-->
-->
![Procedure Procedure](/uploads/1/2/6/0/126087100/943304972.png)
![Procedures Procedures](/uploads/1/2/6/0/126087100/181381888.jpg)
- Microsoft Policies And Procedures Template
- Microsoft Policies And Procedures List
- Microsoft Policy And Procedure Templates
- Microsoft Policies And Procedures Form
In order to document your policies and procedures it is helpful to have a standard format that you follow. Vlc media player installation. This can simply be a Word document or database application that you develop. Whatever the approach, you should establish a standard template for documentation. Here is a simple format that can be used to document your policy and procedures.
This section describes the Policies settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. Each setting below links to its supported values, as documented in the Policy configuration service provider (CSP).
AboveLock
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowActionCenterNotifications | Allow Action Center notifications above the device lock screen. | X | ||||
AllowToasts | Allow toast notifications above the device lock screen. | X | X |
Accounts
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowAddingNonMicrosoftAccountManually | Whether users can add non-Microsoft email accounts | X | X | |||
AllowMicrosoftAccountConnection | Whether users can use a Microsoft account for non-email-related connection authentication and services | X | X | X | ||
AllowMicrosoftAccountSigninAssistant | Disable the Microsoft Account Sign-In Assistant (wlidsvc) NT service | X | X | |||
DomainNamesForEmailSync | List of domains that are allowed to sync email on the devices | X | X |
ApplicationDefaults
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
DefaultAssociationsConfiguration | Set default file type and protocol associations | X |
ApplicationManagement
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowAllTrustedApps | Whether non-Microsoft Store apps are allowed | X | X | X | ||
AllowAppStoreAutoUpdate | Whether automatic update of apps from Microsoft Store is allowed | X | X | X | ||
AllowDeveloperUnlock | Whether developer unlock of device is allowed | X | X | X | X | X |
AllowGameDVR | Whether DVR and broadcasting is allowed | X | ||||
AllowSharedUserAppData | Whether multiple users of the same app can share data | X | X | |||
AllowStore | Whether app store is allowed at device | X | ||||
ApplicationRestrictions | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. | x | ||||
LaunchAppAfterLogOn | Whether to launch an app or apps when the user signs in. | X | ||||
RestrictAppDataToSystemVolume | Whether app data is restricted to the system drive | X | X | X | ||
RestrictAppToSystemVolume | Whether the installation of apps is restricted to the system drive | X | X | X |
Authentication
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowFastReconnect | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | X | X | X | X | X |
EnableFastFirstSignin | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. | X | X | X | X | |
EnableWebSignin | Enables Windows logon support for non-ADFS federated providers (e.g. SAML). | X | X | X | X | |
PreferredAadTenantDomainName | Specifies the preferred domain among available domains in the Azure AD tenant. | X | X | X | X |
BitLocker
Microsoft Policies And Procedures Template
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
EncryptionMethod | Specify BitLocker drive encryption method and cipher strength | X | X |
Bluetooth
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowAdvertising | Whether the device can send out Bluetooth advertisements | X | X | X | X | X |
AllowDiscoverableMode | Whether other Bluetooth-enabled devices can discover the device | X | X | X | X | X |
AllowPrepairing | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | X | X |
AllowPromptedProximalConnections | Whether Windows will prompt users when Bluetooth devices that are connectable are in range of the user's device | X | X | X | X | X |
LocalDeviceName | Set the local Bluetooth device name | X | X | X | X | X |
ServicesAllowedList | Set a list of allowable services and profiles | X | X | X | X | X |
Browser
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowAddressBarDropdown | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | X | ||||
AllowAutofill | Specify whether autofill on websites is allowed. | X | X | X | X | |
AllowBrowser | Specify whether the browser is allowed on the device (for Windows 10, version 1803 and earlier only). | X | X | |||
AllowConfigurationUpdateForBooksLibrary | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | X | X | |||
AllowCookies | Specify whether cookies are allowed. | X | X | X | X | |
AllowDeveloperTools | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | X | ||||
AllowDoNotTrack | Specify whether Do Not Track headers are allowed. | X | X | X | X | |
AllowExtensions | Specify whether Microsoft Edge extensions are allowed. | X | ||||
AllowFlash | Specify whether Adobe Flash can run in Microsoft Edge. | X | ||||
AllowFlashClickToRun | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | X | ||||
AllowFullScreenMode | Specify whether full-screen mode is allowed. | X | X | X | X | |
AllowInPrivate | Specify whether InPrivate browsing is allowed on corporate networks. | X | X | X | X | |
AllowMicrosoftCompatibilityList | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | X | X | X | X | |
AllowPasswordManager | Specify whether saving and managing passwords locally on the device is allowed. | X | X | X | X | |
AllowPopups | Specify whether pop-up blocker is allowed or enabled. | X | X | |||
AllowPrelaunch | Specify whether Microsoft Edge can pre-launch as a background process during Windows startup when the system is idle waiting to be launched by the user. | X | ||||
AllowPrinting | Specify whether users can print web content in Microsoft Edge. | X | X | X | X | |
AllowSavingHistory | Specify whether Microsoft Edge saves the browsing history. | X | ||||
AllowSearchEngineCustomization | Allow search engine customization for MDM-enrolled devices. | X | X | X | X | |
AllowSearchSuggestionsinAddressBar | Specify whether search suggestions are allowed in the address bar. | X | X | X | X | |
AllowSideloadingOfExtensions | Specify whether extensions can be sideloaded in Microsoft Edge. | X | ||||
AllowSmartScreen | Specify whether Windows Defender SmartScreen is allowed. | X | X | X | X | X |
