Storage when the computer is locked
  • File Classification Infrastructure: Display Classification tab in File Explorer
  • File Classification Infrastructure: Specify classification properties list
  • Configure maximum age of file server shadow copies
  • Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers.
  • Do not allow compression on all NTFS volumes
  • Do not allow encryption on all NTFS volumes
  • Enable / disable TXF deprecated features
  • Enable NTFS pagefile encryption
  • Short name creation options
  • Disable delete notifications on all volumes
  • Enable Win32 long paths
  • Selectively allow the evaluation of a symbolic link
  • Redirect folders on primary computers only
  • Use localized subfolder names when redirecting Start Menu and My Documents
  • Configure Applications preference logging and tracing
  • Configure Data Sources preference logging and tracing
  • Configure Devices preference logging and tracing
  • Configure Drive Maps preference logging and tracing
  • Configure Environment preference logging and tracing
  • Configure Files preference logging and tracing
  • Configure Folder Options preference logging and tracing
  • Configure Folders preference logging and tracing
  • Configure Ini Files preference logging and tracing
  • Configure Internet Settings preference logging and tracing
  • Configure Local Users and Groups preference logging and tracing
  • Configure Network Options preference logging and tracing
  • Configure Network Shares preference logging and tracing
  • Configure Power Options preference logging and tracing
  • Configure Printers preference logging and tracing
  • Configure Regional Options preference logging and tracing
  • Configure Registry preference logging and tracing
  • Configure Scheduled Tasks preference logging and tracing
  • Configure Services preference logging and tracing
  • Configure Shortcuts preference logging and tracing
  • Configure Start Menu preference logging and tracing
  • Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services
  • Allow cross-forest user policy and roaming user profiles
  • Always use local ADM files for Group Policy Object Editor
  • Change Group Policy processing to run asynchronously when a slow network connection is detected.
  • Configure Applications preference extension policy processing
  • Configure Data Sources preference extension policy processing
  • Configure Devices preference extension policy processing
  • Configure Direct Access connections as a fast network connection
  • Configure disk quota policy processing
  • Configure Drive Maps preference extension policy processing
  • Configure EFS recovery policy processing
  • Configure Environment preference extension policy processing
  • Configure Files preference extension policy processing
  • Configure Folder Options preference extension policy processing
  • Configure folder redirection policy processing
  • Configure Folders preference extension policy processing
  • Configure Group Policy Caching
  • Configure Group Policy slow link detection
  • Configure Ini Files preference extension policy processing
  • Configure Internet Explorer Maintenance policy processing
  • Configure Internet Settings preference extension policy processing
  • Configure IP security policy processing
  • Configure Local Users and Groups preference extension policy processing
  • Configure Logon Script Delay
  • Configure Network Options preference extension policy processing
  • Configure Network Shares preference extension policy processing
  • Configure Power Options preference extension policy processing
  • Configure Printers preference extension policy processing
  • Configure Regional Options preference extension policy processing
  • Configure registry policy processing
  • Configure Registry preference extension policy processing
  • Configure Scheduled Tasks preference extension policy processing
  • Configure scripts policy processing
  • Configure Services preference extension policy processing
  • Configure Shortcuts preference extension policy processing
  • Configure software Installation policy processing
  • Configure Start Menu preference extension policy processing
  • Configure user Group Policy loopback processing mode
  • Configure web-to-app linking with app URI handlers
  • Configure wired policy processing
  • Configure wireless policy processing
  • Continue experiences on this device
  • Determine if interactive users can generate Resultant Set of Policy data
  • Enable AD/DFS domain controller synchronization during policy refresh
  • Enable Group Policy Caching for Servers
  • Phone-PC linking on this device
  • Remove users' ability to invoke machine policy refresh
  • Set Group Policy refresh interval for computers
  • Set Group Policy refresh interval for domain controllers
  • Specify startup policy processing wait time
  • Specify workplace connectivity wait time for policy processing
  • Turn off background refresh of Group Policy
  • Turn off Group Policy Client Service AOAC optimization
  • Turn off Local Group Policy Objects processing
  • Turn off Resultant Set of Policy logging
  • Turn off access to all Windows Update features
  • Turn off access to the Store
  • Turn off Automatic Root Certificates Update
  • Turn off downloading of print drivers over HTTP
  • Turn off Event Viewer "Events.asp" links
  • Turn off handwriting personalization data sharing
  • Turn off handwriting recognition error reporting
  • Turn off Help and Support Center "Did you know?" content
  • Turn off Help and Support Center Microsoft Knowledge Base search
  • Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
  • Turn off Internet download for Web publishing and online ordering wizards
  • Turn off Internet File Association service
  • Turn off printing over HTTP
  • Turn off Registration if URL connection is referring to Microsoft.com
  • Turn off Search Companion content file updates
  • Turn off the "Order Prints" picture task
  • Turn off the "Publish to Web" task for files and folders
  • Turn off the Windows Messenger Customer Experience Improvement Program
  • Turn off Windows Customer Experience Improvement Program
  • Turn off Windows Error Reporting
  • Turn off Windows Network Connectivity Status Indicator active tests
  • Turn off Windows Update device driver searching
  • Restrict Internet communication
  • Do not allow additional session logins
  • Do not allow changes to initiator iqn name
  • Do not allow changes to initiator CHAP secret
  • Do not allow connections without IPSec
  • Do not allow sessions without mutual CHAP
  • Do not allow sessions without one way CHAP
  • Do not allow adding new targets via manual configuration
  • Do not allow manual configuration of discovered targets
  • Do not allow manual configuration of iSNS servers
  • Do not allow manual configuration of target portals
  • KDC support for claims, compound authentication and Kerberos armoring
  • KDC support for PKInit Freshness Extension
  • Provide information about previous logons to client computers
  • Request compound authentication
  • Use forest search order
  • Warning for large Kerberos tickets
  • Allow retrieving the cloud kerberos ticket during the logon
  • Always send compound authentication first
  • Define host name-to-Kerberos realm mappings
  • Define interoperable Kerberos V5 realm settings
  • Disable revocation checking for the SSL certificate of KDC proxy servers
  • Fail authentication requests when Kerberos armoring is not available
  • Kerberos client support for claims, compound authentication and Kerberos armoring
  • Require strict KDC validation
  • Require strict target SPN match on remote procedure calls
  • Set maximum Kerberos SSPI context token buffer size
  • Specify KDC proxy servers for Kerberos clients
  • Support compound authentication
  • Support device authentication using certificate
  • Enumeration policy for external devices incompatible with Kernel DMA Protection
  • Disallow changing of geographic location
  • Disallow copying of user input methods to the system account for sign-in
  • Disallow selection of Custom Locales
  • Disallow user override of locale settings
  • Restrict system locales
  • Restrict user locales
  • Allow users to select when a password is required when resuming from connected standby
  • Always use classic logon
  • Always use custom logon background
  • Always wait for the network at computer startup and logon
  • Assign a default credential provider
  • Assign a default domain for logon
  • Block user from showing account details on sign-in
  • Configure Dynamic Lock
  • Do not display network selection UI
  • Do not display the Getting Started welcome screen at logon
  • Do not enumerate connected users on domain-joined computers
  • Do not process the legacy run list
  • Do not process the run once list
  • Enumerate local users on domain-joined computers
  • Exclude credential providers
  • Hide entry points for Fast User Switching
  • Run these programs at user logon
  • Show clear logon background
  • Show first sign-in animation
  • Turn off app notifications on the lock screen
  • Turn off picture password sign-in
  • Turn off Windows Startup sound
  • Turn on convenience PIN sign-in
  • Turn on security key sign-in
  • Process Mitigation Options
  • Untrusted Font Blocking
  • Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names
  • Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails
  • Force Rediscovery Interval
  • Return domain controller address type
  • Set Priority in the DC Locator DNS SRV records
  • Set TTL in the DC Locator DNS Records
  • Set Weight in the DC Locator DNS SRV records
  • Specify address lookup behavior for DC locator ping
  • Specify DC Locator DNS records not registered by the DCs
  • Specify dynamic registration of the DC Locator DNS Records
  • Specify Refresh Interval of the DC Locator DNS records
  • Specify sites covered by the application directory partition DC Locator DNS SRV records
  • Specify sites covered by the DC Locator DNS SRV records
  • Specify sites covered by the GC Locator DNS SRV Records
  • Try Next Closest Site
  • Use automated site coverage by the DC Locator DNS SRV Records
  • Use DNS name resolution when a single-label domain name is used, by appending different registered DNS suffixes, if the AllowSingleLabelDnsDomain setting is not enabled.
  • Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC
  • Allow cryptography algorithms compatible with Windows NT 4.0
  • Contact PDC on logon failure
  • Set Netlogon share compatibility
  • Set scavenge interval
  • Set SYSVOL share compatibility
  • Specify expected dial-up delay on logon
  • Specify log file debug output level
  • Specify maximum log file size
  • Specify negative DC Discovery cache setting
  • Specify positive periodic DC Cache refresh for non-background callers
  • Specify site name
  • Use final DC discovery retry setting for background callers
  • Use initial DC discovery retry setting for background callers
  • Use maximum DC discovery retry interval setting for background callers
  • Use positive periodic DC cache refresh for background callers
  • Use urgent mode when pinging domain controllers
  • Allow Clipboard History
  • Allow Clipboard synchronization across devices
  • Allow publishing of User Activities
  • Allow upload of User Activities
  • Enables Activity Feed
  • Select the lid switch action (on battery)
  • Select the lid switch action (plugged in)
  • Select the Power button action (on battery)
  • Select the Power button action (plugged in)
  • Select the Sleep button action (on battery)
  • Select the Sleep button action (plugged in)
  • Select the Start menu Power button action (on battery)
  • Select the Start menu Power button action (plugged in)
  • Energy Saver Battery Threshold (on battery)
  • Energy Saver Battery Threshold (plugged in)
  • Turn Off the hard disk (on battery)
  • Turn Off the hard disk (plugged in)
  • Critical battery notification action
  • Critical battery notification level
  • Low battery notification action
  • Low battery notification level
  • Reserve battery notification level
  • Turn off low battery user notification
  • Turn off Power Throttling
  • Allow applications to prevent automatic sleep (on battery)
  • Allow applications to prevent automatic sleep (plugged in)
  • Allow automatic sleep with Open Network Files (on battery)
  • Allow automatic sleep with Open Network Files (plugged in)
  • Allow network connectivity during connected-standby (on battery)
  • Allow network connectivity during connected-standby (plugged in)
  • Allow standby states (S1-S3) when sleeping (on battery)
  • Allow standby states (S1-S3) when sleeping (plugged in)
  • Require a password when a computer wakes (on battery)
  • Require a password when a computer wakes (plugged in)
  • Specify the system hibernate timeout (on battery)
  • Specify the system hibernate timeout (plugged in)
  • Specify the system sleep timeout (on battery)
  • Specify the system sleep timeout (plugged in)
  • Specify the unattended sleep timeout (on battery)
  • Specify the unattended sleep timeout (plugged in)
  • Turn off hybrid sleep (on battery)
  • Turn off hybrid sleep (plugged in)
  • Turn on the ability for applications to prevent sleep transitions (on battery)
  • Turn on the ability for applications to prevent sleep transitions (plugged in)
  • Reduce display brightness (on battery)
  • Reduce display brightness (plugged in)
  • Specify the display dim brightness (on battery)
  • Specify the display dim brightness (plugged in)
  • Turn off adaptive display timeout (on battery)
  • Turn off adaptive display timeout (plugged in)
  • Turn off the display (on battery)
  • Turn off the display (plugged in)
  • Turn on desktop background slideshow (on battery)
  • Turn on desktop background slideshow (plugged in)
  • Select an active power plan
  • Specify a custom active power plan
  • Allow restore of system to default state
  • Allow only Vista or later connections
  • Customize Warning Messages
  • Offer Remote Assistance
  • Solicited Remote Assistance
  • Turn on bandwidth optimization
  • Turn on session logging
  • Ignore Delegation Failure
  • Minimum Idle Connection Timeout for RPC/HTTP connections
  • Propagation of extended error information
  • Restrictions for Unauthenticated RPC clients
  • RPC Endpoint Mapper Client Authentication
  • RPC Troubleshooting State Information
  • All Removable Storage: Allow direct access in remote sessions
  • All Removable Storage classes: Deny all access
  • CD and DVD: Deny execute access
  • CD and DVD: Deny read access
  • CD and DVD: Deny write access
  • Custom Classes: Deny read access
  • Custom Classes: Deny write access
  • Floppy Drives: Deny execute access
  • Floppy Drives: Deny read access
  • Floppy Drives: Deny write access
  • Removable Disks: Deny execute access
  • Removable Disks: Deny read access
  • Removable Disks: Deny write access
  • Tape Drives: Deny execute access
  • Tape Drives: Deny read access
  • Tape Drives: Deny write access
  • Time (in seconds) to force reboot
  • WPD Devices: Deny read access
  • WPD Devices: Deny write access
  • Allow logon scripts when NetBIOS or WINS is disabled
  • Maximum wait time for Group Policy scripts
  • Run logon scripts synchronously
  • Run shutdown scripts visible
  • Run startup scripts asynchronously
  • Run startup scripts visible
  • Run Windows PowerShell scripts first at computer startup, shutdown
  • Run Windows PowerShell scripts first at user logon, logoff
  • Configure the refresh interval for Server Manager
  • Do not display Initial Configuration Tasks window automatically at logon
  • Do not display Server Manager automatically at logon
  • Enable svchost.exe mitigation options
  • Require use of fast startup
  • Turn off automatic termination of applications that block or cancel shutdown
  • Allow downloading updates to the Disk Failure Prediction Model
  • Allow Storage Sense
  • Allow Storage Sense Temporary Files cleanup
  • Configure Storage Sense cadence
  • Configure Storage Sense Cloud Content dehydration threshold
  • Configure Storage Sense Recycle Bin cleanup threshold
  • Configure Storage Storage Downloads cleanup threshold
  • Turn off Configuration
  • Turn off System Restore
  • Detect application failures caused by deprecated COM objects
  • Detect application failures caused by deprecated Windows DLLs
  • Detect application installers that need to be run as administrator
  • Detect application install failures
  • Detect applications unable to launch installers under UAC
  • Detect compatibility issues for applications and drivers
  • Notify blocked drivers
  • Configure Corrupted File Recovery Behavior
  • Disk Diagnostic: Configure custom alert text
  • Disk Diagnostic: Configure execution level
  • Configure Scenario Execution Level
  • Microsoft Support Diagnostic Tool: Configure execution level
  • Microsoft Support Diagnostic Tool: Restrict tool download
  • Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider
  • Troubleshooting: Allow users to access recommended troubleshooting for known problems
  • Configure MSI Corrupted File Recovery Behavior
  • Configure Scheduled Maintenance Behavior
  • Configure Security Policy for Scripted Diagnostics
  • Troubleshooting: Allow users to access and run Troubleshooting Wizards
  • Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)
  • Enable/Disable PerfTrack
  • Diagnostics: Configure scenario execution level
  • Diagnostics: Configure scenario retention
  • Configure the level of TPM owner authorization information available to the operating system
  • Configure the list of blocked TPM commands
  • Configure the system to clear the TPM if it is not in a ready state.
  • Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0.
  • Ignore the default list of blocked TPM commands
  • Ignore the local list of blocked TPM commands
  • Standard User Individual Lockout Threshold
  • Standard User Lockout Duration
  • Standard User Total Lockout Threshold
  • Turn on TPM backup to Active Directory Domain Services
  • Add the Administrators security group to roaming user profiles
  • Control slow network connection timeout for user profiles
  • Delete cached copies of roaming profiles
  • Delete user profiles older than a specified number of days on system restart
  • Disable detection of slow network connections
  • Do not check for user ownership of Roaming Profile Folders
  • Do not forcefully unload the users registry at user logoff
  • Do not log users on with temporary profiles
  • Download roaming profiles on primary computers only
  • Establish timeout value for dialog boxes
  • Leave Windows Installer and Group Policy Software Installation Data
  • Maximum retries to unload and update user profile
  • Only allow local user profiles
  • Prevent Roaming Profile changes from propagating to the server
  • Prompt user when a slow network connection is detected
  • Set maximum wait time for the network if a user has a roaming user profile or remote home directory
  • Set roaming profile path for all users logging onto this computer
  • Set the schedule for background upload of a roaming user profile's registry file while user is logged on
  • Set user home folder
  • Turn off the advertising ID
  • User management of sharing user name, account picture, and domain information with apps (not desktop apps)
  • Wait for remote user profile
  • Hide the file scan progress window
  • Limit Windows File Protection cache size
  • Set Windows File Protection scanning
  • Specify Windows File Protection cache location
  • Configure Windows NTP Client
  • Enable Windows NTP Client
  • Enable Windows NTP Server
  • Global Configuration Settings
  • Activate Shutdown Event Tracker System State Data feature
  • Allow Distributed Link Tracking clients to use domain resources
  • Display highly detailed status messages
  • Display Shutdown Event Tracker
  • Do not automatically encrypt files moved to encrypted folders
  • Do not display Manage Your Server page at logon
  • Do not turn off system power after a Windows system shutdown has occurred.
  • Download missing COM components
  • Enable Persistent Time Stamp
  • Remove Boot / Shutdown / Logon / Logoff status messages
  • Restrict potentially unsafe HTML Help functions to specified folders
  • Restrict these programs from being launched from Help
  • Specify settings for optional component installation and component repair
  • Specify Windows installation file location
  • Specify Windows Service Pack installation file location
  • Turn off Data Execution Prevention for HTML Help Executible
  • ActiveX installation policy for sites in Trusted zones
  • Approved Installation Sites for ActiveX Controls
  • Prevent the wizard from running.
  • Prevent access to 16-bit applications
  • Remove Program Compatibility Property Page
  • Turn off Application Compatibility Engine
  • Turn off Application Telemetry
  • Turn off Inventory Collector
  • Turn off Program Compatibility Assistant
  • Turn off Steps Recorder
  • Turn off SwitchBack Compatibility Engine
  • Allow all trusted apps to install
  • Allow a Windows app to share application data between users
  • Allow deployment operations in special profiles
  • Allows development of Windows Store apps and installing them from an integrated development environment (IDE)
  • Disable installing Windows apps on non-system volumes
  • Prevent non-admin users from installing packaged Windows apps
  • Prevent users' app data from being stored on non-system volumes
  • Let Windows apps access account information
  • Let Windows apps access an eye tracker device
  • Let Windows apps access call history
  • Let Windows apps access contacts
  • Let Windows apps access diagnostic information about other apps
  • Let Windows apps access email
  • Let Windows apps access location
  • Let Windows apps access messaging
  • Let Windows apps access motion
  • Let Windows apps access notifications
  • Let Windows apps access Tasks
  • Let Windows apps access the calendar
  • Let Windows apps access the camera
  • Let Windows apps access the microphone
  • Let Windows apps access trusted devices
  • Let Windows apps access user movements while running in the background
  • Let Windows apps activate with voice
  • Let Windows apps activate with voice while the system is locked
  • Let Windows apps communicate with unpaired devices
  • Let Windows apps control radios
  • Let Windows apps make phone calls
  • Let Windows apps run in the background
  • Allow Microsoft accounts to be optional
  • Block launching desktop apps associated with a file.
  • Block launching desktop apps associated with a URI scheme
  • Block launching Universal Windows apps with Windows Runtime API access from hosted content.
  • Turn on dynamic Content URI Rules for Windows store apps
  • Default behavior for AutoRun
  • Don't set the always do this checkbox
  • Turn off Autoplay for non-volume devices
  • Turn off Autoplay
  • Prevent backing up to local disks
  • Prevent backing up to network location
  • Prevent backing up to optical media (CD/DVD)
  • Prevent the user from running the Backup Status and Configuration program
  • Turn off restore functionality
  • Turn off the ability to back up data files
  • Turn off the ability to create a system image
  • Allow only system backup
  • Disallow locally attached storage as backup target
  • Disallow network as backup target
  • Disallow optical media as backup target
  • Disallow run-once backups
  • Configure enhanced anti-spoofing
  • Allow domain users to log on using biometrics
  • Allow the use of biometrics
  • Allow users to log on using biometrics
  • Specify timeout for fast user switching events
  • Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
  • Choose how BitLocker-protected fixed drives can be recovered
  • Configure use of hardware-based encryption for fixed data drives
  • Configure use of passwords for fixed data drives
  • Configure use of smart cards on fixed data drives
  • Deny write access to fixed drives not protected by BitLocker
  • Enforce drive encryption type on fixed data drives
  • Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.
  • Allow enhanced PINs for startup
  • Allow network unlock at startup
  • Allow Secure Boot for integrity validation
  • Choose how BitLocker-protected operating system drives can be recovered
  • Configure minimum PIN length for startup
  • Configure pre-boot recovery message and URL
  • Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
  • Configure TPM platform validation profile for BIOS-based firmware configurations
  • Configure TPM platform validation profile for native UEFI firmware configurations
  • Configure use of hardware-based encryption for operating system drives
  • Configure use of passwords for operating system drives
  • Disallow standard users from changing the PIN or password
  • Enable use of BitLocker authentication requiring preboot keyboard input on slates
  • Enforce drive encryption type on operating system drives
  • Require additional authentication at startup (Windows Server 2008 and Windows Vista)
  • Require additional authentication at startup
  • Reset platform validation data after BitLocker recovery
  • Use enhanced Boot Configuration Data validation profile
  • Allow access to BitLocker-protected removable data drives from earlier versions of Windows
  • Choose how BitLocker-protected removable drives can be recovered
  • Configure use of hardware-based encryption for removable data drives
  • Configure use of passwords for removable data drives
  • Configure use of smart cards on removable data drives
  • Control use of BitLocker on removable drives
  • Deny write access to removable drives not protected by BitLocker
  • Enforce drive encryption type on removable data drives
  • Choose default folder for recovery password
  • Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507])
  • Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
  • Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
  • Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)
  • Disable new DMA devices when this computer is locked
  • Prevent memory overwrite on restart
  • Provide the unique identifiers for your organization
  • Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
  • Validate smart card certificate usage rule compliance
  • Allow Use of Camera
  • Do not show Windows tips
  • Turn off cloud optimized content
  • Turn off Microsoft consumer experiences
  • Don't allow this PC to be projected to
  • Require pin for pairing
  • Do not display the password reveal button
  • Enumerate administrator accounts on elevation
  • Prevent the use of security questions for local accounts
  • Require trusted path for credential entry
  • Allow commercial data pipeline
  • Allow Desktop Analytics Processing
  • Allow device name to be sent in Windows diagnostic data
  • Allow Telemetry
  • Allow Update Compliance Processing
  • Allow WUfB Cloud Processing
  • Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service
  • Configure collection of browsing data for Desktop Analytics
  • Configure Connected User Experiences and Telemetry
  • Configure diagnostic data upload endpoint for Desktop Analytics
  • Configure telemetry opt-in change notifications.
  • Configure telemetry opt-in setting user interface.
  • Configure the Commercial ID
  • Disable deleting diagnostic data
  • Disable diagnostic data viewer.
  • Disable OneSettings Downloads
  • Disable pre-release features or settings
  • Do not show feedback notifications
  • Enable OneSettings Auditing
  • Limit Enhanced diagnostic data to the minimum required by Windows Analytics
  • Toggle user control over Insider builds
  • Absolute Max Cache Size (in GB)
  • Allow uploads while the device is on battery while under set Battery level (percentage)
  • Cache Server Hostname
  • Cache Server Hostname Source
  • Delay Background download Cache Server fallback (in seconds)
  • Delay background download from http (in secs)
  • Delay Foreground download Cache Server fallback (in seconds)
  • Delay Foreground download from http (in secs)
  • Download Mode
  • Enable Peer Caching while the device connects via VPN
  • Max Cache Age (in seconds)
  • Max Cache Size (percentage)
  • Maximum Background Download Bandwidth (in KB/s)
  • Maximum Background Download Bandwidth (percentage)
  • Maximum Download Bandwidth (in KB/s)
  • Maximum Download Bandwidth (percentage)
  • Maximum Foreground Download Bandwidth (in KB/s)
  • Maximum Foreground Download Bandwidth (percentage)
  • Max Upload Bandwidth (in KB/s)
  • Minimum Background QoS (in KB/s)
  • Minimum disk size allowed to use Peer Caching (in GB)
  • Minimum Peer Caching Content File Size (in MB)
  • Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB)
  • Modify Cache Drive
  • Monthly Upload Data Cap (in GB)
  • Select a method to restrict Peer Selection
  • Select the source of Group IDs
  • Set Business Hours to Limit Background Download Bandwidth
  • Set Business Hours to Limit Foreground Download Bandwidth
  • Restrict unpacking and installation of gadgets that are not digitally signed.
  • Turn off desktop gadgets
  • Turn Off user-installed desktop gadgets
  • Do not allow color changes
  • Specify a default color
  • Do not allow Flip3D invocation
  • Do not allow window animations
  • Use solid color for Start background
  • Device compatibility settings
  • Driver compatibility settings
  • Register domain joined computers as devices
  • Do not allow Digital Locker to run
  • Allow edge swipe
  • Disable help tips
  • Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager
  • ForwarderResourceUsage
  • Enable Protected Event Logging
  • Back up log automatically when full
  • Configure log access (legacy)
  • Configure log access
  • Control Event Log behavior when the log file reaches its maximum size
  • Control the location of the log file
  • Specify the maximum log file size (KB)
  • Turn on logging
  • Events.asp program command line parameters
  • Events.asp program
  • Events.asp URL
  • Hide previous versions list for local files
  • Hide previous versions list for remote files
  • Hide previous versions of files on backup location
  • Prevent restoring local previous versions
  • Prevent restoring previous versions from backups
  • Prevent restoring remote previous versions
  • Allow the use of remote paths in file shortcut icons
  • Configure Windows Defender SmartScreen
  • Disable binding directly to IPropertySetStorage without intermediate layers.
  • Do not reinitialize a pre-existing roamed user profile when it is loaded on a machine for the first time
  • Do not show the 'new application installed' notification
  • Location where all default Library definition files for users/machines reside.
  • Set a default associations configuration file
  • Set a support web page link
  • Show hibernate in the power options menu
  • Show lock in the user tile menu
  • Show sleep in the power options menu
  • Start File Explorer with ribbon minimized
  • Turn off Data Execution Prevention for Explorer
  • Turn off heap termination on corruption
  • Turn off numerical sorting in File Explorer
  • Turn off shell protocol protected mode
  • Verify old and new Folder Redirection targets point to the same share before redirecting
  • Turn off File History
  • Turn On/Off Find My Device
  • Turn off downloading of game information
  • Turn off game updates
  • Turn off tracking of last play time of games in the Games folder
  • Handwriting Panel Default Mode Docked
  • Prevent the computer from joining a homegroup
  • Add default Accelerators
  • Add non-default Accelerators
  • Restrict Accelerators to those deployed through Group Policy
  • Turn off Accelerators
  • Bypass prompting for Clipboard access for scripts running in any process
  • Bypass prompting for Clipboard access for scripts running in the Internet Explorer process
  • Define applications and processes that can access the Clipboard without prompting
  • Turn off Print Menu
  • Turn off the ability to launch report site problems using a menu option
  • Include updated website lists from Microsoft
  • Turn off Compatibility View button
  • Turn off Compatibility View
  • Turn on Internet Explorer 7 Standards Mode
  • Turn on Internet Explorer Standards Mode for local intranet
  • Use Policy List of Internet Explorer 7 sites
  • Use Policy List of Quirks Mode sites
  • Prevent specifying the code download path for each computer
  • Allow deleting browsing history on exit
  • Disable "Configuring History"
  • Prevent access to Delete Browsing History
  • Prevent deleting ActiveX Filtering, Tracking Protection, and Do Not Track data
  • Prevent deleting cookies
  • Prevent deleting download history
  • Prevent deleting favorites site data
  • Prevent deleting form data
  • Prevent deleting InPrivate Filtering data
  • Prevent deleting passwords
  • Prevent deleting temporary Internet files
  • Prevent deleting websites that the user has visited
  • Prevent the deletion of temporary Internet files and cookies
  • Allow active content from CDs to run on user machines
  • Allow Install On Demand (except Internet Explorer)
  • Allow Install On Demand (Internet Explorer)
  • Allow Internet Explorer to use the HTTP2 network protocol
  • Allow Internet Explorer to use the SPDY/3 network protocol
  • Allow software to run or install even if the signature is invalid
  • Allow third-party browser extensions
  • Always send Do Not Track header
  • Automatically check for Internet Explorer updates
  • Check for server certificate revocation
  • Check for signatures on downloaded programs
  • Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled
  • Do not allow resetting Internet Explorer settings
  • Do not save encrypted pages to disk
  • Empty Temporary Internet Files folder when browser is closed
  • Play animations in web pages
  • Play sounds in web pages
  • Play videos in web pages
  • Turn off ClearType
  • Turn off encryption support
  • Turn off loading websites and content in the background to optimize performance
  • Turn off Profile Assistant
  • Turn off sending UTF-8 query strings for URLs
  • Turn off the flip ahead with page prediction feature
  • Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows
  • Turn on Caret Browsing support
  • Turn on Enhanced Protected Mode
  • Use HTTP 1.1 through proxy connections
  • Use HTTP 1.1
  • Show Content Advisor on Internet Options
  • Allow websites to store application caches on client computers
  • Allow websites to store indexed databases on client computers
  • Set application caches expiration time limit for individual domains
  • Set application cache storage limits for individual domains
  • Set default storage limits for websites
  • Set indexed database storage limits for individual domains
  • Set maximum application cache individual resource size
  • Set maximum application cache resource list size
  • Set maximum application caches storage limit for all domains
  • Set maximum indexed database storage limit for all domains
  • Start Internet Explorer with tabs from last browsing session
  • Access data sources across domains
  • Allow active content over restricted protocols to access my computer
  • Allow active scripting
  • Allow binary and script behaviors
  • Allow cut, copy or paste operations from the clipboard via script
  • Allow drag and drop or copy and paste files
  • Allow file downloads
  • Allow font downloads
  • Allow installation of desktop items
  • Allow loading of XAML Browser Applications
  • Allow loading of XAML files
  • Allow loading of XPS files
  • Allow META REFRESH
  • Allow only approved domains to use ActiveX controls without prompt
  • Allow only approved domains to use the TDC ActiveX control
  • Allow OpenSearch queries in File Explorer
  • Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
  • Allow script-initiated windows without size or position constraints
  • Allow scripting of Internet Explorer WebBrowser controls
  • Allow scriptlets
  • Allow updates to status bar via script
  • Allow VBScript to run in Internet Explorer
  • Allow video and animation on a webpage that uses an older media player
  • Allow websites to open windows without status bar or Address bar
  • Allow websites to prompt for information by using scripted windows
  • Automatic prompting for ActiveX controls
  • Automatic prompting for file downloads
  • Display mixed content
  • Don't run antimalware programs against ActiveX controls
  • Do not prompt for client certificate selection when no certificates or only one certificate exists.
  • Download signed ActiveX controls
  • Download unsigned ActiveX controls
  • Enable dragging of content from different domains across windows
  • Enable dragging of content from different domains within a window
  • Enable MIME Sniffing
  • Include local path when user is uploading files to a server
  • Initialize and script ActiveX controls not marked as safe
  • Java permissions
  • Launching applications and files in an IFRAME
  • Logon options
  • Navigate windows and frames across different domains
  • Render legacy filters
  • Run .NET Framework-reliant components not signed with Authenticode
  • Run .NET Framework-reliant components signed with Authenticode
  • Run ActiveX controls and plugins
  • Script ActiveX controls marked safe for scripting
  • Scripting of Java applets
  • Show security warning for potentially unsafe files
  • Software channel permissions
  • Submit non-encrypted form data
  • Turn off .NET Framework Setup
  • Turn off first-run prompt
  • Turn on Cross-Site Scripting Filter
  • Turn on Protected Mode
  • Turn on SmartScreen Filter scan
  • Use Pop-up Blocker
  • Userdata persistence
  • Web sites in less privileged Web content zones can navigate into this zone
  • Internet Zone Template
  • Intranet Sites: Include all local (intranet) sites not listed in other zones
  • Intranet Sites: Include all network paths (UNCs)
  • Intranet Sites: Include all sites that bypass the proxy server
  • Intranet Zone Template
  • Local Machine Zone Template
  • Locked-Down Internet Zone Template
  • Locked-Down Intranet Zone Template
  • Locked-Down Local Machine Zone Template
  • Locked-Down Restricted Sites Zone Template
  • Locked-Down Trusted Sites Zone Template
  • Restricted Sites Zone Template
  • Site to Zone Assignment List
  • Trusted Sites Zone Template
  • Turn on automatic detection of intranet
  • Turn on certificate address mismatch warning
  • Turn on Notification bar notification for intranet content
  • Disable the Advanced page
  • Disable the Connections page
  • Disable the Content page
  • Disable the General page
  • Disable the Privacy page
  • Disable the Programs page
  • Disable the Security page
  • Prevent ignoring certificate errors
  • Send internationalized domain names
  • Use UTF-8 for mailto links
  • Go to an intranet site for a one-word entry in the Address bar
  • Turn off phone number detection
  • Allow Internet Explorer to play media files that use alternative codecs
  • Prevent configuration of search on Address bar
  • Prevent configuration of top-result search on Address bar
  • Turn off URL Suggestions
  • Turn off Windows Search AutoComplete
  • Prevent specifying cipher strength update information URLs
  • Prevent changing the URL for checking updates to Internet Explorer and Internet Tools
  • Prevent specifying the update check interval (in days)
  • Open Internet Explorer tiles on the desktop
  • Set how links are opened in Internet Explorer
  • Establish InPrivate Filtering threshold
  • Establish Tracking Protection threshold
  • Prevent the computer from loading toolbars and Browser Helper Objects when InPrivate Browsing starts
  • Turn off collection of InPrivate Filtering data
  • Turn off InPrivate Browsing
  • Turn off InPrivate Filtering
  • Turn off Tracking Protection
  • Add-on List
  • All Processes
  • Deny all add-ons unless specifically allowed in the Add-on List
  • Process List
  • Remove "Run this time" button for outdated ActiveX controls in Internet Explorer
  • Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects
  • Turn off blocking of outdated ActiveX controls for Internet Explorer
  • Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains
  • Turn on ActiveX control logging in Internet Explorer
  • Allow native XMLHTTP support
  • Change the maximum number of connections per host (HTTP 1.1)
  • Maximum number of connections per server (HTTP 1.0)
  • Set the maximum number of WebSocket connections per server
  • Turn off cross-document messaging
  • Turn off the WebSocket Object
  • Turn off the XDomainRequest object
  • Admin-approved behaviors
  • Install binaries signed by MD2 and MD4 signing technologies
  • Internet Explorer Processes
  • Internet Zone Restricted Protocols
  • Intranet Zone Restricted Protocols
  • Local Machine Zone Restricted Protocols
  • Restricted Sites Zone Restricted Protocols
  • Trusted Sites Zone Restricted Protocols
  • Allow fallback to SSL 3.0 (Internet Explorer)
  • Do not display the reveal password button
  • Turn off Data Execution Prevention
  • Turn off Data URI support
  • Customize command labels
  • Display tabs on a separate row
  • Hide the Command bar
  • Hide the status bar
  • Lock all toolbars
  • Lock location of Stop and Refresh buttons