AllowTabPreloading | Specify whether preloading the Start and New tab pages during Windows sign-in is allowed. | X | ||||
AllowWebContentOnNewTabPage | Specify whether a New tab page opens with the default content or a blank page. | X | X | X | X | |
AlwaysEnableBooksLibrary | Always show the Books Library in Microsoft Edge. | X | X | |||
ClearBrowsingDataOnExit | Specify whether to clear browsing data when exiting Microsoft Edge. | X | ||||
ConfigureAdditionalSearchEngines | Allows you to add up to 5 additional search engines for MDM-enrolled devices. | X | X | X | X | |
ConfigureFavoritesBar | Specify whether the Favorites bar is shown or hidden on all pages. | X | ||||
ConfigureHomeButton | Configure whether the Home button will be shown, and what should happen when it is selected. You should also configure the SetHomeButtonURL setting. To configure this setting and also allow users to make changes to the Home button, see the UnlockHomeButton setting. | X | ||||
ConfigureKioskMode | Configure how Microsoft Edge operates when it's running in kiosk mode, either as a single-app kiosk or as one of multiple apps running on the kiosk device. | X | ||||
ConfigureKioskResetAfterIdleTimeout | Specify the time, in minutes, after which Microsoft Edge running in kiosk mode resets to the default kiosk configuration. | X | ||||
ConfigureOpenMicrosoftEdgeWith | Specify which pages should load when Microsoft Edge opens. You should also configure the ConfigureStartPages setting and DisableLockdownOfStartPages setting. | X | ||||
ConfigureTelemetryForMicrosoft365Analytics | Specify whether to send Microsoft Edge browsing history data to Microsoft 365 Analytics. | X | ||||
DisableLockdownOfStartPages | Specify whether the lockdown on the Start pages is disabled. | X | ||||
EnableExtendedBooksTelemetry | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | X | X | |||
EnterpriseModeSiteList | Allow the user to specify a URL of an enterprise site list. | X | ||||
EnterpriseSiteListServiceUrl | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by Browser/EnterpriseModeSiteList. | X | ||||
FirstRunURL | Specify the URL that Microsoft Edge will use when it is opened for the first time. | X | X | |||
HomePages | Specify your Start pages for MDM-enrolled devices. | X | ||||
LockdownFavorites | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | X | X | |||
PreventAccessToAboutFlagsInMicrosoftEdge | Specify whether users can access the about:flags page, which is used to change developer settings and to enable experimental features. | X | X | X | X | |
PreventCertErrorOverrides | Specify whether to override security warnings about sites that have SSL errors. | X | X | X | X | |
PreventFirstRunPage | Specify whether to enable or disable the First Run webpage. | X | ||||
PreventLiveTileDataCollection | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | X | X | X | X | |
PreventSmartScreenPromptOverride | Specify whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. | X | X | X | X | |
PreventSmartScreenPromptOverrideForFiles | Specify whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. | X | X | X | X | |
PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | X | ||||
PreventTurningOffRequiredExtensions | Enter a list of extensions in Microsoft Edge that users cannot turn off, using a semi-colon delimited list of extension package family names. | X | ||||
PreventUsingLocalHostIPAddressForWebRTC | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | X | X | X | X | |
ProvisionFavorites | Configure a default set of favorites which will appear for employees. | X | X | |||
SendIntranetTraffictoInternetExplorer | Specify whether to send intranet traffic to Internet Explorer. | X | ||||
SetDefaultSearchEngine | Configure the default search engine for your employees. | X | X | X | X | |
SetHomeButtonURL | Specify a custom URL for the Home button. You should also enable the ConfigureHomeButton setting and select the Show the home button; clicking the home button loads a specific URL option. | X | ||||
SetNewTabPageURL | Specify a custom URL for a New tab page. | X | ||||
ShowMessageWhenOpeningSitesInInternetExplorer | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | X | ||||
SyncFavoritesBetweenIEAndMicrosoftEdge | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | X | ||||
UnlockHomeButton | Specify whether users can make changes to the Home button. | X | ||||
UseSharedFolderForBooks | Specify whether organizations should use a folder shared across users to store books from the Books Library. | X | X |
Camera
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowCamera | Disable or enable the camera. | X | X | X |
Connectivity
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowBluetooth | Allow the user to enable Bluetooth or restrict access. | X | X | X | X | X |
AllowCellularData | Allow the cellular data channel on the device. | X | X | X | X | |
AllowCellularDataRoaming | Allow or disallow cellular data roaming on the device. | X | X | X | X | |
AllowConnectedDevices | Allows IT admins the ability to disable the Connected Devices Platform component. | X | X | X | X | |
AllowNFC | Allow or disallow near field communication (NFC) on the device. | X | X | |||
AllowUSBConnection | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | X | X | |||
AllowVPNOverCellular | Specify what type of underlyinng connections VPN is allowed to use. | X | X | X | X | |
AllowVPNRoamingOverCellular | Prevent the device from connecting to VPN when the device roams over cellular networks. | X | X | X | X | |
HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | X | X | X | X | |
HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | X | X | X | X |
CredentialProviders
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
DisableAutomaticReDeploymentCredentials | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | X |
Cryptography
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowFipsAlgorithmPolicy | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | X | X | |||
TLSCiperSuites | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | X | X |
Defender
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowArchiveScanning | Allow or disallow scanning of archives. | X | ||||
AllowBehaviorMonitoring | Allow or disallow Windows Defender Behavior Monitoring functionality. | X | ||||
AllowCloudProtection | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | X | ||||