  • Turn off Developer Tools
  • Turn off toolbar upgrade tool
  • Use large icons for command buttons
  • Add a specific list of search providers to the user's list of search providers
  • Allow "Save Target As" in Internet Explorer mode
  • Allow Internet Explorer 8 shutdown behavior
  • Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar
  • Automatically activate newly installed add-ons
  • Configure which channel of Microsoft Edge to use for opening redirected sites
  • Customize user agent string
  • Disable Automatic Install of Internet Explorer components
  • Disable changing Automatic Configuration settings
  • Disable changing connection settings
  • Disable changing secondary home page settings
  • Disable Import/Export Settings wizard
  • Disable Internet Explorer 11 as a standalone browser
  • Disable Periodic Check for Internet Explorer software updates
  • Disable showing the splash screen
  • Disable software update shell notifications on program launch
  • Do not allow users to enable or disable add-ons
  • Enable extended hot keys in Internet Explorer mode
  • Enable global window list in Internet Explorer mode
  • Enforce full-screen mode
  • Hide Internet Explorer 11 retirement notification
  • Install new versions of Internet Explorer automatically
  • Keep all intranet sites in Internet Explorer
  • Let users turn on and use Enterprise Mode from the Tools menu
  • Limit Site Discovery output by Domain
  • Limit Site Discovery output by Zone
  • Make proxy settings per-machine (rather than per-user)
  • Pop-up allow list
  • Prevent "Fix settings" functionality
  • Prevent access to Internet Explorer Help
  • Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
  • Prevent bypassing SmartScreen Filter warnings
  • Prevent changing pop-up filter level
  • Prevent changing proxy settings
  • Prevent changing the default search provider
  • Prevent configuration of how windows open
  • Prevent configuration of new tab creation
  • Prevent Internet Explorer Search box from appearing
  • Prevent managing pop-up exception list
  • Prevent managing SmartScreen Filter
  • Prevent managing the phishing filter
  • Prevent participation in the Customer Experience Improvement Program
  • Prevent per-user installation of ActiveX controls
  • Prevent running First Run wizard
  • Reset zoom to default for HTML dialogs in Internet Explorer mode
  • Restrict search providers to a specific list
  • Security Zones: Do not allow users to add/delete sites
  • Security Zones: Do not allow users to change policies
  • Security Zones: Use only machine settings
  • Send all sites not included in the Enterprise Mode Site List to Microsoft Edge.
  • Set tab process growth
  • Show message when opening sites in Microsoft Edge using Enterprise Mode
  • Specify default behavior for a new tab
  • Specify use of ActiveX Installer Service for installation of ActiveX controls
  • Turn off ability to pin sites in Internet Explorer on the desktop
  • Turn off ActiveX Opt-In prompt
  • Turn off add-on performance notifications
  • Turn off Automatic Crash Recovery
  • Turn off browser geolocation
  • Turn off configuration of pop-up windows in tabbed browsing
  • Turn off Crash Detection
  • Turn off Favorites bar
  • Turn off Managing SmartScreen Filter for Internet Explorer 8
  • Turn off page-zooming functionality
  • Turn off pop-up management
  • Turn off Quick Tabs functionality
  • Turn off Reopen Last Browsing Session
  • Turn off suggestions for all user-installed providers
  • Turn off tabbed browsing
  • Turn off the auto-complete feature for web addresses
  • Turn off the quick pick menu
  • Turn off the Security Settings Check feature
  • Turn on ActiveX Filtering
  • Turn on compatibility logging
  • Turn on menu bar by default
  • Turn on Site Discovery WMI output
  • Turn on Site Discovery XML output
  • Turn on Suggested Sites
  • Use the Enterprise Mode IE website list
  • Prevent IIS installation
  • Turn off Windows Location Provider
  • Turn off location
  • Turn off location scripting
  • Turn off sensors
  • Automatic Maintenance Activation Boundary
  • Automatic Maintenance Random Delay
  • Automatic Maintenance WakeUp Policy
  • Turn off Automatic Download and Update of Map Data
  • Turn off unsolicited network traffic on the Offline Maps settings page
  • Disable MDM Enrollment
  • Enable automatic MDM enrollment using default Azure AD credentials
  • Allow Message Service Cloud Sync
  • Block all consumer Microsoft account user authentication
  • Display additional text to clients when they need to perform an action
  • Enable headless UI mode
  • Suppress all notifications
  • Suppresses reboot notifications
  • Define device control policy groups
  • Define device control policy rules
  • Extension Exclusions
  • Path Exclusions
  • Process Exclusions
  • Turn off Auto Exclusions
  • Configure local setting override for reporting to Microsoft MAPS
  • Configure the 'Block at First Sight' feature
  • Join Microsoft MAPS
  • Send file samples when further analysis is required
  • Configure Attack Surface Reduction rules
  • Exclude files and paths from Attack Surface Reduction Rules
  • Configure allowed applications
  • Configure Controlled folder access
  • Configure protected folders
  • Prevent users and apps from accessing dangerous websites
  • Configure extended cloud check
  • Enable file hash computation feature
  • Select cloud protection level
  • IP address range Exclusions
  • Port number Exclusions
  • Process Exclusions for outbound traffic
  • Threat ID Exclusions
  • Define the rate of detection events for logging
  • Specify additional definition sets for network traffic inspection
  • Turn on definition retirement
  • Turn on protocol recognition
  • Configure local setting override for the removal of items from Quarantine folder
  • Configure removal of items from Quarantine folder
  • Configure local setting override for monitoring file and program activity on your computer
  • Configure local setting override for monitoring for incoming and outgoing file activity
  • Configure local setting override for scanning all downloaded files and attachments
  • Configure local setting override for turn on behavior monitoring
  • Configure local setting override to turn off Intrusion Prevention System
  • Configure local setting override to turn on real-time protection
  • Configure monitoring for incoming and outgoing file and program activity
  • Define the maximum size of downloaded files and attachments to be scanned
  • Monitor file and program activity on your computer
  • Scan all downloaded files and attachments
  • Turn off real-time protection
  • Turn on behavior monitoring
  • Turn on Information Protection Control
  • Turn on network protection against exploits of known vulnerabilities
  • Turn on process scanning whenever real-time protection is enabled
  • Turn on raw volume write notifications
  • Configure local setting override for the time of day to run a scheduled full scan to complete remediation
  • Specify the day of the week to run a scheduled full scan to complete remediation
  • Specify the time of day to run a scheduled full scan to complete remediation
  • Configure time out for detections in critically failed state
  • Configure time out for detections in non-critical failed state
  • Configure time out for detections in recently remediated state
  • Configure time out for detections requiring additional action
  • Configure Watson events
  • Configure Windows software trace preprocessor components
  • Configure WPP tracing level
  • Turn off enhanced notifications
  • Allow users to pause scan
  • Check for the latest virus and spyware security intelligence before running a scheduled scan
  • Configure local setting override for maximum percentage of CPU utilization
  • Configure local setting override for scheduled quick scan time
  • Configure local setting override for scheduled scan time
  • Configure local setting override for schedule scan day
  • Configure local setting override for the scan type to use for a scheduled scan
  • Configure low CPU priority for scheduled scans
  • Create a system restore point
  • Define the number of days after which a catch-up scan is forced
  • Run full scan on mapped network drives
  • Scan archive files
  • Scan network files
  • Scan packed executables
  • Scan removable drives
  • Specify the day of the week to run a scheduled scan
  • Specify the interval to run quick scans per day
  • Specify the maximum depth to scan archive files
  • Specify the maximum percentage of CPU utilization during a scan
  • Specify the maximum size of archive files to be scanned
  • Specify the scan type to use for a scheduled scan
  • Specify the time for a daily quick scan
  • Specify the time of day to run a scheduled scan
  • Start the scheduled scan only when computer is on but not in use
  • Turn on catch-up full scan
  • Turn on catch-up quick scan
  • Turn on e-mail scanning
  • Turn on heuristics
  • Turn on removal of items from scan history folder
  • Turn on reparse point scanning
  • Allow notifications to disable security intelligence based reports to Microsoft MAPS
  • Allow real-time security intelligence updates based on reports to Microsoft MAPS
  • Allow security intelligence updates from Microsoft Update
  • Allow security intelligence updates when running on battery power
  • Check for the latest virus and spyware security intelligence on startup
  • Define file shares for downloading security intelligence updates
  • Define security intelligence location for VDI clients.
  • Define the number of days after which a catch-up security intelligence update is required
  • Define the number of days before spyware security intelligence is considered out of date
  • Define the number of days before virus security intelligence is considered out of date
  • Define the order of sources for downloading security intelligence updates
  • Initiate security intelligence update on startup
  • Specify the day of the week to check for security intelligence updates
  • Specify the interval to check for security intelligence updates
  • Specify the time to check for security intelligence updates
  • Turn on scan after security intelligence update
  • Specify threat alert levels at which default action should not be taken when detected
  • Specify threats upon which default action should not be taken when detected
  • Allow antimalware service to remain running always
  • Allow antimalware service to startup with normal priority
  • Configure detection for potentially unwanted applications
  • Configure local administrator merge behavior for lists
  • Define addresses to bypass proxy server
  • Define proxy auto-config (.pac) for connecting to the network
  • Define proxy server for connecting to the network
  • Randomize scheduled task times
  • Turn off Microsoft Defender Antivirus
  • Turn off routine remediation
  • Allow auditing events in Microsoft Defender Application Guard
  • Allow camera and microphone access in Microsoft Defender Application Guard
  • Allow data persistence for Microsoft Defender Application Guard
  • Allow files to download and save to the host operating system from Microsoft Defender Application Guard
  • Allow hardware-accelerated rendering for Microsoft Defender Application Guard
  • Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device
  • Allow users to trust files that open in Windows Defender Application Guard
  • Configure additional sources for untrusted files in Windows Defender Application Guard.
  • Configure Microsoft Defender Application Guard clipboard settings
  • Configure Microsoft Defender Application Guard print settings
  • Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer
  • Turn on Microsoft Defender Application Guard in Managed Mode
  • Use a common set of exploit protection settings
  • Allow Address bar drop-down list suggestions
  • Allow Adobe Flash
  • Allow a shared Books folder
  • Allow clearing browsing data on exit
  • Allow configuration updates for the Books Library
  • Allow Developer Tools
  • Allow extended telemetry for the Books tab
  • Allow Extensions
  • Allow FullScreen Mode
  • Allow InPrivate browsing
  • Allow Microsoft Compatibility List
  • Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed
  • Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed
  • Allow printing
  • Allow Saving History
  • Allow search engine customization
  • Allow Sideloading of extension
  • Allow web content on New Tab page
  • Always show the Books Library in Microsoft Edge
  • Configure additional search engines
  • Configure Autofill
  • Configure cookies
  • Configure Do Not Track
  • Configure Favorites Bar
  • Configure Favorites
  • Configure Home Button
  • Configure kiosk mode
  • Configure kiosk reset after idle timeout
  • Configure Open Microsoft Edge With
  • Configure Password Manager
  • Configure Pop-up Blocker
  • Configure search suggestions in Address bar
  • Configure Start pages
  • Configure the Adobe Flash Click-to-Run setting
  • Configure the Enterprise Mode Site List
  • Disable lockdown of Start pages
  • For PDF files that have both landscape and portrait pages, print each in its own orientation.
  • Keep favorites in sync between Internet Explorer and Microsoft Edge
  • Prevent access to the about:flags page in Microsoft Edge
  • Prevent bypassing Windows Defender SmartScreen prompts for files
  • Prevent bypassing Windows Defender SmartScreen prompts for sites
  • Prevent certificate error overrides
  • Prevent changes to Favorites on Microsoft Edge
  • Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
  • Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed
  • Prevent the First Run webpage from opening on Microsoft Edge
  • Prevent turning off required extensions
  • Prevent using Localhost IP address for WebRTC
  • Provision Favorites
  • Send all intranet sites to Internet Explorer 11
  • Set default search engine
  • Set Home Button URL
  • Set New Tab page URL
  • Show message when opening sites in Internet Explorer
  • Suppress the display of Edge Deprecation Notification
  • Unlock Home Button
  • Enable usage of FIDO devices to sign on
  • Allow companion device for secondary authentication
  • Access 2013 backup only
  • Access 2016 backup only
  • Common 2013 backup only
  • Common 2016 backup only
  • Excel 2013 backup only
  • Excel 2016 backup only
  • InfoPath 2013 backup only
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Internet Explorer Common Settings
  • Lync 2013 backup only
  • Lync 2016 backup only
  • Microsoft Access 2010
  • Microsoft Access 2013
  • Microsoft Access 2016
  • Microsoft Excel 2010
  • Microsoft Excel 2013
  • Microsoft Excel 2016
  • Microsoft InfoPath 2010
  • Microsoft InfoPath 2013
  • Microsoft Lync 2010
  • Microsoft Lync 2013
  • Microsoft Lync 2016
  • Microsoft Office 365 Access 2013
  • Microsoft Office 365 Access 2016
  • Microsoft Office 365 Common 2013
  • Microsoft Office 365 Common 2016
  • Microsoft Office 365 Excel 2013
  • Microsoft Office 365 Excel 2016
  • Microsoft Office 365 InfoPath 2013
  • Microsoft Office 365 Lync 2013
  • Microsoft Office 365 Lync 2016
  • Microsoft Office 365 OneNote 2013
  • Microsoft Office 365 OneNote 2016
  • Microsoft Office 365 Outlook 2013
  • Microsoft Office 365 Outlook 2016
  • Microsoft Office 365 PowerPoint 2013
  • Microsoft Office 365 PowerPoint 2016
  • Microsoft Office 365 Project 2013
  • Microsoft Office 365 Project 2016
  • Microsoft Office 365 Publisher 2013
  • Microsoft Office 365 Publisher 2016
  • Microsoft Office 365 SharePoint Designer 2013
  • Microsoft Office 365 Visio 2013
  • Microsoft Office 365 Visio 2016
  • Microsoft Office 365 Word 2013
  • Microsoft Office 365 Word 2016
  • Microsoft Office 2010 Common Settings
  • Microsoft Office 2013 Common Settings
  • Microsoft Office 2013 Upload Center
  • Microsoft Office 2016 Common Settings
  • Microsoft Office 2016 Upload Center
  • Microsoft OneDrive for Business 2013
  • Microsoft OneDrive for Business 2016
  • Microsoft OneNote 2010
  • Microsoft OneNote 2013
  • Microsoft OneNote 2016
  • Microsoft Outlook 2010
  • Microsoft Outlook 2013
  • Microsoft Outlook 2016
  • Microsoft PowerPoint 2010
  • Microsoft PowerPoint 2013
  • Microsoft PowerPoint 2016
  • Microsoft Project 2010
  • Microsoft Project 2013
  • Microsoft Project 2016
  • Microsoft Publisher 2010
  • Microsoft Publisher 2013
  • Microsoft Publisher 2016
  • Microsoft SharePoint Designer 2010
  • Microsoft SharePoint Designer 2013
  • Microsoft SharePoint Workspace 2010
  • Microsoft Visio 2010
  • Microsoft Visio 2013
  • Microsoft Visio 2016
  • Microsoft Word 2010
  • Microsoft Word 2013
  • Microsoft Word 2016
  • OneNote 2013 backup only
  • OneNote 2016 backup only
  • Outlook 2013 backup only
  • Outlook 2016 backup only
  • PowerPoint 2013 backup only
  • PowerPoint 2016 backup only
  • Project 2013 backup only
  • Project 2016 backup only
  • Publisher 2013 backup only
  • Publisher 2016 backup only
  • SharePoint Designer 2013 backup only
  • Visio 2013 backup only
  • Visio 2016 backup only
  • Word 2013 backup only
  • Word 2016 backup only
  • Configure Sync Method
  • Contact IT Link Text
  • Contact IT URL
  • Do not synchronize Windows Apps
  • First Use Notification
  • Ping the settings storage location before sync
  • Settings package size warning threshold
  • Settings storage path
  • Settings template catalog path
  • Synchronization timeout
  • Synchronize Windows settings
  • Sync settings over metered connections even when roaming
  • Sync settings over metered connections
  • Sync Unlisted Windows Apps
  • Use User Experience Virtualization (UE-V)
  • VDI Configuration
  • Disable remote Desktop Sharing
  • Enable news and interests on the taskbar
  • Prevent OneDrive files from syncing over metered connections
  • Prevent OneDrive from generating network traffic until the user signs in to OneDrive
  • Prevent the usage of OneDrive for file storage
  • Prevent the usage of OneDrive for file storage on Windows 8.1
  • Save documents to OneDrive by default
  • Turn off Active Help
  • Don't launch privacy settings experience on user logon
  • Make Parental Controls control panel visible on a Domain
  • Allow hibernate (S4) when starting from a Windows To Go workspace
  • Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace
  • Windows To Go Default Startup Options
  • Turn off Windows presentation settings
  • Turn off Push To Install service
  • License server security group
  • Prevent license upgrade
  • Allow RDP redirection of other supported RemoteFX USB devices from this computer
  • Allow .rdp files from unknown publishers
  • Allow .rdp files from valid publishers and user's default .rdp settings
  • Configure server authentication for client
  • Do not allow hardware accelerated decoding
  • Do not allow passwords to be saved
  • Prompt for credentials on the client computer
  • Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
  • Turn Off UDP On Client
  • Do not use Remote Desktop Session Host server IP address when virtual IP address is not available
  • Select the network adapter to be used for Remote Desktop IP Virtualization
  • Turn off Windows Installer RDS Compatibility
  • Turn on Remote Desktop IP Virtualization
  • Allow remote start of unlisted programs
  • Allow users to connect remotely by using Remote Desktop Services
  • Automatic reconnection
  • Configure keep-alive connection interval
  • Deny logoff of an administrator logged in to the console session
  • Limit number of connections
  • Restrict Remote Desktop Services users to a single Remote Desktop Services session
  • Select network detection on the server
  • Select RDP transport protocols
  • Set rules for remote control of Remote Desktop Services user sessions
  • Suspend user sign-in to complete app registration
  • Turn off Fair Share CPU Scheduling
  • Allow audio and video playback redirection
  • Allow audio recording redirection
  • Allow time zone redirection
  • Do not allow Clipboard redirection
  • Do not allow COM port redirection
  • Do not allow drive redirection
  • Do not allow LPT port redirection
  • Do not allow smart card device redirection
  • Do not allow supported Plug and Play device redirection
  • Do not allow video capture redirection
  • Limit audio playback quality
  • Hide notifications about RD Licensing problems that affect the RD Session Host server
  • Set the Remote Desktop licensing mode
  • Use the specified Remote Desktop license servers
  • Do not allow client printer redirection
  • Do not set default client printer to be default printer in a session
  • Redirect only the default client printer
  • Specify RD Session Host server fallback printer driver behavior
  • Use Remote Desktop Easy Print printer driver first
  • Limit the size of the entire roaming user profile cache
  • Set path for Remote Desktop Services Roaming User Profile
  • Set Remote Desktop Services User Home Directory
  • Use mandatory profiles on the RD Session Host server
  • Configure RD Connection Broker farm name
  • Configure RD Connection Broker server name
  • Join RD Connection Broker
  • Use IP Address Redirection
  • Use RD Connection Broker load balancing
  • Configure RemoteFX
  • Optimize visual experience for Remote Desktop Service Sessions
  • Optimize visual experience when using RemoteFX
  • Allow desktop composition for remote desktop sessions
  • Always show desktop on connection
  • Configure compression for RemoteFX data
  • Configure H.264/AVC hardware encoding for Remote Desktop Connections
  • Configure image quality for RemoteFX Adaptive Graphics
  • Configure RemoteFX Adaptive Graphics
  • Do not allow font smoothing
  • Enable RemoteFX encoding for RemoteFX clients designed for Windows Server 2008 R2 SP1
  • Enforce Removal of Remote Desktop Wallpaper
  • Limit maximum color depth
  • Limit maximum display resolution
  • Limit number of monitors
  • Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections
  • Remove "Disconnect" option from Shut Down dialog
  • Remove Windows Security item from Start menu
  • Start a program on connection
  • Use advanced RemoteFX graphics for RemoteApp
  • Use hardware graphics adapters for all Remote Desktop Services sessions
  • Use the hardware default graphics adapter for all Remote Desktop Services sessions
  • Use WDDM graphics display driver for Remote Desktop Connections
  • Always prompt for password upon connection
  • Do not allow local administrators to customize permissions
  • Require secure RPC communication
  • Require use of specific security layer for remote (RDP) connections
  • Require user authentication for remote connections by using Network Level Authentication
  • Server authentication certificate template
  • Set client connection encryption level
  • End session when time limits are reached
  • Set time limit for active but idle Remote Desktop Services sessions
  • Set time limit for active Remote Desktop Services sessions
  • Set time limit for disconnected sessions
  • Set time limit for logoff of RemoteApp sessions
  • Do not delete temp folders upon exit
  • Do not use temporary folders per session
  • Prevent access to feed list
  • Prevent automatic discovery of feeds and Web Slices
  • Prevent downloading of enclosures
  • Prevent subscribing to or deleting a feed or a Web Slice
  • Turn off background synchronization for feeds and Web Slices
  • Turn on Basic feed authentication over HTTP
  • Force TIFF IFilter to perform OCR for every page in a TIFF document
  • Select OCR language from a code page
  • Select OCR language
  • Add primary intranet search location
  • Add secondary intranet search locations
  • Allow Cloud Search
  • Allow Cortana above lock screen
  • Allow Cortana
  • Allow Cortana Page in OOBE on an AAD account
  • Allow indexing of encrypted files
  • Allow search and Cortana to use location
  • Allow search highlights
  • Allow use of diacritics
  • Always use automatic language detection when indexing content and properties
  • Control rich previews for attachments
  • Default excluded paths
  • Default indexed paths
  • Disable indexer backoff
  • Don't search the web or display web results in Search
  • Don't search the web or display web results in Search over metered connections
  • Do not allow locations on removable drives to be added to libraries
  • Do not allow web search
  • Enable indexing of online delegate mailboxes
  • Enable indexing uncached Exchange folders
  • Enable throttling for online mail indexing
  • Indexer data location
  • Prevent adding UNC locations to index from Control Panel
  • Prevent adding user-specified locations to the All Locations menu
  • Prevent automatically adding shared folders to the Windows Search index
  • Prevent clients from querying the index remotely
  • Prevent customization of indexed locations in Control Panel
  • Prevent indexing certain paths
  • Prevent indexing e-mail attachments
  • Prevent indexing files in offline files cache
  • Prevent indexing Microsoft Office Outlook
  • Prevent indexing of certain file types
  • Prevent indexing public folders
  • Prevent indexing when running on battery power to conserve energy
  • Prevent the display of advanced indexing options for Windows Search in the Control Panel
  • Prevent unwanted iFilters and protocol handlers
  • Preview pane location
  • Set large or small icon view in desktop search results
  • Set the SafeSearch setting for Search
  • Set what information is shared in Search
  • Stop indexing in the event of limited hard drive space
  • Turn on Security Center (Domain PCs only)
  • Timeout for hung logon sessions during shutdown
  • Turn off legacy remote shutdown interface
  • Allow certificates with no extended key usage certificate attribute
  • Allow ECC certificates to be used for logon and authentication
  • Allow Integrated Unblock screen to be displayed at the time of logon
  • Allow signature keys valid for Logon
  • Allow time invalid certificates
  • Allow user name hint
  • Configure root certificate clean up
  • Display string when smart card is blocked
  • Filter duplicate logon certificates
  • Force the reading of all certificates from the smart card
  • Notify user of successful smart card driver installation
  • Prevent plaintext PINs from being returned by Credential Manager
  • Reverse the subject name stored in a certificate when displaying
  • Turn on certificate propagation from smart card
  • Turn on root certificate propagation from smart card
  • Turn on Smart Card Plug and Play service
  • Control Device Reactivation for Retail devices
  • Turn off KMS Client Online AVS Validation
  • Do not allow Sound Recorder to run
  • Allow Automatic Update of Speech Data
  • Disable all apps from Microsoft Store
  • Only display the private store within the Microsoft Store
  • Turn off Automatic Download and Install of updates
  • Turn off Automatic Download of updates on Win8 machines
  • Turn off the offer to update to the latest version of Windows
  • Turn off the Store application
  • Do not sync app settings
  • Do not sync Apps
  • Do not sync browser settings
  • Do not sync desktop personalization
  • Do not sync
  • Do not sync on metered connections
  • Do not sync other Windows settings
  • Do not sync passwords
  • Do not sync personalize
  • Do not sync start settings
  • Do not allow Inkball to run
  • Do not allow printing to Journal Note Writer
  • Do not allow Snipping Tool to run
  • Do not allow Windows Journal to be run
  • Turn off pen feedback
  • Prevent Back-ESC mapping
  • Prevent launch an application
  • Prevent press and hold
  • Turn off hardware buttons
  • Disable text prediction
  • For tablet pen input, don't show the Input Panel icon
  • For touch input, don't show the Input Panel icon
  • Include rarely used Chinese, Kanji, or Hanja characters
  • Prevent Input Panel tab from appearing
  • Turn off AutoComplete integration with Input Panel
  • Turn off password security in Input Panel
  • Turn off tolerant and Z-shaped scratch-out gestures
  • Prevent Flicks Learning Mode
  • Prevent flicks
  • Turn off Tablet PC Pen Training
  • Turn off Tablet PC touch input
  • Turn off Touch Panning
  • Hide Advanced Properties Checkbox in Add Scheduled Task Wizard
  • Hide Property Pages
  • Prevent Task Run or End
  • Prohibit Browse
  • Prohibit Drag-and-Drop
  • Prohibit New Task Creation
  • Prohibit Task Deletion
  • Cloud Policy Details
  • Allow uninstallation of language features when a language is uninstalled
  • Improve inking and typing recognition
  • Turn off Windows Calendar
  • Prohibit installing or uninstalling color profiles
  • Allow Corporate redirection of Customer Experience Improvement uploads
  • Tag Windows Customer Experience Improvement data with Study Identifier
  • Configure App Install Control
  • Configure Corporate Windows Error Reporting
  • Configure Report Archive
  • Configure Report Queue
  • Default application reporting settings
  • List of applications to always report errors for
  • List of applications to be excluded
  • List of applications to never report errors for
  • Report operating system errors
  • Report unplanned shutdown events
  • Configure Default consent
  • Customize consent settings
  • Ignore custom consent settings
  • Automatically send memory dumps for OS-generated error reports
  • Configure Error Reporting
  • Disable logging
  • Disable Windows Error Reporting
  • Display Error Notification
  • Do not send additional data
  • Do not throttle additional data
  • Prevent display of the user interface for critical errors
  • Send additional data when on battery power
  • Send data when on connected to a restricted/costed network
  • Enables or disables Windows Game Recording and Broadcasting
  • Use phone sign-in
  • Maximum PIN length
  • Minimum PIN length
  • Require digits
  • Require lowercase letters
  • Require special characters
  • Require uppercase letters
  • Allow enumeration of emulated smart card for all users
  • Configure device unlock factors
  • Configure dynamic lock factors
  • Turn off smart card emulation
  • Use a hardware security device
  • Use biometrics
  • Use certificate for on-premises authentication
  • Use cloud trust for on-premises authentication
  • Use PIN Recovery
  • Use Windows Hello for Business certificates as smart card certificates
  • Use Windows Hello for Business
  • Allow suggested apps in Windows Ink Workspace
  • Allow Windows Ink Workspace
  • Allow user control over installs
  • Allow users to browse for source while elevated
  • Allow users to patch elevated products
  • Allow users to use media source while elevated
  • Always install with elevated privileges
  • Control maximum size of baseline file cache
  • Enforce upgrade component rules
  • Prevent embedded UI
  • Prevent Internet Explorer security prompt for Windows Installer scripts
  • Prevent users from using Windows Installer to install updates and upgrades
  • Prohibit flyweight patching
  • Prohibit non-administrators from applying vendor signed updates
  • Prohibit removal of updates
  • Prohibit rollback
  • Prohibit use of Restart Manager
  • Prohibit User Installs
  • Remove browse dialog box for new source
  • Save copies of transform files in a secure location on workstation
  • Specify the types of events Windows Installer records in its transaction log
  • Turn off creation of System Restore checkpoints
  • Turn off logging via package settings
  • Turn off shared components
  • Turn off Windows Installer
  • Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot
  • Disable or enable software Secure Attention Sequence
  • Display information about previous logons during user logon
  • Report when logon server was not available during user logon
  • Sign-in and lock last interactive user automatically after a restart
  • Turn off the communities features
  • Turn off Windows Mail application
  • Do not allow Windows Media Center to run
  • Prevent Windows Media DRM Internet Access
  • Do Not Show First Use Dialog Boxes
  • Prevent Automatic Updates
  • Prevent Desktop Shortcut Creation
  • Prevent Media Sharing
  • Prevent Quick Launch Toolbar Shortcut Creation
  • Prevent Video Smoothing
  • Do not allow Windows Messenger to be run
  • Do not automatically start Windows Messenger initially
  • Turn off Windows Mobility Center
  • Set the default source path for Update-Help
  • Turn on Module Logging
  • Turn on PowerShell Script Block Logging
  • Turn on PowerShell Transcription
  • Turn on Script Execution
  • Configure Reliability WMI Providers
  • Allow Basic authentication
  • Allow CredSSP authentication
  • Allow unencrypted traffic
  • Disallow Digest authentication
  • Disallow Kerberos authentication
  • Disallow Negotiate authentication
  • Trusted Hosts
  • Allow remote server management through WinRM
  • Disallow WinRM from storing RunAs credentials
  • Specify channel binding token hardening level
  • Turn On Compatibility HTTP Listener
  • Turn On Compatibility HTTPS Listener
  • Allow Remote Shell Access
  • MaxConcurrentUsers
  • Specify idle Timeout
  • Specify maximum amount of memory in MB per Shell
  • Specify maximum number of processes per Shell
  • Specify maximum number of remote shells per user
  • Specify Shell Timeout
  • Hide the Account protection area
  • Hide the App and browser protection area
  • Prevent users from modifying settings
  • Hide the Device performance and health area
  • Disable the Clear TPM button
  • Hide the Device security area
  • Hide the Secure boot area
  • Hide the Security processor (TPM) troubleshooter page
  • Hide the TPM Firmware Update recommendation.
  • Configure customized contact information
  • Configure customized notifications
  • Specify contact company name
  • Specify contact email address or Email ID
  • Specify contact phone number or Skype ID
  • Specify contact website
  • Hide the Family options area
  • Hide the Firewall and network protection area
  • Hide all notifications
  • Hide non-critical notifications
  • Hide Windows Security Systray
  • Hide the Ransomware data recovery area
  • Hide the Virus and threat protection area
  • Disable safeguards for Feature Updates
  • Manage preview builds
  • Select the target Feature Update version
  • Select when Preview Builds and Feature Updates are received
  • Select when Quality Updates are received
  • Allow Automatic Updates immediate installation
  • Allow non-administrators to receive update notifications
  • Allow signed updates from an intranet Microsoft update service location
  • Allow updates to be downloaded automatically over metered connections
  • Always automatically restart at the scheduled time
  • Automatic Updates detection frequency
  • Configure auto-restart reminder notifications for updates
  • Configure auto-restart required notification for updates
  • Configure auto-restart warning notifications schedule for updates
  • Configure Automatic Updates
  • Defer Upgrades and Updates
  • Delay Restart for scheduled installations
  • Display options for update notifications
  • Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
  • Do not allow update deferral policies to cause scans against Windows Update
  • Do not connect to any Windows Update Internet locations
  • Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
  • Do not include drivers with Windows Updates
  • Enable client-side targeting
  • Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates
  • No auto-restart with logged on users for scheduled automatic updates installations
  • Re-prompt for restart with scheduled installations
  • Remove access to "Pause updates" feature
  • Remove access to use all Windows Update features
  • Reschedule Automatic Updates scheduled installations
  • Specify active hours range for auto-restarts
  • Specify deadline before auto-restart for update installation
  • Specify deadlines for automatic updates and restarts
  • Specify Engaged restart transition and notification schedule for updates
  • Specify intranet Microsoft update service location
  • Specify source service for specific classes of Windows Updates
  • Turn off auto-restart for updates during active hours
  • Turn off auto-restart notifications for update installations
  • Turn on recommended updates via Automatic Updates
  • Turn on Software Notifications
  • Update Power Policy for Cart Restarts
  • Force automatic setup for all users
  • Administrative Templates (Users)
  • User State Management Client Side Extension
  • Go directly to Components Wizard
  • Hide Add/Remove Windows Components page
  • Hide Add New Programs page
  • Hide Change or Remove Programs page
  • Hide the "Add a program from CD-ROM or floppy disk" option
  • Hide the "Add programs from Microsoft" option
  • Hide the "Add programs from your network" option
  • Hide the Set Program Access and Defaults page
  • Remove Add or Remove Programs
  • Remove Support Information
  • Specify default category for Add New Programs
  • Disable the Display Control Panel
  • Hide Settings tab
  • Enable screen saver
  • Force a specific visual style file or force Windows Classic
  • Force specific screen saver
  • Load a specific theme
  • Password protect the screen saver
  • Prevent changing color and appearance
  • Prevent changing color scheme
  • Prevent changing desktop background
  • Prevent changing desktop icons
  • Prevent changing mouse pointers
  • Prevent changing screen saver
  • Prevent changing sounds
  • Prevent changing theme
  • Prevent changing visual style for windows and buttons
  • Prohibit selection of visual style font size
  • Screen saver timeout
  • Browse a common web site to find printers
  • Browse the network to find printers
  • Default Active Directory path when searching for printers
  • Prevent addition of printers
  • Prevent deletion of printers
  • Turn off Windows default printer management
  • Hide "Get Programs" page
  • Hide "Installed Updates" page
  • Hide "Programs and Features" page
  • Hide "Set Program Access and Computer Defaults" page
  • Hide "Windows Features"
  • Hide "Windows Marketplace"
  • Hide the Programs Control Panel
  • Hide Regional and Language Options administrative options
  • Hide the geographic location option
  • Hide the select language group options
  • Hide user locale selection and customization options
  • Restrict selection of Windows menus and dialogs language
  • Restricts the UI languages Windows should use for the selected user
  • Turn off autocorrect misspelled words
  • Turn off highlight misspelled words
  • Turn off insert a space after selecting a text prediction
  • Turn off offer text predictions as I type
  • Always open All Control Panel Items when opening Control Panel
  • Hide specified Control Panel items
  • Prohibit access to Control Panel and PC settings
  • Show only specified Control Panel items
  • Enable filter in Find dialog box
  • Hide Active Directory folder
  • Maximum size of Active Directory searches
  • Add/Delete items
  • Allow only bitmapped wallpaper
  • Desktop Wallpaper
  • Disable Active Desktop
  • Disable all items
  • Enable Active Desktop
  • Prohibit adding items
  • Prohibit changes
  • Prohibit closing items
  • Prohibit deleting items
  • Prohibit editing items
  • Don't save settings at exit
  • Do not add shares of recently opened documents to Network Locations
  • Hide and disable all items on the desktop
  • Hide Internet Explorer icon on desktop
  • Hide Network Locations icon on desktop
  • Prevent adding, dragging, dropping and closing the Taskbar's toolbars
  • Prohibit adjusting desktop toolbars
  • Prohibit User from manually redirecting Profile Folders
  • Remove Computer icon on the desktop
  • Remove My Documents icon on the desktop
  • Remove Properties from the Computer icon context menu
  • Remove Properties from the Documents icon context menu
  • Remove Properties from the Recycle Bin context menu
  • Remove Recycle Bin icon from desktop
  • Remove the Desktop Cleanup Wizard
  • Turn off Aero Shake window minimizing mouse gesture
  • Ability to change properties of an all user remote access connection
  • Ability to delete all user remote access connections
  • Ability to Enable/Disable a LAN connection
  • Ability to rename all user remote access connections
  • Ability to rename LAN connections
  • Ability to rename LAN connections or remote access connections available to all users
  • Enable Windows 2000 Network Connections settings for Administrators
  • Prohibit access to properties of a LAN connection
  • Prohibit access to properties of components of a LAN connection
  • Prohibit access to properties of components of a remote access connection
  • Prohibit access to the Advanced Settings item on the Advanced menu
  • Prohibit access to the New Connection Wizard
  • Prohibit access to the Remote Access Preferences item on the Advanced menu
  • Prohibit adding and removing components for a LAN or remote access connection
  • Prohibit changing properties of a private remote access connection
  • Prohibit connecting and disconnecting a remote access connection
  • Prohibit deletion of remote access connections
  • Prohibit Enabling/Disabling components of a LAN connection
  • Prohibit renaming private remote access connections
  • Prohibit TCP/IP advanced configuration
  • Prohibit viewing of status for an active connection