AllowEmailScanning | Allow or disallow scanning of email. | X | ||||
AllowFullScanOnMappedNetworkDrives | Allow or disallow a full scan of mapped network drives. | X | ||||
AllowFullScanRemovableDriveScanning | Allow or disallow a full scan of removable drives. | X | ||||
AllowIntrusionPreventionSystem | Allow or disallow Windows Defender Intrusion Prevention functionality. | X | ||||
AllowIOAVProtection | Allow or disallow Windows Defender IOAVP Protection functionality. | X | ||||
AllowOnAccessProtection | Allow or disallow Windows Defender On Access Protection functionality. | X | ||||
AllowRealtimeMonitoring | Allow or disallow Windows Defender Realtime Monitoring functionality. | X | ||||
AllowScanningNetworkFiles | Allow or disallow scanning of network files. | X | ||||
AllowScriptScanning | Allow or disallow Windows Defender Script Scanning functionality. | X | ||||
AllowUserUIAccess | Allow or disallow user access to the Windows Defender UI. | X | ||||
AvgCPULoadFactor | Represents the average CPU load factor for the Windows Defeder scan (in percent). | X | ||||
DaysToRetainCleanedMalware | Specify time period (in days) that quarantine items will be stored on the system. | X | ||||
ExcludedExtensions | Specify a list of file type extensions to ignore durinng a scan. Separate each file type in the list by using |. | X | ||||
ExcludedPaths | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using |. | X | ||||
ExcludedProcesses | Specify a list of files opened by processes to ignore durinng a scan. Separate each file type in the list by using |. The process itself is not excluded from the scan, but can be excluded by using the Defender/ExcludedPaths policy to exclude its path. | X | ||||
RealTimeScanDirection | Control which sets of files should be monitored. | X | ||||
ScanParameter | Select whether to perform a quick scan or full scan. | X | ||||
ScheduleQuickScanTime | Specify the time of day that Windows Defender quick scan should run. | X | ||||
ScheduleScanDay | Select the day that Windows Defender scan should run. | X | ||||
ScheduleScanTime | Select the time of day that the Windows Defender scan should run. | X | ||||
SignatureUpdateInterval | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | X | ||||
SubmitSamplesConsent | Checks for the user consent level in Windows Defender to send data. | X | ||||
ThreatSeverityDefaultAction | Specify any valid threat severity levels and the corresponding default action ID to take. | X |
DeliveryOptimization
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
DOAbsoluteMaxCacheSize | Specify the maximum size in GB of Delivery Optimization cache. | X | ||||
DOAllowVPNPeerCaching | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | X | ||||
DODelayBackgroundDownloadFromHttp | Allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. | X | ||||
DODelayForegroundDownloadFromHttp | Allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. | X | ||||
DODownloadMode | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. | X | ||||
DOGroupId | Specify an arbitrary group ID that the device belongs to. | X | ||||
DOGroupIdSource | Set this policy to restrict peer selection to a specific source | X | ||||
DOMaxCacheAge | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | X | ||||
DOMaxCacheSize | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | X | ||||
DOMaxDownloadBandwidth | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | X | ||||
DOMaxUploadBandwidth | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity usinng Delivery Optimization. | X | ||||
DOMinBackgroundQos | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. | X | ||||
DOMinBatteryPercentageAllowedToUpload | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | X | ||||
DOMinDiskSizeAllowedToPeer | Specify the required minimum disk size (capabity in GB) for the device to use Peer Caching. | X | ||||
DOMinFileSizeToCache | Specify the minimum content file size in MB enabled to use Peer Caching. | X | ||||
DOMinRAMAllowedToPeer | Specify the minimum RAM size in GB requried to use Peer Caching. | X | ||||
DOModifyCacheDrive | Specify the drive that Delivery Optimization should use for its cache. | X | ||||
DOMonthlyUploadDataCap | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | X | ||||
DOPercentageMaxBackDownloadBandwidth | Specify the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | ||||
DOPercentageMaxDownloadBandwidth | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | ||||
DOPercentageMaxForeDownloadBandwidth | Specify the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | ||||
DORestrictPeerSelectionBy | Set this policy to restrict peer selection by the selected option. | X | ||||
DOSetHoursToLimitBackgroundDownloadBandwidth | Specify the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | X | ||||
DOSetHoursToLimitForegroundDownloadBandwidth | Specify the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | X |
DeviceGuard
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
EnableVirtualizationBasedSecurity | Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. | X |
DeviceLock
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowIdleReturnWithoutPassword | Specify whether the user must input a PIN or password when the device resumes from an idle state. | X | ||||
AllowScreenTimeoutWhileLockedUserConfig | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | X | ||||
AllowSimpleDevicePassword | Specify whether PINs or passwords such as '1111' or '1234' are allowed. For the desktop, it also controls the use of picture passwords. | X | X | X | ||
AlphanumericDevicePasswordRequired | Select the type of PIN or password required. | X | X | X | ||
DevicePasswordEnabled | Specify whether device password is enabled. | X | X | X | ||
DevicePasswordExpiration | Specify when the password expires (in days). | X | X | X | ||
DevicePasswordHistory | Specify how many passwords can be stored in the history that can't be reused. | X | X | X | ||
MaxDevicePasswordFailedAttempts | Specify the number of authentication failures allowed before the device will be wiped. | X | X | X | ||
MaxInactivityTimeDeviceLock | Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | X | X | X | ||
MinDevicePasswordComplexCharacters | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | X | X | X | ||
MinDevicePasswordLength | Specify the minimum number or characters required in the PIN or password. | X | X | X | ||
ScreenTimeoutWhileLocked | Specify the duration in seconds for the screen timeout while on the lock screen. | X |
DeviceManagement
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
DisableMDMEnrollment | Use this setting to prevent the device from enrolling in MDM. | X |
Experience
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowCopyPaste | Specify whether copy and paste is allowed. | X | ||||
AllowCortana | Specify whether Cortana is allowed on the device. | X | X | X | ||
AllowDeviceDiscovery | Allow users to turn device discovery on or off in the UI. | X | X | |||
AllowFindMyDevice | Turn on Find my device feature. | X | X | |||
AllowManualMDMUnenrollment | Specify whether the user is allowed to delete the workplace account. | X | X | X | ||
AllowScreenCapture | Specify whether screen capture is allowed. | X | ||||
AllowSIMErrorDialogPromptWhenNoSIM | Specify whether to display a dialog prompt when no SIM card is detected. | X | ||||
AllowSyncMySettings | Allow or disallow all Windows sync settings on the device. | X | X | |||
AllowTailoredExperiencesWithDiagnosticData | Prevent Windows from using diagnostic data to provide customized experiences to the user. | X | ||||
AllowTaskSwitcher | Allow or disallow task switching on the device. | X | ||||
AllowThirdPartySuggestionsInWindowsSpotlight | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | X | ||||
AllowVoiceRecording | Specify whether voice recording is allowed for apps. | X | ||||
AllowWindowsConsumerFeatures | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | X | ||||
AllowWindowsSpotlight | Specify whether to turn off all Windows Spotlight features at once. | X | ||||
AllowWindowsSpotlightOnActionCenter | Prevent Windows Spotlight notifications from being displayed in the Action Center. | X | ||||
AllowWindowsSpotlightWindowsWelcomeExperience | Turn off the Windows Spotlight Windows welcome experience feature. | X | ||||
AllowWindowsTips | Enable or disable Windows Tips. | X | ||||
ConfigureWindowsSpotlightOnLockScreen | Specify whether Spotlight should be used on the user's lock screen. | X |
ExploitGuard
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
ExploitProtectionSettings | See the explanation of ExploitProtectionSettings in the Policy CSP for instructions. In the ExploitProtectionSettings field, you can enter a path (local, UNC, or URI) to the mitigation options config, or you can enter the XML for the config. | X | X |
Games
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowAdvancedGamingServices | Currently not supported. | X |
KioskBrowser
These settings apply to the Kiosk Browser app available in Microsoft Store. For more information, see Guidelines for web browsers.
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
BlockedUrlExceptions | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | X | ||||
BlockedUrls | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | X | ||||
DefaultURL | Configures the default URL kiosk browsers to navigate on launch and restart. | X | ||||
EnableEndSessionButton | Enable/disable kiosk browser's end session button. | X | ||||
EnableHomeButton | Enable/disable kiosk browser's home button. | X | ||||
EnableNavigationButtons | Enable/disable kiosk browser's navigation buttons (forward/back). | X | ||||
RestartOnIdleTime | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. | X |
To configure multiple URLs for Blocked URL Exceptions or Blocked URLs in Windows Configuration Designer:
- Create the provisioning package. When ready to export, close the project in Windows Configuration Designer.
- Open the customizations.xml file in the project folder (e.g C:UsersnameDocumentsWindows Imaging and Configuration Designer (WICD)Project_18).
- Insert the null character string in between each URL (e.g www.bing.comwww.contoso.com).
- Save the XML file.
- Open the project again in Windows Configuration Designer.
- Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed.
LocalPoliciesSecurityOptions
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
InteractiveLogon_DoNotDisplayLastSignedIn | Specify whether the Windows sign-in screen will show the username of the last person who signed in. | X | ||||
Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn | Specify whether a computer can be shut down without signing in. | X | ||||
UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers | Configure how an elevation prompt should behave for standard users. | X |
Location
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
EnableLocation | Do not use. |
Power
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowStandbyStatesWhenSleepingOnBattery | Specify whether Windows can use standby states when putting the computer in a sleep state while on battery. | X | ||||
AllowStandbyWhenSleepingPluggedIn | Specify whether Windows can use standby states when putting the computer in a sleep state while plugged in. | X | ||||
DisplayOffTimeoutOnBattery | Specify the period of inactivity before Windows turns off the display while on battery. | X | ||||
DisplayOffTimeoutPluggedIn | Specify the period of inactivity before Windows turns off the display while plugged in. | X | ||||
EnergySaverBatteryThresholdOnBattery | Specify the battery charge level at which Energy Saver is turned on while on battery. | X | ||||
EnergySaverBatteryThresholdPluggedIn | Specify the battery charge level at which Energy Saver is turned on while plugged in. | X | ||||
HibernateTimeoutOnBattery | Specify the period of inactivity before Windows transitions the system to hibernate while on battery. | X | ||||
HibernateTimeoutPluggedIn | Specify the period of inactivity before Windows transitions the system to hibernate while plugged in. | X | ||||
RequirePasswordWhenComputerWakesOnBattery | Specify whether the user is prompted for a password when the system resumes from sleep while on battery. | X | ||||
RequirePasswordWhenComputerWakesPluggedIn | Specify whether the user is prompted for a password when the system resumes from sleep while plugged in. | X | ||||
SelectLidCloseActionBattery | Select the action to be taken when a user closes the lid on a mobile device while on battery. | X | ||||
SelectLidCloseActionPluggedIn | Select the action to be taken when a user closes the lid on a mobile device while on plugged in. | X | ||||
SelectPowerButtonActionOnBattery | Select the action to be taken when the user presses the power button while on battery. | X | ||||