  • Turn off notifications when a connection has only limited or no connectivity
  • Allow DFS roots to be published
  • Allow shared folders to be published
  • Set the time Quiet Hours begins each day
  • Set the time Quiet Hours ends each day
  • Turn off calls during Quiet Hours
  • Turn off notification mirroring
  • Turn off notifications network usage
  • Turn off Quiet Hours
  • Turn off tile notifications
  • Turn off toast notifications
  • Turn off toast notifications on the lock screen
  • Turn on multiple expanded toast notifications in action center
  • Add "Run in Separate Memory Space" check box to Run dialog box
  • Add Logoff to the Start Menu
  • Add Search Internet link to Start Menu
  • Add the Run command to the Start Menu
  • Change Start Menu power button
  • Clear history of recently opened documents on exit
  • Clear the recent programs list for new users
  • Clear tile notifications during log on
  • Disable showing balloon notifications as toasts.
  • Do not allow pinning items in Jump Lists
  • Do not allow pinning programs to the Taskbar
  • Do not allow pinning Store app to the Taskbar
  • Do not allow taskbars on more than one display
  • Do not display any custom toolbars in the taskbar
  • Do not display or track items in Jump Lists from remote locations
  • Do not keep history of recently opened documents
  • Do not search communications
  • Do not search for files
  • Do not search Internet
  • Do not search programs and Control Panel items
  • Do not use the search-based method when resolving shell shortcuts
  • Do not use the tracking-based method when resolving shell shortcuts
  • Force classic Start Menu
  • Force Start to be either full screen size or menu size
  • Go to the desktop instead of Start when signing in
  • Gray unavailable Windows Installer programs Start Menu shortcuts
  • Hide the notification area
  • List desktop apps first in the Apps view
  • Lock all taskbar settings
  • Lock the Taskbar
  • Prevent changes to Taskbar and Start Menu Settings
  • Prevent grouping of taskbar items
  • Prevent users from adding or removing toolbars
  • Prevent users from customizing their Start Screen
  • Prevent users from moving taskbar to another screen dock location
  • Prevent users from rearranging toolbars
  • Prevent users from resizing the taskbar
  • Prevent users from uninstalling applications from Start
  • Remove access to the context menus for the taskbar
  • Remove All Programs list from the Start menu
  • Remove Balloon Tips on Start Menu items
  • Remove Clock from the system notification area
  • Remove common program groups from Start Menu
  • Remove Default Programs link from the Start menu.
  • Remove Documents icon from Start Menu
  • Remove Downloads link from Start Menu
  • Remove Favorites menu from Start Menu
  • Remove frequent programs list from the Start Menu
  • Remove Games link from Start Menu
  • Remove Help menu from Start Menu
  • Remove Homegroup link from Start Menu
  • Remove links and access to Windows Update
  • Remove Logoff on the Start Menu
  • Remove Music icon from Start Menu
  • Remove Network Connections from Start Menu
  • Remove Network icon from Start Menu
  • Remove Notifications and Action Center
  • Remove Pictures icon from Start Menu
  • Remove pinned programs from the Taskbar
  • Remove pinned programs list from the Start Menu
  • Remove programs on Settings menu
  • Remove Recent Items menu from Start Menu
  • Remove Recorded TV link from Start Menu
  • Remove Run menu from Start Menu
  • Remove Search Computer link
  • Remove Search link from Start Menu
  • Remove See More Results / Search Everywhere link
  • Remove the "Undock PC" button from the Start Menu
  • Remove the battery meter
  • Remove the Meet Now icon
  • Remove the networking icon
  • Remove the People Bar from the taskbar
  • Remove the Security and Maintenance icon
  • Remove the volume control icon
  • Remove user's folders from the Start Menu
  • Remove user folder link from Start Menu
  • Remove user name from Start Menu
  • Remove Videos link from Start Menu
  • Search just apps from the Apps view
  • Show "Run as different user" command on Start
  • Show additional calendar
  • Show QuickLaunch on Taskbar
  • Show Start on the display the user is using when they press the Windows logo key
  • Show the Apps view automatically when the user goes to Start
  • Show Windows Store apps on the taskbar
  • Turn off all balloon notifications
  • Turn off automatic promotion of notification icons to the taskbar
  • Turn off feature advertisement balloon notifications
  • Turn off notification area cleanup
  • Turn off personalized menus
  • Turn off taskbar thumbnails
  • Turn off user tracking
  • Remove Change Password
  • Remove Lock Computer
  • Remove Logoff
  • Remove Task Manager
  • Code signing for driver packages
  • Configure driver search locations
  • Do not automatically make all redirected folders available offline
  • Do not automatically make specific redirected folders available offline
  • Enable optimized move of contents in Offline Files cache on Folder Redirection server path change
  • Configure Group Policy domain controller selection
  • Create new Group Policy Object links disabled by default
  • Enforce Show Policies Only
  • Set default name for new Group Policy objects
  • Set Group Policy refresh interval for users
  • Turn off automatic update of ADM files
  • Turn off Help Experience Improvement Program
  • Turn off Help Ratings
  • Turn off Windows Online
  • Prompt for password on resume from hibernate/suspend
  • Run legacy logon scripts hidden
  • Run logoff scripts visible
  • Run logon scripts visible
  • Connect home directory to root of the share
  • Exclude directories in roaming profile
  • Limit profile size
  • Specify network directories to sync at logon/logoff time only
  • Century interpretation for Year 2000
  • Custom User Interface
  • Don't run specified Windows applications
  • Prevent access to registry editing tools
  • Prevent access to the command prompt
  • Run only specified Windows applications
  • Windows Automatic Updates
  • Default risk level for file attachments
  • Do not preserve zone information in file attachments
  • Hide mechanisms to remove zone information
  • Inclusion list for high risk file types
  • Inclusion list for low file types
  • Inclusion list for moderate risk file types
  • Notify antivirus programs when opening attachments
  • Trust logic for file attachments
  • Allow Graphing Calculator
  • Configure Windows spotlight on lock screen
  • Do not suggest third-party content in Windows spotlight
  • Do not use diagnostic data for tailored experiences
  • Turn off all Windows spotlight features
  • Turn off the Windows Welcome Experience
  • Turn off Windows Spotlight on Action Center
  • Turn off Windows Spotlight on Settings
  • Do not show recent apps when the mouse is pointing to the upper-left corner of the screen
  • Prevent users from replacing the Command Prompt with Windows PowerShell in the menu they see when they right-click the lower-left corner or press the Windows logo key+X
  • Search, Share, Start, Devices, and Settings don't appear when the mouse is pointing to the upper-right corner of the screen
  • Turn off switching between recent apps
  • Turn off tracking of app usage
  • Hide the common dialog back button
  • Hide the common dialog places bar
  • Hide the dropdown list of recent files
  • Items displayed in Places Bar
  • Turn off Preview Pane
  • Turn on or off details pane
  • Allow only per user or approved shell extensions
  • Disable Known Folders
  • Display confirmation dialog when deleting files
  • Display the menu bar in File Explorer
  • Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon
  • Do not display the Welcome Center at user logon
  • Do not move deleted files to the Recycle Bin
  • Do not request alternate credentials
  • Do not track Shell shortcuts during roaming
  • Hides the Manage item on the File Explorer context menu
  • Hide these specified drives in My Computer
  • Maximum allowed Recycle Bin size
  • Maximum number of recent documents
  • No Computers Near Me in Network Locations
  • No Entire Network in Network Locations
  • Pin Internet search sites to the "Search again" links and the Start menu
  • Pin Libraries or Search Connectors to the "Search again" links and the Start menu
  • Prevent access to drives from My Computer
  • Prevent users from adding files to the root of their Users Files folder.
  • Remove "Map Network Drive" and "Disconnect Network Drive"
  • Remove CD Burning features
  • Remove DFS tab
  • Remove File Explorer's default context menu
  • Remove File menu from File Explorer
  • Remove Hardware tab
  • Remove Search button from File Explorer
  • Remove Security tab
  • Remove Shared Documents from My Computer
  • Remove the Search the Internet "Search again" link
  • Remove UI to change keyboard navigation indicator setting
  • Remove UI to change menu animation setting
  • Request credentials for network installations
  • Turn off caching of thumbnail pictures
  • Turn off common control and window animations
  • Turn off display of recent search entries in the File Explorer search box
  • Turn off the caching of thumbnails in hidden thumbs.db files
  • Turn off the display of snippets in Content view mode
  • Turn off the display of thumbnails and only display icons.
  • Turn off the display of thumbnails and only display icons on network folders
  • Turn off Windows Key hotkeys
  • Turn off Windows Libraries features that rely on indexed file data
  • Turn on Classic Shell
  • Allow Windows Runtime apps to revoke enterprise data
  • Configure Japanese IME version
  • Configure Simplified Chinese IME version
  • Configure Traditional Chinese IME version
  • Do not include Non-Publishing Standard Glyph in the candidate list
  • Restrict character code range of conversion
  • Turn off custom dictionary
  • Turn off history-based predictive input
  • Turn off Internet search integration
  • Turn off Open Extended Dictionary
  • Turn off saving auto-tuning data to file
  • Turn on cloud candidate for CHS
  • Turn on cloud candidate
  • Turn on lexicon update
  • Turn on Live Sticker
  • Turn on misconversion logging for misconversion report
  • Custom Instant Search Internet search provider
  • Audio/Video Player
  • DHTML Edit Control
  • Menu Controls
  • Microsoft Agent
  • Microsoft Chat
  • Microsoft Scriptlet Component
  • Microsoft Survey Control
  • NetShow File Transfer Control
  • Shockwave Flash
  • Disable Open in New Window menu option
  • Disable Save this program to disk option
  • File menu: Disable closing the browser and Explorer windows
  • File menu: Disable New menu option
  • File menu: Disable Open menu option
  • File menu: Disable Save As... menu option
  • File menu: Disable Save As Web Page Complete
  • Help menu: Remove 'For Netscape Users' menu option
  • Help menu: Remove 'Send Feedback' menu option
  • Help menu: Remove 'Tip of the Day' menu option
  • Help menu: Remove 'Tour' menu option
  • Hide Favorites menu
  • Tools menu: Disable Internet Options... menu option
  • Turn off Shortcut Menu
  • View menu: Disable Full Screen menu option
  • View menu: Disable Source menu option
  • Hide the button (next to the New Tab button) that opens Microsoft Edge
  • Turn off configuring underline links
  • Turn off details in messages about Internet connection problems
  • Turn off page transitions
  • Turn off smooth scrolling
  • Turn on script debugging
  • Turn on the display of script errors
  • Start the Internet Connection Wizard automatically
  • Allow the display of image download placeholders
  • Turn off automatic image resizing
  • Turn off image display
  • Turn off smart image dithering
  • Turn on printing of background colors and images
  • Turn on automatic signup
  • Turn off inline AutoComplete in File Explorer
  • Turn on inline AutoComplete
  • Prevent specifying background color
  • Prevent specifying text color
  • Prevent the use of Windows colors
  • Prevent specifying the color of links that have already been clicked
  • Prevent specifying the color of links that have not yet been clicked
  • Prevent specifying the hover color
  • Turn on the hover color option
  • Prevent choosing default text size
  • Turn off sending URL path as UTF-8
  • Disable adding channels
  • Disable adding schedules for offline pages
  • Disable all scheduled offline pages
  • Disable channel user interface completely
  • Disable downloading of site subscription content
  • Disable editing and creating of schedule groups
  • Disable editing schedules for offline pages
  • Disable offline page hit logging
  • Disable removing channels
  • Disable removing schedules for offline pages
  • Subscription Limits
  • File size limits for Internet zone
  • File size limits for Intranet zone
  • File size limits for Local Machine zone
  • File size limits for Restricted Sites zone
  • File size limits for Trusted Sites zone
  • Turn off automatic download of the ActiveX VersionList
  • Configure Toolbar Buttons
  • Disable customizing browser toolbar buttons
  • Disable customizing browser toolbars
  • Configure Media Explorer Bar
  • Configure Outlook Express
  • Disable AutoComplete for forms
  • Disable caching of Auto-Proxy scripts
  • Disable changing accessibility settings
  • Disable changing Advanced page settings
  • Disable changing Calendar and Contact settings
  • Disable changing certificate settings
  • Disable changing color settings
  • Disable changing default browser check
  • Disable changing font settings
  • Disable changing home page settings
  • Disable changing language settings
  • Disable changing link color settings
  • Disable changing Messaging settings
  • Disable changing Profile Assistant settings
  • Disable changing ratings settings
  • Disable changing Temporary Internet files settings
  • Disable external branding of Internet Explorer
  • Disable Internet Connection wizard
  • Disable the Reset Web Settings feature
  • Display error message on proxy script download failure
  • Identity Manager: Prevent users from using Identities
  • Notify users if Internet Explorer is not the default web browser
  • Position the menu bar above the navigation bar
  • Search: Disable Find Files via F3 within the browser
  • Search: Disable Search Customization
  • Turn off Tab Grouping
  • Turn on the auto-complete feature for user names and passwords on forms
  • Use Automatic Detection for dial-up connections
  • AppleTalk Routing
  • Authorization Manager
  • Certification Authority Policy Settings
  • Connection Sharing (NAT)
  • DCOM Configuration Extension
  • Device Manager
  • DFS Management Extension
  • DHCP Relay Management
  • Disk Management Extension
  • Event Viewer (Windows Vista)
  • Event Viewer
  • Extended View (Web View)
  • File Server Resource Manager Extension
  • IAS Logging
  • IGMP Routing
  • IPX RIP Routing
  • IPX Routing
  • IPX SAP Routing
  • Logical and Mapped Drives
  • OSPF Routing
  • Public Key Policies
  • RAS Dialin - User Node
  • Remote Access
  • Removable Storage
  • RIP Routing
  • Send Console Message
  • Service Dependencies
  • Share and Storage Management Extension
  • Shared Folders Ext
  • SMTP Protocol
  • Storage Manager for SANS Extension
  • System Properties
  • Folder Redirection
  • Internet Explorer Maintenance
  • IP Security Policy Management
  • NAP Client Configuration
  • Remote Installation Services
  • Scripts (Logon/Logoff)
  • Scripts (Startup/Shutdown)
  • Security Settings
  • Software Installation (Computers)
  • Software Installation (Users)
  • Windows Firewall with Advanced Security
  • Wired Network (IEEE 802.3) Policies
  • Wireless Network (IEEE 802.11) Policies
  • Permit use of Application snap-ins
  • Permit use of Applications preference extension
  • Permit use of Control Panel Settings (Computers)
  • Permit use of Control Panel Settings (Users)
  • Permit use of Data Sources preference extension
  • Permit use of Devices preference extension
  • Permit use of Drive Maps preference extension
  • Permit use of Environment preference extension
  • Permit use of Files preference extension
  • Permit use of Folder Options preference extension
  • Permit use of Folders preference extension
  • Permit use of Ini Files preference extension
  • Permit use of Internet Settings preference extension
  • Permit use of Local Users and Groups preference extension
  • Permit use of Network Options preference extension
  • Permit use of Network Shares preference extension
  • Permit use of Power Options preference extension
  • Permit use of Preferences tab
  • Permit use of Printers preference extension
  • Permit use of Regional Options preference extension
  • Permit use of Registry preference extension
  • Permit use of Scheduled Tasks preference extension
  • Permit use of Services preference extension
  • Permit use of Shortcuts preference extension
  • Permit use of Start Menu preference extension
  • Group Policy Management Editor
  • Group Policy Management
  • Group Policy Object Editor
  • Group Policy Starter GPO Editor
  • Group Policy tab for Active Directory Tools
  • Resultant Set of Policy snap-in
  • .Net Framework Configuration
  • Active Directory Domains and Trusts
  • Active Directory Sites and Services
  • Active Directory Users and Computers
  • ActiveX Control
  • Certificates
  • Certificate Templates
  • Certification Authority
  • Component Services
  • Computer Management
  • DFS Management
  • Disk Defragmenter
  • Disk Management
  • Distributed File System
  • Enterprise PKI
  • Failover Clusters Manager
  • FAX Service
  • File Server Resource Manager
  • FrontPage Server Extensions
  • Health Registration Authority (HRA)
  • Indexing Service
  • Internet Authentication Service (IAS)
  • Internet Information Services
  • IP Security Monitor
  • Link to Web Address
  • Local Users and Groups
  • Network Policy Server (NPS)
  • Online Responder
  • Performance Logs and Alerts
  • QoS Admission Control
  • Remote Desktop Services Configuration
  • Remote Desktops
  • Removable Storage Management
  • Routing and Remote Access
  • Security Configuration and Analysis
  • Security Templates
  • Server Manager
  • Share and Storage Management
  • Shared Folders
  • Storage Manager for SANs
  • System Information
  • TPM Management
  • Wireless Monitor
  • WMI Control
  • Restrict the user from entering author mode
  • Restrict users to the explicitly permitted list of snap-ins
  • Configure the inclusion of Microsoft Edge tabs into Alt-Tab
  • Disable application Sharing
  • Prevent Application Sharing in true color
  • Prevent Control
  • Prevent Desktop Sharing
  • Prevent Sharing Command Prompts
  • Prevent Sharing Explorer windows
  • Prevent Sharing
  • Disable Audio
  • Disable full duplex Audio
  • Limit the bandwidth of Audio and Video
  • Prevent changing DirectSound Audio setting
  • Prevent receiving Video
  • Prevent sending Video
  • Disable the Advanced Calling button
  • Hide the Audio page
  • Hide the General page
  • Hide the Security page
  • Hide the Video page
  • Allow persisting automatic acceptance of Calls
  • Disable Chat
  • Disable Directory services
  • Disable NetMeeting 2.x Whiteboard
  • Disable Whiteboard
  • Enable Automatic Configuration
  • Limit the size of sent files
  • Prevent adding Directory servers
  • Prevent automatic acceptance of Calls
  • Prevent changing Call placement method
  • Prevent receiving files
  • Prevent sending files
  • Prevent viewing Web directory
  • Set Call Security options
  • Set the intranet support Web page
  • Prevent users from sharing files within their profile.
  • Enable connection through RD Gateway
  • Set RD Gateway authentication method
  • Set RD Gateway server address
  • Specify default connection URL
  • Remove remote desktop wallpaper
  • Turn off storage and display of search history
  • Prevent removable media source for any installation
  • Specify the order in which Windows Installer searches for installation files
  • Remove logon hours expiration warnings
  • Set action to take when logon hours expire
  • Configure HTTP Proxy
  • Configure MMS Proxy
  • Configure Network Buffering
  • Configure RTSP Proxy
  • Hide Network Tab
  • Streaming Media Protocols
  • Allow Screen Saver
  • Prevent Codec Download
  • Do Not Show Anchor
  • Hide Privacy Tab
  • Hide Security Tab
  • Set and Lock Skin
  • Prevent CD and DVD Media Information Retrieval
  • Prevent Music File Media Information Retrieval
  • Prevent Radio Station Preset Retrieval
  • Enables the use of Token Broker for AD FS authentication
  • Specify Work Folders settings
  • Enable auto-subscription

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

What are the defaults for the "user rights assignment" in an AD environment?

In a non-domain environment, gpedit.msc lets me associate various "user rights" (like "create a pagefile" or "create permanent shared objects") with users or accounts. This is in Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.

Where exactly do I do this in AD? (Please don't just say e.g. "Group Policy Management Console". I've looked at all of the tools I can find, especially in GPMC, and I can't see it. I need either very explicit directions or screen snaps.

ADDED: Ok, I think I get it. You create a new GPO, click Edit, and this gets you to the Group Policy Management Editor where I find the familiar path. Then I link my new GPO to the domain or the OU or whatever where I want it to apply.

But I still have a question: none of the rights in the editor come pre-set to anything. Well, that makes sense because it's a brand new GPO. But is there any way to know what the defaults are, defaults that my new GPO will override? For example, what rights do members of the "Domain Admins" group get, by default?

  • active-directory

Jamie Hanrahan's user avatar

  • If the downvoter would like to explain the reason for the downvote, I'd love to read it. I've been looking for this answer for over an hour so "did not do any research" is not the case. –  Jamie Hanrahan Oct 17, 2018 at 20:10

2 Answers 2

The defaults are documented in:

Group Policy Settings Reference Spreadsheet https://www.microsoft.com/en-us/download/details.aspx?id=56946

On the Security tab. Covers all versions of Windows. (I don't believe it has been updated for 1809 yet).

Greg Askew's user avatar

It depends on what you're asking.

If you're asking for User Rights Assignment on a single computer, look for Local Security Policy.

If you're asking for User Rights Assignment as a group policy, well, it shows up just fine in my console. Are you using RSAT (Remote Server Administration Tools)? I'm using the RSAT available for Windows 10. Older versions of RSAT (or the version on the domain controller) may be missing some options.

enter image description here

  • Yeah... I finally realized (after asking the first form of the question) that you can only see them when you open the Editor. It's surprising to me though that the Default Domain Policy comes with everything "Not defined" and yet the defaults are certainly being applied. Thanks! –  Jamie Hanrahan Oct 17, 2018 at 21:32

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged active-directory ..

  • The Overflow Blog
  • How Stack Overflow is partnering with Google to encourage socially...
  • Featured on Meta
  • Our partnership with Google and commitment to socially responsible AI
  • Shifting the data dump schedule: A proposal

Hot Network Questions

  • Requires compile with msvc but rejected by gcc
  • "Little Pussy Malanga, sometimes confused with fellow reputed mobster Big Pussy Bonpensiero, ..." — What does "fellow reputed mobster" mean?
  • What was the total army strength of the Byzantine empire under Justinian?
  • Ex-advisor wants to publish my work in a journal I don't like
  • 江戸 ... is it pronounced Edo or Yeddo or both?
  • Is my queue table implementation race condition safe?
  • Wrong result for simple real-valued integral (spurious imaginary part)
  • Linking quaver and semiquaver beams over a rest with LilyPond
  • Is it fine to correct and extend texts of a late colleague when publishing them?
  • SSH parameterized config entries?
  • Was the Holtzman Shield gas permeable?
  • How many hours spending learning a day
  • Are there languages L1 ⊆ L2 ⊆ L3 when L1 and L3 are NP-Complete languages and L2 ∈ P?
  • Deleting Software I Wrote Upon Leaving Employment of a Company
  • Is there a plane of symmetry in [Ma3b2c]?
  • Would Lesser/Greater Restoration be able to cure a mental illness?
  • How much do we need to understand about finances in order to trust our fiduciary advisor's recommendations?
  • Quantum Superposition and the Possibility of Free Will
  • Zero set of prime ideal
  • What statistical analysis test can be used to find the direction of effect?
  • Chee Ops stations
  • Is utilizing a singleton for a cache an antipattern?
  • Is linear regression still relevant in a mid-level DS interview?
  • Adding up numbers

user rights assignment admx

All about Microsoft Intune

Peter blogs about Microsoft Intune, Microsoft Intune Suite, Windows Autopilot, Configuration Manager and more

user rights assignment admx

Restricting the local log on to specific users

This week is about restricting the local logon on Windows devices to specific users. Not because it is something particularly new, but simply because it is been an ask every now and then. Think about further locking down a kiosk device, for example. Restricting the local logon can be achieved by either only allowing specific users to log on, or by denying specific users to log on. In other words, whitelisting versus blacklisting. The allow-option is basically a whitelist and the deny-option is basically a blacklist. When looking at restricting the local logon, a whitelist is the easiest method to get quickly really restrictive, as only the users on the list are allowed to log on locally. Luckily, nowadays there is easy method for configuring such a whitelist with users that are allowed to log on locally on a Windows device. This post will provide some more details around that configuration, followed with the configuration steps. This post will end with showing the user experience.

Note : Keep in mind that this post is focussed on the local log on on Windows devices and not the remote log on.

Configuring the allow local log on setting

When looking at configuring the allow local log on configuration, the UserRights section in the Policy CSP is the place to look. That section contains many of the different policy settings of the User Rights Assignment Local Policies , including the Allow log on locally ( AllowLocalLogOn ) policy setting. That policy setting can be used to configure the users that are allowed to locally log on to the Windows device. Besides that, it’s also good to mention that with the latest Windows 11 Insider Preview Builds, this section of the Policy CSP, is getting more and more policy settings. Nearly all of the User Rights Assignment Local Policies are now available for configuration, including Logon as a service , Logon as a batch job , and many more. Maybe even better, all of these available policy settings – including the new policy settings that are currently still in preview – are now configurable via the Settings Catalog profile (as shown below in Figure 1).

user rights assignment admx

After being familiar with the available policy settings and the configuration profile, the configuration of those policy settings is pretty straight forward. The following eight steps walk through the creation of a  Settings Catalog  profile that contains the required setting to configure the local logon, by using the Allow log on locally policy setting.

  • Open the  Microsoft Intune admin center  portal and navigate to  Devices  >  Windows  >  Configuration profiles
  • On the  Windows | Configuration profiles  blade, click  Create profile
  • On the  Create a profile  blade, provide the following information and click  Create
  • Platform : Select  Windows 10 and later  to create a profile for Windows 10 and Windows 11 devices
  • Profile : Select  Settings catalog  to select the required setting from the catalog
  • On the  Basics  page, provide the following information and click  Next
  • Name : Provide a name for the profile to distinguish it from other similar profiles
  • Description : (Optional) Provide a description for the profile to further differentiate profiles
  • Platform : (Greyed out) Windows 10 and later
  • On the  Configuration settings  page, as shown below in Figure 2, perform the following actions
  • Select  User Rights  as category
  • Select  Allow Local Log On  as setting
  • Specify the required users and local groups – all on separate lines – and click  Next

user rights assignment admx

  • On the  Scope tags  page, configure the required scope tags and click  Next
  • On the  Assignments  page, configure the assignment and click  Next
  • On the  Review + create  page, verify the configuration and click  Create

Note : As these settings are now configurable via the Settings Catalog , that also takes away the challenges with multiple entries. No need to manually specify a delimiter, as Microsoft Intune takes care of that.

Experiencing the user rights configuration

After configuring the users that are allowed to log on locally to the Windows device, it’s pretty straight forward to experience the behavior. Simply try to log on to that device with a user account that is not allowed to log on locally. That will provide an experience as shown below in Figure 3. The user will receive the notification that the sign-in method is not allowed. Besides that, it’s also important to be familiar with the side effects of this configuration. The most important side effect is the impact on the self-service capabilities, like self-service PIN reset and self-service password reset. That’s simply because those capabilities rely on the temporary account defaultuser1 and that account won’t be able to log in, as only the specified users are allowed to locally log on to the Windows device. That experience is shown below in Figure 4. The user will either receive the status message of 0xc000015b , or will simply be switched back to the logon screen.

user rights assignment admx

Note : The failed log on information is registered in the Security log in the Event Viewer with Event ID 4625 .

More information

For more information about the user rights configuration options, refer to the following docs.

  • UserRights Policy CSP – Windows Client Management | Microsoft Learn
  • Self-service password reset for Windows devices – Microsoft Entra | Microsoft Learn

23 thoughts on “Restricting the local log on to specific users”

I’d like to contribute to this.

This method does not inherently allow you to specify an EntraID group of users that you wish to deny local logon (at least it didnt use to) however i’ve found that if you use “account protection” policies populate the local group “Guests” with users from an EntraID group you can use the above stated policy to in effect acheive deny local logon for an EntraID group of users. (Via denying the local group “guests” as stated in your blog)

I use this in production, works well

Thank you for that suggestion, Temilit. Regards, Peter

I have not been able to replicate this. I followed inthecloud247’s blog post on this, but the only SID I was able to add to the Guests local group was the SID of an AAD directory role, and not one of an AAD security group.

Which version of Windows are you using? Regards, Peter

  • Pingback: Microsoft Roadmap, messagecenter en blogs updates van 21-09-2023 - KbWorks

Can you use an AAD group here?

Not at this moment, Henrik. Regards, Peter

Is there currently a way to restrict interactive log in but allow elevation log in prompts? I would like to prevent Intune Admins from logging in locally but still allow elevation for installs/CMD.

Not sure you can achieve that with this policy, but I haven’t looked really deep in that use case yet. Regards, Peter

  • Pingback: Intune Newsletter - 22nd September 2023 - Andrew Taylor
  • Pingback: Enabling remote access for specific users on Azure AD joined devices – All about Microsoft Intune

Is there a way to specify an EntraID security group with this settings?

Hi Yoni, The last time I tried that was not possible yet. Regards, Peter

Is there a way sign in KioskUser0 automatically using User Rights?

Hi Mo, Can you provide some more details about what you’re trying to achieve? Regards, Peter

We have deployed Self-Deploy AutoPilot profile plus Kiosk Configuration Profile for single app and then assign to dynamic device group. The Self-Deploy AutoPilot process completes without any issues and Kiosk policy is applied to the device. However, the KioskUser0 should auto logging automatically after Self-Deploy AutoPilot process completes, but its not auto logging.

Any thought why KioskUser0 not auto logging automatically?

Hi Mo, That can be many things, but something I often see is the device lock configuration that is interfering. Regards, Peter

Hello Peter,

We have Azure AD Joined devices in our enviornment which are migrated from source tenant to target tenant as part of carve out project. Recently we observed that post autopilot build completition when user tried to sign in to device they were prompted error as Sign in method not allowed. However, if we tried to login to device with local admins then it allows.

Standard users not allowed to login, we do have AllowLocallyLogIn baseline policy deployed by security team but it contains Administrators and Users group both. Does on Azure AD joined devices this policy really gets validated when users trying to sign in with UPN ?

This issue is not for all users but 10% users are facing, as a workaround when we reimported hash of thier device again and reimaged device then sign in was allowed (bit strange).

Do you have any idea on this then please give some direction.

Hi Suraj, How did you migrate the devices from source tenant to the target tenant? Regards, Peter

I am seeing something similar for new devices. Again, not all, only a subset. quite often, the user can happily use the device for a period (a few days) then this occurs. LOgging onto the device locally, I am seeing the Allow Logon Locally being blank. very odd. This is using Windows 11 23H2

Hi Shaun, When that happens, do you see anything about (other) policies being applied and/or change? Regards, Peter

I tried to do the restriction as in your procedure, but I got the error 65000 in intune. Since then, it has been impossible to connect with ALL the accounts on the computer. Do you have a solution to go back?

Hi Simon, In that case, you should apply a counter policy with the default configuration. Regards, Peter

Leave a Comment Cancel reply

Notify me of follow-up comments by email.

Notify me of new posts by email.

This site uses Akismet to reduce spam. Learn how your comment data is processed .

  • Home  / 
  • Uncategorized  / 

Configuring User Rights Policies in Intune via Custom Profile

' src=

To make a long story short: When configuring user rights policies in Intune with a device configuration (custom profile), you'll find that the sample provided in the docs won't fully work. It does the correct configuration on the clients, but it will show you a remediation error in the Intune portal, which is not very nice.

Credits: Big thanks to Mark Thomas , who helped me solving this one.

Note: There are upcoming changes to Intune announced that should simplify these configurations. Hopefully very soon.

Due to a bug in with the encoding of the delimiter used when following the CDATA syntax, the evaluation fails with an remediation failed error. The bug is due to the fact that the XML parser which handles the  delimiter only works for ADMX backed policies. Looking something like this:

user rights assignment admx

To workaround the issue until the bug is fixed, skip using the CDATA syntax for now. So instead of using this documented syntax to grant Administrators and Users permissions to for example the Allow local LogOn user right:

Use this syntax instead:

user rights assignment admx

Please note the  delimiter. To make sure you get the right character, go to https://coderstoolbox.net/string/#!encoding=xml&action=decode&charset=us_ascii and enter the below text in the input box and press enter.

user rights assignment admx

Johan Arwidmark

guest

I found it… 🙂 <Data></Data>

How is the format if you want to remove all assignments from a specific user right?

Using just <![CDATA[]]> works, but gives an error in Intune reports. According to your post, the CDATA should be left out, but then there is nothing left and a custom OMA URI does not accept an empty string value.

Session expired

Please log in again. The login page will open in a new tab. After logging in you can close it and return to this page.

Search code, repositories, users, issues, pull requests...

Provide feedback.

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly.

To see all available qualifiers, see our documentation .