SelectPowerButtonActionPluggedIn | Select the action to be taken when the user presses the power button while on plugged in. | X | ||||
SelectSleepButtonActionOnBattery | Select the action to be taken when the user presses the sleep button while on battery. | X | ||||
SelectSleepButtonActionPluggedIn | Select the action to be taken when the user presses the sleep button while plugged in. | X | ||||
StandbyTimeoutOnBattery | Specify the period of inactivity before Windows transitions the system to sleep while on battery. | X | ||||
StandbyTimeoutPluggedIn | Specify the period of inactivity before Windows transitions the system to sleep while plugged in. | X | ||||
TurnOffHybridSleepOnBattery | Turn off hybrid sleep while on battery. | X | ||||
TurnOffHybridSleepPluggedIn | Turn off hybrid sleep while plugged in. | X | ||||
UnattendedSleepTimeoutOnBattery | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while on battery. | X | ||||
UnattendedSleepTimeoutPluggedIn | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while plugged in. | X |
Privacy
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowAutoAcceptPairingAndPrivacyConsentPrompts | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | X | ||||
AllowInputPersonalization | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | X | X | X |
Search
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowCloudSearch | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T | X | X | |||
AllowCortanaInAAD | This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. | X | ||||
AllowIndexingEncryptedStoresOrItems | Allow or disallow the indexing of items. | X | X | |||
AllowSearchToUseLocation | Specify whether search can use location information. | X | X | X | ||
AllowUsingDiacritics | Allow the use of diacritics. | X | X | |||
AllowWindowsIndexer | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files. - Off setting disables Windows indexer - EnterpriseSecure setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP) - Enterprise setting reduces potential network loads for enterprises - Standard setting is appropriate for consuemrs | X | X | |||
AlwaysUseAutoLangDetection | Specify whether to always use automatic language detection when indexing content and properties. | X | X | |||
DoNotUseWebResults | Specify whether to allow Search to perform queries on the web. | X | X | |||
DisableBackoff | If enabled, the search indexer backoff feature will be disabled. | X | X | |||
DisableRemovableDriveIndexing | Configure whether locations on removable drives can be added to libraries. | X | X | |||
PreventIndexingLowDiskSpaceMB | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | X | X | |||
PreventRemoteQueries | If enabled, clients will be unable to query this device's index remotely. | X | X | |||
SafeSearchPermissions | Specify the level of safe search (filtering adult content) required. | X |
Security
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowAddProvisioningPackage | Specify whether to allow installation of provisioning packages. | X | X | X | X | |
AllowManualRootCertificateInstallation | Specify whether the user is allowed to manually install root and intermediate CA certificates. | X | ||||
AllowRemoveProvisioningPackage | Specify whether removal of provisioning packages is allowed. | X | X | X | X | |
AntiTheftMode | Allow or disallow Anti Theft Mode on the device. | X | ||||
RequireDeviceEncryption | Specify whether encryption is required. | X | X | X | X | X |
RequireProvisioningPackageSignature | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. | X | X | X | X | |
RequireRetrieveHealthCertificateOnBoot | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | X | X |
Settings
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowAutoPlay | Allow the user to change AutoPlay settings. | X | ||||
AllowDataSense | Allow the user to change Data Sense settings. | X | ||||
AllowVPN | Allow the user to change VPN settings. | X | X | |||
ConfigureTaskbarCalendar | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | X | ||||
PageVisiblityList | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already published URIs, which is the URI minus the 'ms-settings:' prefix. For example, if the URI for a settings page is 'ms-settings:foo', the page identifier used in the policy will be just 'foo'. Multiple page identifiers are separated by semicolons. | X |
Start
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowPinnedFolderDocuments | Control the visibility of the Documents shortcut on the Start menu. | X | ||||
AllowPinnedFolderDownloads | Control the visibility of the Downloadds shortcut on the Start menu. | X | ||||
AllowPinnedFolderFileExplorer | Control the visibility of the File Explorer shortcut on the Start menu. | X | ||||
AllowPinnedFolderHomeGroup | Control the visibility of the Home Group shortcut on the Start menu. | X | ||||
AllowPinnedFolderMusic | Control the visibility of the Music shortcut on the Start menu. | X | ||||
AllowPinnedFolderNetwork | Control the visibility of the Network shortcut on the Start menu. | X | ||||
AllowPinnedFolderPersonalFolder | Control the visibility of the Personal Folder shortcut on the Start menu. | X | ||||
AllowPinnedFolderPictures | Control the visibility of the Pictures shortcut on the Start menu. | X | ||||
AllowPinnedFolderSettings | Control the visibility of the Settings shortcut on the Start menu. | X | ||||
AllowPinnedFolderVideos | Control the visibility of the Videos shortcut on the Start menu. | X | ||||
DisableContextMenus | Prevent context menus from being invoked in the Start menu. | X | ||||
ForceStartSize | Force the size of the Start screen. | X | ||||
HideAppList | Collapse or remove the all apps list. | X | ||||
HideChangeAccountSettings | Hide Change account settings from appearing in the user tile. | X | ||||
HideFrequentlyUsedApps | Hide Most used section of Start. | X | ||||
HideHibernate | Prevent Hibernate option from appearing in the Power button. | X | ||||
HideLock | Prevent Lock from appearing in the user tile. | X | ||||
HidePeopleBar | Remove the people icon from the taskbar, as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | X | ||||
HidePowerButton | Hide the Power button. | X | ||||
HideRecentJumplists | Hide jumplists of recently opened items. | X | ||||
HideRecentlyAddedApps | Hide Recently added section of Start. | X | ||||
HideRestart | Prevent Restart and Update and restart from appearing in the Power button. | X | ||||