  • Notifications

Collection of Intune policies that could assist with implementing ACSC's Windows hardening guidance.

microsoft/Intune-ACSC-Windows-Hardening-Guidelines

Folders and files, repository files navigation, intune acsc windows hardening guidelines.

These Microsoft Intune policies were put together to help organisations comply with the Australian Cyber Security Centre's (ACSC) Windows 10 Hardening Guidance . These policies were originally provided by the ACSC as Group Policy Objects. This repository will provide exports of Intune policies that organisations will be able to import into their Intune tenant for deployment to their Windows devices.

Additional Intune policies have been provided for organisations who are also required to comply with the ACSC's Office Hardening Guidance and the ACSC's Office Macro Security publication.

While the intent of these policies is to assist in an organisations compliance efforts, Microsoft does not represent that use of these policies will create compliance with the Australian Cyber Security Centre's guidance.

What's included?

There are four Windows hardening policies and a collection of scripts contained within this repository.

  • This Settings Catalog policy contains all currently available settings recommended by the ACSC for hardening Windows.
Important: some settings are not be available for configuration via Settings Catalog . Ensure that you verify this representation of the hardening guidance meets your requirements.
  • Microsoft provides a Windows Security Baseline, which is comprised of groups of pre-configured Windows settings that help you apply and enforce granular security settings that are recommended by the relevant security teams within Microsoft. The Microsoft Security Baseline can be deployed with Intune .
  • This Microsoft Security Baseline has been modified so that its settings do not conflict with those of the ACSC Windows Hardening Guidelines. All non-conflicting settings have been left as-is.
  • This Attack Surface Reduction (ASR) policy configures each of the ASR rules recommended by the ACSC in audit mode. ASR rules should be tested for compatibility issues in any environment before enforcement.
  • This Custom configuration profile configures specific User Rights Assignments to be blank, as recommended by the ACSC.
  • This PowerShell script removes PowerShell v2.0, .NET Framework 3.5 (and below) and Internet Explorer 11 (if on Windows 10).
  • A collection of PowerShell scripts that configures registry keys for settings that are currently unavailable to be configured via Settings Catalog .

Supplementary documentation has been provided for the ACSC Windows Hardening Guidelines policy, detailing each configured setting, description of the setting and a link to the corresponding Microsoft Docs page.

  • ACSC Windows Hardening Guidelines documentation

Microsoft 365 Apps for Enterprise

Organisations that are required to harden Microsoft 365 Apps for Enterprise (formerly known as Office 365 ProPlus) with the ACSC recommended hardening policies, including limiting the execution of macros to Trusted Publishers can use the supplied policies. See the Microsoft 365 Apps for Enterprise README for additional information and steps to import the policies.

Microsoft Edge

Organisations that are looking to harden only Microsoft Edge, without applying all additional Windows hardening recommended by the ACSC can use the supplied policy. See Microsoft Edge README for additional information and steps to import the policy.

What's not included?

Although the below settings are configured as a part of the ACSC Windows Hardening Guidelines, they have not been included in this version of the guidelines. It is still recommended to configure each of the settings below as a part of an end to end security strategy.

  • Organisations have unique Application Whitelisting requirements. Apply your organisations AppLocker policy via the AppLocker CSP . Consider the use of AaronLocker , which aims to make application control using AppLocker and Windows Defender Application Control (WDAC) as easy and practical as possible.
  • Manage disk encryption with a Disk Encryption Endpoint Security policy .
  • The configuration for Controlled Folder Access requires input that is unique to each organisation.
  • Configure Controlled Folder Access by creating an Attack surface reduction policy in the Microsoft Intune console , under Endpoint Security > Attack surface reduction
  • Intune provides the ability to enable and configure Microsoft Defender Application Guard . The configuration of Application Guard requires additional input from the organisation, such as a Windows network isolation policy.
  • Organisations typically standardise on a management platform that provides patching capabilities. Microsoft's recommendation is to move to Windows Update for Business .
  • If a setting does not have a corresponding Settings Catalog, Endpoint Security or device configuration setting, it was not configured.
  • A possible way to implement these settings would be with a PowerShell script, deployed via Intune.

Requirements

These policies were developed on Azure AD Joined Windows 10 & Windows 11 devices and can be deployed to either Operating System where Intune is providing the device configuration workload, regardless of join type. Ensure that devices are currently supported and the appropriate Microsoft Endpoint Manager licences have been assigned.

Ensure that KB5005565 has been installed, which was released as a part of the September 14th, 2021 quality updates. This KB contains updated Mobile Device Management policies. Without this update, the policies provided will not be applied successfully.

How to import the policies

To import the policies, use Graph Explorer . After running through the import instructions below, the following policies and profiles will be imported into the organisations Intune tenant.

Note: After importing the policies, the policies will need to be assigned to a group.
  • This Settings Catalog policy will be found in the Microsoft Intune console , under: Devices > Windows > Configuration profiles
  • This Security Baseline will be found in the Microsoft Intune console , under: Endpoint Security > Security Baselines > Security Baseline for Windows 10 and later
  • This Attack surface reduction policy will be found in the Microsoft Intune console , under: Endpoint Security > Attack surface reduction
  • This Custom configuration profile will be found in the Microsoft Intune console , under: Devices > Windows > Configuration profiles
  • This PowerShell script will be found in the Microsoft Intune console , under: Devices > Windows > PowerShell scripts
  • Multiple PowerShell scripts, each corresponding to the name of the registry key they configure
Note: When using Graph Explorer, you may need to consent to permissions if you have not done so before. For more information, please see Working with Graph Explorer .

ACSC Windows Hardening Guidelines (Settings Catalog)

  • Save the ACSC Windows Hardening Guidelines policy to your local device
  • Navigate to the Microsoft Intune console
  • Import a policy, under Devices > Windows > Configuration profiles > Create > Import Policy
  • Name the policy, select Browse for files under Policy file and navigate to the saved policy from step 1

Windows Security Baseline (for use with ACSC Windows Hardening Guidelines) (Windows Security Baseline)

  • Navigate to Graph Explorer and authenticate
  • Create a POST request, using the beta schema to the Windows Security Baseline policy endpoint: https://graph.microsoft.com/beta/deviceManagement/templates/034ccd46-190c-4afc-adf1-ad7cc11262eb/createInstance
  • Copy the JSON in the Windows Security Baseline (for use with ACSC Windows Hardening Guidelines) policy and paste it in the request body
  • (Optional) modify the name value if required

ACSC Windows Hardening Guidelines - Attack Surface Reduction Rules (Endpoint Security)

  • Create a POST request, using the beta schema to the Attack Surface Reduction policy endpoint: https://graph.microsoft.com/beta/deviceManagement/templates/0e237410-1367-4844-bd7f-15fb0f08943b/createInstance
  • Copy the JSON in the ACSC Windows Hardening Guidelines-Attack Surface Reduction policy and paste it in the request body

ACSC Windows Hardening Guidelines - User Rights Assignment (Custom Configuration Profile)

  • Create a POST request, using the beta schema to the device configuration endpoint: https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
  • Copy the JSON in the ACSC Windows Hardening Guidelines-User Rights Assignment and paste it in the request body

UserApplicationHardening-RemoveFeatures (PowerShell script)

  • Name : UserApplicationHardening-RemoveFeatures
  • Run this script using the logged on credentials : No
  • Enforce script signature check : No
  • Run script in 64 bit PowerShell Host : No

Multiple PowerShell Scripts

For each PowerShell script in scripts :

  • Name : < name of the corresponding PowerShell script >

Additional Considerations

  • The setting 'Allow Telemetry' has been configured to: 'Security'. Keep in mind that other services require different telemetry settings, such as Update Compliance , which requires Basic telemetry .
  • The setting 'Disable One Drive File Sync' has been configured to: 'disable sync'. This disables OneDrive. Modify this setting to 'sync enabled' to enable OneDrive.

Windows 365 and Azure Virtual Desktop Considerations

As both Windows 365 and Azure Virtual Desktop rely on remote desktop connectivity to the endpoint, you will need to modify the following settings from the ACSC Windows Hardening Guidelines policy to enable remote connectivity.

  • Modify Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Allow users to connect remotely by using Remote Desktop Services from Disabled to Enabled
  • Remove the setting "Deny Access From Network"
  • Remove the setting "Deny Remote Desktop Services Log On"

For help and questions about using this project, please reach out to [email protected] . If you notice any discrepancies in the policies provided, please raise an issue as described in SUPPORT .

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com .

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct . For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines . Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

Code of conduct

Security policy, contributors 4.

@midineenMSFT

  • PowerShell 100.0%

Marcin Szafrankiewicz

All about Microsoft 365 in Enterprise IT

Configuring User Rights via OMA-URI in Microsoft Intune

I’ve recently been implementing CIS Benchmark for Intune, and one of big chapters within it were Windows User Rights. Unfortunately, MS documentation was poorly written and confusing, to say the least.

Not only was it discussed here: Give an example how to give user rights with MDM Policy CSP · Issue #856 · MicrosoftDocs/windows-itpro-docs · GitHub but also a lot of questions have been raised directly in the benchmark discussion, so I’ve decided to show you how to do this properly.

First of all, in order to set up user rights, you either need to assign them to groups, or to SIDs of these groups. The latter is a better choice because you don’t have to worry about different OS languages.

  • Go to endpoint.microsoft.com and navigate to Devices -> Windows -> Configuration profiles -> Create profile -> Platform – Windows 10 and later, Profile type – Templates and select Custom
  • Fill out Name, Description, and OMA-URI for the User Rights you wish to configure. You can find OMA-URIs there https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-userrights

user rights assignment admx

  • Screenshot above shows that this setting has been deployed correctly. This is a proper way to deal with User Rights (unless for some reason you want to use Endpoint Protection policies). I’ve preferred to stick with ADMX and OMA-URIs for the CIS Benchmark as I think it looks tidier, rather than having policies all over the place 🙂

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

UCF STIG Viewer Logo

  • NIST 800-53
  • Common Controls Hub

The Restore files and directories user right must only be assigned to the Administrators group.

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Walkthrough: Use the cloud to configure group policy on Windows 10/11 devices with ADMX templates and Microsoft Intune

  • 9 contributors

This walkthrough was created as a technical workshop for Microsoft Ignite. It has more prerequisites than typical walkthroughs, as it compares using and configuring ADMX policies in Intune and on-premises.

Group policy administrative templates, also known as ADMX templates, include settings you can configure on Windows client devices, including PCs. The ADMX template settings are available by different services. These settings are used by Mobile Device Management (MDM) providers, including Microsoft Intune. For example, you can turn on Design Ideas in PowerPoint, set a home page in Microsoft Edge, and more.

For an overview of ADMX templates in Intune, including the ADMX templates built-in to Intune, go to Use Windows 10/11 ADMX templates in Microsoft Intune .

For more information on ADMX policies, go to Understanding ADMX-backed policies .

These templates are built in to Microsoft Intune, and are available as Administrative templates profiles. In this profile, you configure the settings you want to include, and then "assign" this profile to your devices.

In this walkthrough, you will:

  • Get introduced to the Microsoft Intune admin center .
  • Create user groups and create device groups.
  • Compare the settings in Intune with on-premises ADMX settings.
  • Create different administrative templates, and configure the settings that target the different groups.

By the end of this lab, you can use Intune and Microsoft 365 to manage your users, and deploy administrative templates.

This feature applies to:

  • Windows 10 version 1709 and newer

There are two ways to create an administrative template: Using a template, or using the Settings Catalog. This article focuses on using the Administrative Templates template. The Settings Catalog has more Administrative Template settings available. For the specific steps to use the Settings Catalog, go to Use the settings catalog to configure settings .

Prerequisites

A Microsoft 365 E3 or E5 subscription, which includes Intune and Microsoft Entra ID P1 or P2. If you don't have an E3 or E5 subscription, try it for free .

For more information on what you get with the different Microsoft 365 licenses, go to Transform your Enterprise with Microsoft 365 .

Microsoft Intune is configured as the Intune MDM Authority . For more information, go to Set the mobile device management authority .

Screenshot that shows how to set the MDM authority to Microsoft Intune in your tenant status.

On an on-premises Active Directory domain controller (DC):

Copy the following Office and Microsoft Edge templates to the Central Store (sysvol folder) :

  • Office administrative templates
  • Microsoft Edge administrative templates > Policy file

Create a group policy to push these templates to a Windows 10/11 Enterprise administrator computer in the same domain as the DC. In this walkthrough:

  • The group policy we created with these templates is called OfficeandEdge . You'll see this name in the images.
  • The Windows 10/11 Enterprise administrator computer we use is called the Admin computer .

In some organizations, a domain administrator has two accounts:

  • A typical domain work account
  • A different domain administrator account used only for domain administrator tasks, such as group policy

The purpose of this Admin computer is for administrators to sign in with their domain administrator account, and access tools designed for managing group policy.

On this Admin computer :

Sign in with a Domain Administrator account.

Add the RSAT: Group Policy Management Tools :

Open the Settings app > System > Optional features > Add feature .

If you use a version older than Windows 10 22H2, go to Settings > Apps > Apps & features > Optional features > Add feature .

Select RSAT: Group Policy Management Tools > Add .

Wait while Windows adds the feature. When complete, it eventually shows in the Windows Administrative Tools app.

Screenshot that shows the Windows Administrative Tools apps, including the Group Policy Management app.

Be sure you have internet access and administrator rights to the Microsoft 365 subscription, which includes the Intune admin center.

Open the Intune admin center

Open a chromium web browser, such as Microsoft Edge version 77 and later.

Go to the Microsoft Intune admin center . Sign in with the following account:

User : Enter the administrator account of your Microsoft 365 tenant subscription. Password : Enter its password.

This admin center is focused on device management, and includes Azure services, such as Microsoft Entra ID and Intune. You might not see the Microsoft Entra ID and Intune branding, but you're using them.

You can also open the Intune admin center from the Microsoft 365 admin center :

Go to https://admin.microsoft.com .

Sign in with the administrator account of your Microsoft 365 tenant subscription.

Select Show all > All admin centers > Endpoint management . The Intune admin center opens.

Screenshot that shows all the admin centers in the Microsoft 365 admin center.

Create groups, and add users

On-premises policies are applied in the LSDOU order - local, site, domain, and organizational unit (OU). In this hierarchy, OU policies overwrite local policies, domain policies overwrite site policies, and so on.

In Intune, policies are applied to users and groups you create. There isn't a hierarchy. For example:

  • If two policies update the same setting, then the setting shows as a conflict.
  • If two compliance policies are in conflict, then the most restrictive policy applies.
  • If two configuration profiles are in conflict, then the setting isn't applied.

For more information, go to Common questions, issues, and resolutions with device policies and profiles .

In these next steps, you create security groups, and add users to these groups. You can add a user to multiple groups. For example, it's normal for a user to have multiple devices, such as a Surface Pro for work, and an Android mobile device for personal. And, it's normal for a person to access organizational resources from these multiple devices.

In the Intune admin center, select Groups > New group .

Enter the following settings:

Group type : Select Security .

  • Group name : Enter All Windows 10 student devices .
  • Membership type : Select Assigned .

Select Members , and add some devices.

Adding devices is optional. The goal is to practice creating groups, and knowing how to add devices. If you're using this walkthrough in a production environment, then be aware of what you're doing.

Select > Create to save your changes.

Don't see your group? Select Refresh .

Select New group , and enter the following settings:

Group name : Enter All Windows devices .

Membership type : Select Dynamic Device .

Dynamic device members : Select Add dynamic query , and configure your query:

  • Property : Select deviceOSType .

Operator : Select Equals .

  • Value : Enter Windows .

Select Add expression . Your expression is shown in the Rule syntax :

Screenshot that shows how to create a dynamic query, and add expressions in a Microsoft Intune administrative template.

When users or devices meet the criteria you enter, they're automatically added to the dynamic groups. In this example, devices are automatically added to this group when the operating system is Windows. If you're using this walkthrough in a production environment, then be careful. The goal is to practice creating dynamic groups.

Save > Create to save your changes.

Create the All Teachers group with the following settings:

Group name : Enter All Teachers .

Membership type : Select Dynamic User .

Dynamic user members : Select Add dynamic query , and configure your query:

Property : Select department .

Value : Enter Teachers .

Select Add expression . Your expression is shown in the Rule syntax .

When users or devices meet the criteria you enter, they're automatically added to the dynamic groups. In this example, users are automatically added to this group when their department is Teachers. You can enter the department and other properties when users are added to your organization. If you're using this walkthrough in a production environment, then be careful. The goal is to practice creating dynamic groups.

Talking points

Dynamic groups are a feature in Microsoft Entra ID P1 or P2. If you don't have Microsoft Entra ID P1 or P2, then you're licensed to only create assigned groups. For more information on dynamic groups, go to:

  • Dynamic Group Membership in Microsoft Entra ID (Part 1)
  • Dynamic Group Membership in Microsoft Entra ID (Part 2)

Microsoft Entra ID P1 or P2 includes other services that are commonly used when managing apps and devices, including multifactor authentication (MFA) and conditional access .

Many administrators ask when to use user groups and when to use device groups. For some guidance, go to User groups vs. device groups .

Remember, a user can belong to multiple groups. Consider some of the other dynamic user and device groups you can create, such as:

  • All Students
  • All Android devices
  • All iOS/iPadOS devices
  • Human Resources
  • All Charlotte employees
  • All Redmond employees
  • West coast IT administrators
  • East coast IT administrators

The users and groups created are also seen in the Microsoft 365 admin center , Microsoft Entra ID in the Azure portal, and Microsoft Intune in the Azure portal . You can create and manage groups in all these areas for your tenant subscription. If your goal is device management, then use the Microsoft Intune admin center .