HideShutDown | Prevent Shut down and Update and shut down from appearing in the Power button. | X | ||||
HideSignOut | Prevent Sign out from appearing in the user tile. | X | ||||
HideSleep | Prevent Sleep from appearing in the Power button. | X | ||||
HideSwitchAccount | Prevent Switch account from appearing in the user tile. | X | ||||
HideUserTile | Hide the user tile. | X | ||||
ImportEdgeAssets | Import Edge assets for secondary tiles. For more information, see Add image for secondary Microsoft Edge tiles. | X | ||||
NoPinningToTaskbar | Prevent users from pinning and unpinning apps on the taskbar. | X | ||||
StartLayout | Apply a custom Start layout. For more information, see Customize Windows 10 Start and taskbar with provisioning packages | X |
System
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowBuildPreview | Specify whether users can access the Insider build controls in the Advanced Options for Windows Update. | X | X | |||
AllowEmbeddedMode | Specify whether to set general purpose device to be in embedded mode. | X | X | X | X | |
AllowExperimentation | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | X | X | |||
AllowLocation | Specify whether to allow app access to the Location service. | X | X | X | X | X |
AllowStorageCard | Specify whether the user is allowed to use the storage card for device storage. | X | X | X | X | |
AllowTelemetry | Allow the device to send diagnostic and usage data. | X | X | X | ||
AllowUserToResetPhone | Allow the user to factory reset the phone. | X | X | |||
ConfigureTelemetryOptInChangeNotification | This policy setting determines whether a device shows notifications about telemetry levels to people on first sign-in or when changes occur in Settings. | X | X | |||
ConfigureTelemetryOptInSettingsUx | This policy setting determines whether people can change their own telemetry levels in Settings | X | X | |||
DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. | X | X | |||
DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. | X | X | |||
DisableOneDriveFileSync | Prevent apps and features from working with files on OneDrive. | X | ||||
LimitEnhancedDiagnosticDataWindowsAnalytics | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in Windows 10, version 1703 basic level Windows diagnostic events and fields. Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | X | X |
TextInput
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowIMELogging | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | X | ||||
AllowIMENetworkAccess | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | X | ||||
AllowInputPanel | Disable the touch/handwriting keyboard. | X | ||||
AllowJapaneseIMESurrogatePairCharacters | Allow the Japanese IME surrogate pair characters. | X | ||||
AllowJapaneseIVSCharacters | Allow Japanese Ideographic Variation Sequence (IVS) characters. | X | ||||
AllJapaneseNonPublishingStandardGlyph | All the Japanese non-publishing standard glyph. | X | ||||
AllowJapaneseUserDictionary | Allow the Japanese user dictionary. | X | ||||
AllowKeyboardTextSuggestions | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | X | ||||
AllowLanguageFeaturesUninstall | All language features to be uninstalled. | X | ||||
AllowUserInputsFromMiracastRecevier | Do not use. Instead, use WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver | |||||
ExcludeJapaneseIMEExceptISO208 | Allow users to restrict character code range of conversion by setting the character filter. | X | ||||
ExcludeJapaneseIMEExceptISO208andEUDC | Allow users to restrict character code range of conversion by setting the character filter. | X | ||||
ExcludeJapaneseIMEExceptShiftJIS | Allow users to restrict character code range of conversion by setting the character filter. | X |
TimeLanguageSettings
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowSet24HourClock | Configure the default clock setting to be the 24 hour format. | X |
Update
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
ActiveHoursEnd | Use with Update/ActiveHoursStart to manage the range of active hours where update rboots are not scheduled. | X | X | X | X | |
ActiveHoursMaxRange | Specify the maximum active hours range. | X | X | X | X | |
ActiveHoursStart | Use with Update/ActiveHoursEnd to manage the range of active hours where update reboots are not scheduled. | X | X | X | X | |
AllowAutoUpdate | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X |
AllowAutoWindowsUpdateDownloadOverMeteredNetwork | Option to download updates automatically over metered connections (off by default). Enter 0 for not allowed, or 1 for allowed. | X | X | X | X | |
AllowMUUpdateService | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X |
AllowNonMicrosoftSignedUpdate | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | X | |
AllowUpdateService | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | X | X | X | X | X |
AutoRestartDeadlinePeriodInDays | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | X | |
AutoRestartDeadlinePeriodInDaysForFeatureUpdates | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | X | |
AutoRestartNotificationSchedule | Specify the period for auto-restart reminder notifications. | X | X | X | X | |
AutoRestartRequiredNotificationDismissal | Specify the method by which the auto-restart required notification is dismissed. | X | X | X | X | |
BranchReadinessLevel | Select which branch a device receives their updates from. | X | X | X | X | X |
DeferFeatureUpdatesPeriodInDays | Defer Feature Updates for the specified number of days. | X | X | X | X | |
DeferQualityUpdatesPeriodInDays | Defer Quality Updates for the specified number of days. | X | X | X | X | |
DeferUpdatePeriod | Specify update delays for up to 4 weeks. | X | X | X | X | X |
DeferUpgradePeriod | Specify upgrade delays for up to 8 months. | X | X | X | X | X |
DetectionFrequency | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X |
DisableDualScan | Do not allow update deferral policies to cause scans against Windows Update. | X | X | X | X | |
EngagedRestartDeadline | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | X | |
EngagedRestartDeadlineForFeatureUpdates | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | X | |
EngagedRestartSnoozeSchedule | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | X | |
EngagedRestartSnoozeScheduleForFeatureUpdates | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | X | |
EngagedRestartTransitionSchedule | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | X | |
EngagedRestartTransitionScheduleForFeatureUpdates | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | X | |
ExcludeWUDriversInQualityUpdate | Exclude Windws Update (WU) drivers during quality updates. | X | X | X | ||
FillEmptyContentUrls | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | X | |
ManagePreviewBuilds | Use to enable or disable preview builds. | X | X | X | X | X |
PhoneUpdateRestrictions | Deprecated | X | ||||
RequireDeferUpgrade | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X |
ScheduledInstallDay | Schedule the day for update installation. | X | X | X | X | X |
ScheduledInstallEveryWeek | To schedule update installation every week, set the value as 1 . | X | X | X | X | X |
ScheduledInstallFirstWeek | To schedule update installation the first week of the month, see the value as 1 . | X | X | X | X | X |
ScheduledInstallFourthWeek | To schedule update installation the fourth week of the month, see the value as 1 . | X | X | X | X | X |
ScheduledInstallSecondWeek | To schedule update installation the second week of the month, see the value as 1 . | X | X | X | X | X |
ScheduledInstallThirdWeek | To schedule update installation the third week of the month, see the value as 1 . | X | X | X | X | X |
ScheduledInstallTime | Schedule the time for update installation. | X | X | X | X | X |
ScheduleImminentRestartWarning | Specify the period for auto-restart imminent warning notifications. | X | X | X | X | |
ScheduleRestartWarning | Specify the period for auto-restart warning reminder notifications. | X | X | X | X | |
SetAutoRestartNotificationDisable | Disable auto-restart notifications for update installations. | X | X | X | X | |
SetDisablePauseUXAccess | Disable access to scan Windows Update. | X | X | X | X | |
SetDisableUXWUAccess | Disable the Pause updates feature. | X | X | X | X | |
SetEDURestart | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | X | X | X | X | |
UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. | X | X | X | X | |
UpdateServiceUrl | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | X | X | X | X | X |
UpdateServiceUrlAlternate | Specify an alternate intranet server to host updates from Microsoft Update. | X | X | X | X | X |
WiFi
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowAutoConnectToWiFiSenseHotspots | Allow the device to connect automatically to Wi-Fi hotspots. | X | X | |||
AllowInternetSharing | Allow Internet sharing. | X | X | |||
AllowManualWiFiConfiguration | Allow connecting to Wi-Fi outside of MDM server-installed networks. | X | ||||
AllowWiFi | Allow Wi-Fi connections. | X | ||||
WLANScanMode | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | X | X | X | X |
WindowsInkWorkspace
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowSuggestedAppsInWindowsInkWorkspace | Show recommended app suggestions in the ink workspace. | X | ||||
AllowWindowsInkWorkspace | Specify whether to allow the user to access the ink workspace. | X |
WindowsLogon
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
HideFastUserSwitching | Hide the Switch account button on the sign-in screen, Start, and the Task Manager. | X |
WirelessDisplay
Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
---|---|---|---|---|---|---|
AllowUserInputFromWirelessDisplayReceiver | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | X | X |
Note
If you enabled the org-wide app permission policy setting, Allow interaction with custom apps, you may not see app setup policies yet in the Microsoft Teams admin center. It's currently being rolled out and will be available soon in your organization.
As an admin, you can use app setup policies to customize Microsoft Teams to highlight the apps that are most important for your users. You choose the apps to pin and set the order that they appear. App setup policies let you showcase apps that users in your organization need, including those built by third parties or by developers in your organization. You can also use app setup policies to manage how built-in features appear.
Apps are pinned to the app bar. This is the bar on the side of the Teams desktop client and at the bottom of the Teams mobile clients (iOS and Android).
Teams desktop client | Teams mobile client |
---|---|
You manage app setup policies in the Microsoft Teams admin center. You can use the global (Org-wide default) policy or create custom policies and assign them to users. Users in your organization will automatically get the global policy unless you create and assign a custom policy.
You can edit the settings in the global policy to include the apps that you want. If you want to customize Teams for different groups of users in your organization, create and assign one or more custom policies. If a user is assigned a custom policy, that policy applies to the user. If a user isn't assigned a custom policy, the global policy applies to the user.
Note
If you have Teams for Education, it's important to know that the Assignments app is pinned by default in the global policy even though currently, you don't see it listed in the global policy. It will be the fourth app in the list of pinned apps on Teams clients.
Create a custom app setup policy
You can use the Microsoft Teams admin center to create a custom policy.
- In the left navigation of the Microsoft Teams admin center, go to Teams apps > Setup policies.
- Click Add.
- Enter a name and description for the policy, and then click Add apps.
- Turn on or turn off Allow uploading custom apps, depending on whether you want to let users upload custom apps to Teams. You won't be able to change this setting if Allow third-party or custom apps is turned off in org-wide app settings in app permission policies.
- In the Add pinned apps pane, search for the apps you want to add, and then click Add. You can also filter apps by app permission policy. When you've chosen your list of apps, click Add.
- Arrange the apps in the order that you want them to appear in Teams, and then click Save.
Edit an app setup policy
You can use the Microsoft Teams admin center to edit a policy, including the global (Org-wide default) policy and custom policies that you create.
- In the left navigation of the Microsoft Teams admin center, go to Teams apps > Setup policies.
- Select the policy by clicking to the left of the policy name, and then click Edit.
- From here, make the changes that you want. You can add, remove, and change the order of apps.
- Click Save.