Review group membership

  • In the Intune admin center, select Users > All users > select the name of any existing user.
  • Review some of the information you can add or change. For example, look at the properties you can configure, such as Job Title, Department, City, Office location, and more. You can use these properties in your dynamic queries when creating dynamic groups.
  • Select Groups to see the membership of this user. You can also remove the user from a group.
  • Select some of the other options to see more information, and what you can do. For example, look at the assigned license, the user's devices, and more.

What did I just do?

In the Intune admin center, you created new security groups, and added existing users and devices to these groups. We use these groups in later steps in this tutorial.

Create a template in Intune

In this section, we create an administrative template in Intune, look at some settings in Group Policy Management , and compare the same setting in Intune. The goal is to show a setting in group policy, and show the same setting in Intune.

In the Intune admin center, select Devices > Configuration > Create .

Enter the following properties:

  • Platform : Select Windows 10 and later .
  • Profile type : Select Administrative Templates .

Select Create .

In Basics , enter the following properties:

  • Name : Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, enter Admin template - Windows 10 student devices .
  • Description : Enter a description for the profile. This setting is optional, but recommended.

Select Next .

In Configuration settings , All settings show an alphabetical list of all the settings. You can also filter settings that apply to devices ( Computer configuration ), and settings that apply to users ( User configuration ):

Screenshot that shows how to apply ADMX template settings to users and devices in Microsoft Intune.

Expand Computer configuration > Microsoft Edge > select SmartScreen settings . Notice the path to the policy, and all the available settings:

Screenshot that shows how to see the Microsoft Edge SmartScreen policy settings in ADMX templates in Microsoft Intune.

In search, enter download . Notice the policy settings are filtered:

Screenshot that shows how to filter the Microsoft Edge SmartScreen policy settings in a Microsoft Intune ADMX template.

Open Group Policy Management

In this section, we show a policy in Intune and its matching policy in Group Policy Management Editor.

Compare a device policy

On the Admin computer , open the Group Policy Management app.

This app gets installed with RSAT: Group Policy Management Tools , which is an optional feature you add on Windows. Prerequisites (in this article) lists the steps to install it.

Expand Domains > select your domain. For example, select contoso.net .

Right-click the OfficeandEdge policy > Edit . The Group Policy Management Editor app opens.

Screenshot that shows how to right-click the on-premises Office and Microsoft Edge ADMX group policy, and select Edit.

OfficeandEdge is a group policy that includes the Office and Microsoft Edge ADMX templates. This policy is described in prerequisites (in this article).

Expand Computer configuration > Policies > Administrative Templates > Control Panel > Personalization . Notice the available settings.

Screenshot that shows how to expand Computer Configuration in on-premises Group Policy Management Editor, and go to Personalization.

Double-click Prevent enabling lock screen camera , and see the available options:

Screenshot that shows how to see the on-premises Computer configuration setting options in group policy.

In the Intune admin center, go to your Admin template - Windows 10 student devices template.

Select Computer configuration > Control Panel > Personalization . Notice the available settings:

Screenshot that shows the personalization policy setting path in Microsoft Intune.

The setting type is Device , and the path is /Control Panel/Personalization . This path is similar to what you just saw in Group Policy Management Editor. If you open the Prevent enabling lock screen camera setting, you see the same Not configured , Enabled , and Disabled options you see in Group Policy Management Editor.

Compare a user policy

In your admin template, select Computer configuration > All settings , and search for inprivate browsing . Notice the path.

Do the same for User configuration . Select All settings , and search for inprivate browsing .

In Group Policy Management Editor , find the matching user and device settings:

  • Device: Expand Computer configuration > Policies > Administrative Templates > Windows components > Internet Explorer > Privacy > Turn off InPrivate Browsing .
  • User: Expand User configuration > Policies > Administrative Templates > Windows components > Internet Explorer > Privacy > Turn off InPrivate Browsing .

Screenshot that shows how to turn off InPrivate Browsing in Internet Explorer using ADMX template.

To see the built-in Windows policies, you can also use GPEdit ( Edit group policy app).

Compare a Microsoft Edge policy

Expand Computer configuration > Microsoft Edge > Startup, homepage and new tab page . Notice the available settings.

Do the same for User configuration .

In Group Policy Management Editor, find these settings:

  • Device: Expand Computer configuration > Policies > Administrative Templates > Microsoft Edge > Startup, homepage and new tab page .
  • User: Expand User configuration > Policies > Administrative Templates > Microsoft Edge > Startup, homepage and new tab page

You created an administrative template in Intune. In this template, we looked at some ADMX settings, and looked at the same ADMX settings in Group Policy Management.

Add settings to the Students admin template

In this template, we configure some Internet Explorer settings to lock down devices shared by multiple students.

In your Admin template - Windows 10 student devices , expand Computer configuration , select All settings , and search for Turn off InPrivate Browsing :

Screenshot that shows how to turn off InPrivate Browsing device policy in an administrative template in Microsoft Intune.

Select the Turn off InPrivate Browsing setting. In this window, notice the description and values you can set. These options are similar to what you see in group policy.

Select Enabled > OK to save your changes.

Also configure the following Internet Explorer settings. Be sure to select OK to save your changes.

Allow drag and drop or copy and paste files

  • Type : Device
  • Path : \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  • Value : Disabled

Prevent ignoring certificate errors

  • Path : \Windows Components\Internet Explorer\Internet Control Panel
  • Value : Enabled

Disable changing home page settings

  • Type : User
  • Path : \Windows Components\Internet Explorer
  • Home page : Enter a URL, such as contoso.com .

Clear your search filter. Notice the settings you configured are listed at the top:

Screenshot that shows the configured ADMX settings are listed at the top in Microsoft Intune.

Assign your template

In your template, select Next until you get to Assignments . Choose Select groups to include :

Screenshot that shows how to select your administrative template profile from the Device Configuration profiles list in Microsoft Intune.

A list of existing users and groups is shown. Select the All Windows 10 student devices group you created earlier > Select .

If you're using this walkthrough in a production environment, then consider adding groups that are empty. The goal is to practice assigning your template.

Select Next . In Review + create , select Create to save your changes.

As soon as the profile is saved, it applies to the devices when they check in with Intune. If the devices are connected to the internet, it can happen immediately. For more information on policy refresh times, go to How long does it take for devices to get a policy, profile, or app .

When assigning strict or restrictive policies and profiles, don't lock yourself out. Consider creating a group that's excluded from your policies and profiles. The idea is to have access to troubleshoot. Monitor this group to confirm it's being used as intended.

In the Intune admin center, you created an administrative template device configuration profile, and assigned this profile to a group you created.

Create a OneDrive template

In this section, you create a OneDrive admin template in Intune to control some settings. These specific settings are chosen because they're commonly used by organizations.

Create another profile ( Devices > Configuration > Create ).

  • Profile type : Select Administrative templates .
  • Name : Enter Admin template - OneDrive policies that apply to all Windows 10 users .

In Configuration settings , configure the following settings. Be sure to select OK to save your changes:

Computer configuration :

User configuration :

Your settings look similar to the following settings:

Screenshot that shows how to create a OneDrive administrative template in Microsoft Intune.

For more information on OneDrive client settings, go to Use Group Policy to control OneDrive sync client settings .

A list of existing users and groups is shown. Select the All Windows devices group you created earlier > Select .

At this point, you created some administrative templates, and assigned them to groups you created. The next step is to create an administrative template using Windows PowerShell and the Microsoft Graph API for Intune.

Optional: Create a policy using PowerShell and Graph API

This section uses the following resources. We install these resources in this section.

  • Intune PowerShell SDK
  • Microsoft Graph API for Intune

On the Admin computer , open Windows PowerShell as administrator:

  • In your search bar, enter powershell .
  • Right-click Windows PowerShell > Run as administrator .

Screenshot that shows how to run Windows PowerShell as an administrator.

Get and set the execution policy.

Enter: get-ExecutionPolicy

Write down what the policy is set to, which might be Restricted . When finished with the walkthrough, set it back to its original value.

Enter: Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Enter Y to change it.

PowerShell's execution policy helps prevent executing malicious scripts. For more information, go to About Execution Policies .

Enter: Install-Module -Name Microsoft.Graph.Intune

Enter Y if:

  • Asked to install the NuGet provider
  • Asked to install the modules from an untrusted repo

It can take several minutes to complete. When finished, a prompt similar to the following prompt is shown:

Screenshot that shows the Windows PowerShell prompt after installing a module.

In your web browser, go to https://github.com/Microsoft/Intune-PowerShell-SDK/releases , and select the Intune-PowerShell-SDK_v6.1907.00921.0001.zip file.

Select Save as , and select a folder you'll remember. c:\psscripts is a good choice.

Open your folder, right-click the .zip file > Extract all > Extract . Your folder structure looks similar to the following folder:

Screenshot that shows the Intune PowerShell SDK folder structure after being extracted.

On the View tab, check File name extensions :

Screenshot that shows how to select file name extensions on the view tab in Windows file explorer.

In your folder, and go to c:\psscripts\Intune-PowerShell-SDK_v6.1907.00921.0001\drop\outputs\build\Release\net471 . Right-click every .dll > Properties > Unblock .

Screenshot that shows how to unblock the DLLs.

In your Windows PowerShell app, enter:

Enter R if prompted to run from the untrusted publisher.

Intune administrative templates use the beta version of Graph:

Enter: Update-MSGraphEnvironment -SchemaVersion 'beta'

Enter: Connect-MSGraph -AdminConsent

When prompted, sign in with the same Microsoft 365 administrator account. These cmdlets create the policy in your tenant organization.

Select Accept .

Create the Test Configuration configuration profile. Enter:

When these cmdlets succeed, the profile is created. To confirm, go to the Intune admin center > Devices > Configuration . Your Test Configuration profile should be listed.

Get all the SettingDefinitions. Enter:

Find the definition ID using the setting display name. Enter:

Configure a setting. Enter:

See your policy

  • In the Intune admin center > Devices > Configuration > Refresh .
  • Select your Test Configuration profile > Settings .
  • In the drop-down list, select All products .

You see the Silently sign in users to the OneDrive sync client with their Windows credentials setting is configured.

Policy best practices

When you create policies and profiles in Intune, there are some recommendations and best practices to consider. For more information, go to policy and profile best practices .

Clean up resources

When no longer needed, you can:

Delete the groups you created:

  • All Windows 10 student devices
  • All Windows devices
  • All Teachers

Delete the admin templates you created:

  • Admin template - Windows 10 student devices
  • Admin template - OneDrive policies that apply to all Windows 10 users
  • Test Configuration

Set the Windows PowerShell execution policy back to its original value. The following example sets the execution policy to Restricted:

In this tutorial, you got more familiar with the Microsoft Intune admin center , used the query builder to create dynamic groups, and created administrative templates in Intune to configure ADMX settings . You also compared using ADMX templates on-premises and in the cloud with Intune. As a bonus, you used PowerShell cmdlets to create an administrative template.

For more information on administrative templates in Intune, go to:

Use Windows 10/11 templates to configure group policy settings in Intune

Was this page helpful?

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback .

Submit and view feedback for

Additional resources

IMAGES

  1. User Rights Assignment Policy

    user rights assignment admx

  2. Change User Rights Assignment Security Policy Settings in Windows 10

    user rights assignment admx

  3. Intune: Third-Party ADMX & OMA-URI

    user rights assignment admx

  4. User Rights Assignment

    user rights assignment admx

  5. Déployer une stratégie Microsoft Edge à l’aide d’un modèle ADMX dans

    user rights assignment admx

  6. Change the user rights assignment using administrative tools.avi

    user rights assignment admx

VIDEO

  1. User Rights for Visix DSC at UNC Pembroke

  2. How to manage Supplier access and Advance User rights

  3. Sumter County Florida got this poor man scared while I armed him with the 4th. #shorts #police

  4. CIS27 Lab 11: Computer Forensic and User Rights Assignment

  5. Windows 10 Training

  6. Human Rights Assignment Video video1353343938 1

COMMENTS

  1. Change User Rights Assignment Security Policy Settings in Windows 10

    1 Press the Win + R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2 Expand open Local Policies in the left pane of Local Security Policy, and click/tap on User Rights Assignment. (see screenshot below step 3) 3 In the right pane of User Rights Assignment, double click/tap on the policy (ex: "Shut down the system") you want to add users and/or ...

  2. User Rights Assignment

    User rights are managed in Group Policy under the User Rights Assignment item. Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy ...

  3. UserRights Policy CSP

    User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as Security Identifiers (SID) or strings. For more information, see Well-known SID structures.

  4. ADMX_UserProfiles Policy CSP

    This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine. If you disable or don't configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy ...

  5. UserRights Policy Deployment Using Intune

    Administrative templates - Intune UserRights - UserRights Policy 1. I have two options to deploy UserRights settings: Group Policy if the device is domain joined or Hybrid Azure AD Joined. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Custom Windows 10 policy CSP using Intune for Azure AD ...

  6. Configure security policy processing

    This policy setting determines when security policies are updated. This policy setting affects all policies that use the security component of Group Policy, such as those in Windows Settings\Security Settings. This policy setting overrides customized settings that the program implementing the security policy set when it was installed.

  7. What are the defaults for the "user rights assignment" in an AD

    If you're asking for User Rights Assignment on a single computer, look for Local Security Policy. If you're asking for User Rights Assignment as a group policy, well, it shows up just fine in my console. Are you using RSAT (Remote Server Administration Tools)? I'm using the RSAT available for Windows 10.

  8. Deny and allow workstation logons with Group Policy

    The "Deny log on locally" specifies the users or groups that are not allowed to log into the local computer. This policy can be found in Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment > Deny log on locally. Deny log on locally Properties. In my example, I've created a special group just for ...

  9. Restricting the local log on to specific users

    Click Add settings and perform the following in Settings picker. Select User Rights as category. Select Allow Local Log On as setting. Specify the required users and local groups - all on separate lines - and click Next. Figure 2: Overview of the configuration of the required setting. On the Scope tags page, configure the required scope ...

  10. Windows Server 2016/2019 Group Policy security settings

    Both settings, when enabled, could lead to storage of sensitive data in users' OneDrive, Microsoft, or third-party servers. MS Security Guide. This section is not included in Group Policy by default; you have to download it from the Microsoft website. After downloading it, you can find the SecGuide.admx and SecGuide.adml files in the Templates ...

  11. Configuring User Rights Policies in Intune via Custom Profile

    To workaround the issue until the bug is fixed, skip using the CDATA syntax for now. So instead of using this documented syntax to grant Administrators and Users permissions to for example the Allow local LogOn user right: <![CDATA[*S-1-5-32-544 *S-1-5-32-545]]> Use this syntax instead: *S-1-5-32-544 *S-1-5-32-545 Using a simpler syntax

  12. Use ADMX templates on Windows 10/11 devices in Microsoft Intune

    This assignment happens if the ADMX setting is a computer configuration (HKEY_LOCAL_MACHINE), or a user configuration (HKEY_CURRENT_USER). With some settings, a computer setting assigned to a user can also affect the experience of other users on that device. For more information, see User groups vs. device groups when assigning policies. Select ...

  13. Policy CSP

    User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as Security Identifiers (SID) or strings. For more information, see Well-known SID structures. \n

  14. The Access this computer from the network user right must only be

    Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Access this computer from the network" right, this is a finding. - Administrators - Authenticated Users - Enterprise Domain Controllers

  15. microsoft/Intune-ACSC-Windows-Hardening-Guidelines

    ACSC Windows Hardening Guidelines-User Rights Assignment. This Custom configuration profile configures specific User Rights Assignments to be blank, as recommended by the ACSC. UserApplicationHardening-RemoveFeatures. This PowerShell script removes PowerShell v2.0, .NET Framework 3.5 (and below) and Internet Explorer 11 (if on Windows 10).

  16. Configuring User Rights via OMA-URI in Microsoft Intune

    Go to endpoint.microsoft.com and navigate to Devices -> Windows -> Configuration profiles -> Create profile -> Platform - Windows 10 and later, Profile type - Templates and select Custom. Fill out Name, Description, and OMA-URI for the User Rights you wish to configure.

  17. The Restore files and directories user right must only be assigned to

    Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Restore files and directories" user right, this is a finding: Administrators. Fix Text (F-69867r1_fix)

  18. User Rights Assignment

    Logon rights control who is authorized to log on to a computer and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item. Each user right has a constant ...

  19. Understanding ADMX policies

    For more information about the Group Policy description format, see Administrative Template File (ADMX) format.Elements can be Text, MultiText, Boolean, Enum, Decimal, or List (for more information, see policy elements).. For example, if you search for the string, "Publishing_Server2_Name_Prompt" in both the Enabling a policy example and its corresponding ADMX policy definition in the appv ...

  20. Group Policy Administrative Templates

    Microsoft. DirectAccess Connectivity Assistant Disable SMB Compression Network Drive Mappings Microsoft Edge for Business Edge Chromium Blocker Toolkit Enhanced Mitigation Experience Toolkit Forefront Endpoint Protection 2010 Forefront Identity Manager 2010 R2 Group Policy Preference Client Side Extensions Azure Hybrid Connection Manager Hide ...

  21. Walkthrough

    Expand Computer configuration > Policies > Administrative Templates > Control Panel > Personalization. Notice the available settings. Double-click Prevent enabling lock screen camera, and see the available options: In the Intune admin center, go to your Admin template - Windows 10 student devices template.