Assign a custom app setup policy to users
Microsoft Policies And Procedures List
You can use the Microsoft Teams admin center to assign a custom policy to individual users or the Skype for Business PowerShell module to assign a custom policy to groups of users, such as a security group or distribution group.
Assign a custom app setup policy to users
- In the left navigation of the Microsoft Teams admin center, go to Users, and then click the user.
- Select the user by clicking to the left of the user name, and then click Edit settings.
- Under App setup policy, select the app setup policy you want to assign, and then click Apply.
To assign a policy to multiple users at a time, see Edit Teams user settings in bulk.
Or, you can also do the following:
- In the left navigation of the Microsoft Teams admin center, go to Teams apps > Setup policies.
- Select the policy by clicking to the left of the policy name.
- Select Manage users.
- In the Manage users pane, search for the user by display name or by user name, select the name, and then select Add. Repeat this step for each user that you want to add.
- When you're finished adding users, select Save.
Assign a custom app setup policy to users in a group
![Procedure Procedure](/uploads/1/2/6/0/126087100/943304972.png)
You may want to assign a custom app setup policy to multiple users that you’ve already identified. For example, you may want to assign a policy to all users in a security group. You can do this by connecting to the Azure Active Directory PowerShell for Graph module and the Skype for Business PowerShell module. For more information about using PowerShell to manage Teams, see Teams PowerShell Overview.
In this example, we assign a custom app setup policy called HR App Setup Policy to all users in the Contoso Pharmaceuticals HR Project group.
Note
Make sure you first connect to the Azure Active Directory PowerShell for Graph module and Skype for Business PowerShell module by following the steps in Connect to all Office 365 services in a single Windows PowerShell window.
SIMATIC STEP 7 V5.6 is the proven programming software for the controller families S7-300, S7-400, C7 and WinAC.Information on STEP 7 VersionsFor programming controllers of the latest generation S7-1200, S7-1500, ET 200SP CPU and S7-1500 Software Controller you need STEP 7 (TIA Portal) Engineering Software.Of course you can program the S7-300, S7-400 and SIMATIC WinAC controllers with this software as well.STEP 7 Professional 2017 includes the STEP 7 V5.6 basic software and additional editors. Step 7 software download. SIMATIC STEP 7 is the world's best known and most widely used engineering software in industrial automation. Whether for configuring hardware, establishing communications, programming, testing, commissioning and service, documentation and archiving, or operational and/or diagnostic functions, the software sets the benchmark in its field.
Get the GroupObjectId of the particular group.
Get the members of the specified group.
Assign all users in the group to a particular app setup policy. In this example, it's HR App Setup Policy.
Depending on the number of members in the group, this command may take several minutes to execute.
FAQ
Working with app setup policies
What built-in app setup policies are included in the Microsoft Teams admin center?
- Global (Org-wide default): This default policy applies to all users in your organization unless you assign another policy. Edit the global policy to pin apps that are most important for your users.
- FirstLineWorker: This policy is for firstline workers. You can assign it to firstline workers in your organization. It's important to know that like custom policies that you create, you have to assign the policy to users for the settings to be active. For more information, go to the Assign a custom app setup policy to users section of this article.
Why can't I find an app in the Add pinned apps pane?
Not all apps can be pinned to Teams through an app setup policy. Some apps may not support this functionality. To find apps that can be pinned, search for the app in the Add pinned apps pane. Tabs that have a personal scope (static tabs) and bots can be pinned to the Teams desktop client and these apps are available in the Add pinned apps pane.
Keep in mind that the Teams app store lists all Teams apps whereas the Add pinned apps pane includes only apps that can be pinned to Teams through a policy.
I'm a Teams for Education admin. What do I need to know about app setup policies in Teams for Education?
The Calling app isn't available in Teams for Education. When you create a new custom app setup policy, the Calling app is displayed in the list of apps. However, the app isn't pinned to Teams clients and Teams for Education users won't see the Calls app in Teams.
How many apps can be added to a policy?
A minimum of two apps must be pinned to the Teams mobile clients (iOS and Android). If a policy has less than two apps, the mobile clients won't reflect the policy settings and instead will continue to use the existing configuration.
There's no limit on the number of apps you can add to a policy.
Microsoft Policy And Procedure Templates
How long does it take for policy changes to take effect?
After you edit the global policy or assign a policy, it can take up to 24 hours for changes to take effect.
User experience
How can users see all their pinned apps in Teams?
To view all apps that are pinned for a user, users may have to do the following depending on the number of installed apps and the size of their Teams client window.
Teams desktop client | Teams mobile client |
---|---|
In the app bar on the side of Teams, click .. More apps. | In the app bar near the bottom of Teams, swipe up. |
What do I need to know about the Teams mobile experience?
The Teams mobile clients (iOS and Android) currently don't support personal apps with static tabs. Depending on the apps set in the policy, apps pinned to the Teams desktop client might not appear in the Teams mobile clients. Personal bots will still appear in Chat on mobile clients.
With the Teams mobile clients, users will see core Teams apps such as Activity, Chat, and Teams, and you can pin some first-party apps from Microsoft, such as Shifts.
Can users change the order of apps pinned through a policy?
Microsoft Policies And Procedures Form
Currently, users can change the order of their pinned apps on Teams mobile clients but not on the Teams desktop or web clients.
Custom Teams apps
![Procedures Procedures](/uploads/1/2/6/0/126087100/181381888.jpg)
My organization built a custom Teams app and published it, either to AppSource or the Tenant app catalog, but the app icon isn't displayed as expected when the app is pinned to the app bar in Teams. How do I fix it?
Make sure that you follow the logo guidelines before you submit the app. To learn more, see Checklist for Seller Dashboard submission.