Use a common set of exploit protection settings
Specify a common set of Microsoft Defender Exploit Guard system and application mitigation settings that can be applied to all endpoints that have this GP setting configured.
There are some prerequisites before you can enable this setting:
- Manually configure a device's system and application mitigation settings using the Set-ProcessMitigation PowerShell cmdlet, the ConvertTo-ProcessMitigationPolicy PowerShell cmdlet, or directly in Windows Security.
- Generate an XML file with the settings from the device by running the Get-ProcessMitigation PowerShell cmdlet or using the Export button at the bottom of the Exploit Protection area in Windows Security.
- Place the generated XML file in a shared or local path.
Note: Endpoints that have this GP setting set to Enabled must be able to access the XML file, otherwise the settings will not be applied.
Enabled
Specify the location of the XML file in the Options section. You can use a local (or mapped) path, a UNC path, or a URL, such as the following:
- C:\MitigationSettings\Config.XML
- \\Server\Share\Config.xml
- https://localhost:8080/Config.xml
The settings in the XML file will be applied to the endpoint.
Disabled
Common settings will not be applied, and the locally configured settings will be used instead.
Not configured
Same as Disabled.
Supported on: At least Windows Server, Windows 10 Version 1709
Type the location (local path, UNC path, or URL) of the mitigation settings configuration XML file:
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection |
| Value Name | ExploitProtectionSettings |
| Value Type | REG_SZ |
| Default Value |
exploitguard.admx
- Control Panel
- Personalization
- Do not display the lock screen
- Force a specific background and accent color
- Force a specific default lock screen and logon image
- Force a specific Start background
- Prevent changing lock screen and logon image
- Prevent changing start menu background
- Prevent enabling lock screen camera
- Prevent enabling lock screen slide show
- Prevent lock screen background motion
- Regional and Language Options
- Handwriting personalization
- Allow users to enable online speech recognition services
- Block clean-up of unused language packs
- Force selected system UI language to overwrite the user UI language
- Restrict Language Pack and Language Feature Installation
- Restricts the UI language Windows uses for all logged users
- User Accounts
- Allow Online Tips
- Settings Page Visibility
- Personalization
- Network
- Background Intelligent Transfer Service (BITS)
- Allow BITS Peercaching
- Do not allow the BITS client to use Windows Branch Cache
- Do not allow the computer to act as a BITS Peercaching client
- Do not allow the computer to act as a BITS Peercaching server
- Limit the age of files in the BITS Peercache
- Limit the BITS Peercache size
- Limit the maximum BITS job download time
- Limit the maximum network bandwidth for BITS background transfers
- Limit the maximum network bandwidth used for Peercaching
- Limit the maximum number of BITS jobs for each user
- Limit the maximum number of BITS jobs for this computer
- Limit the maximum number of files allowed in a BITS job
- Limit the maximum number of ranges that can be added to the file in a BITS job
- Set default download behavior for BITS jobs on costed networks
- Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers
- Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers
- Timeout for inactive BITS jobs
- BranchCache
- Configure BranchCache for network files
- Configure Client BranchCache Version Support
- Configure Hosted Cache Servers
- Enable Automatic Hosted Cache Discovery by Service Connection Point
- Set age for segments in the data cache
- Set BranchCache Distributed Cache mode
- Set BranchCache Hosted Cache mode
- Set percentage of disk space used for client computer cache
- Turn on BranchCache
- DirectAccess Client Experience Settings
- DNS Client
- Allow DNS suffix appending to unqualified multi-label name queries
- Allow NetBT queries for fully qualified domain names
- Configure DNS over HTTPS (DoH) name resolution
- Connection-specific DNS suffix
- DNS servers
- DNS suffix search list
- Dynamic update
- IDN mapping
- Prefer link local responses over DNS when received over a network with higher precedence
- Primary DNS suffix devolution level
- Primary DNS suffix devolution
- Primary DNS suffix
- Register DNS records with connection-specific DNS suffix
- Register PTR records
- Registration refresh interval
- Replace addresses in conflicts
- TTL value for A and PTR records
- Turn off IDN encoding
- Turn off multicast name resolution
- Turn off smart multi-homed name resolution
- Turn off smart protocol reordering
- Update security level
- Update top level domain zones
- Fonts
- Hotspot Authentication
- Lanman Server
- Lanman Workstation
- Link-Layer Topology Discovery
- Microsoft Peer-to-Peer Networking Services
- Peer Name Resolution Protocol
- Global Clouds
- Link-Local Clouds
- Site-Local Clouds
- Disable password strength validation for Peer Grouping
- Turn off Microsoft Peer-to-Peer Networking Services
- Peer Name Resolution Protocol
- Network Connections
- Windows Defender Firewall
- Domain Profile
- Windows Defender Firewall: Allow ICMP exceptions
- Windows Defender Firewall: Allow inbound file and printer sharing exception
- Windows Defender Firewall: Allow inbound remote administration exception
- Windows Defender Firewall: Allow inbound Remote Desktop exceptions
- Windows Defender Firewall: Allow inbound UPnP framework exceptions
- Windows Defender Firewall: Allow local port exceptions
- Windows Defender Firewall: Allow local program exceptions
- Windows Defender Firewall: Allow logging
- Windows Defender Firewall: Define inbound port exceptions
- Windows Defender Firewall: Define inbound program exceptions
- Windows Defender Firewall: Do not allow exceptions
- Windows Defender Firewall: Prohibit notifications
- Windows Defender Firewall: Prohibit unicast response to multicast or broadcast requests
- Windows Defender Firewall: Protect all network connections
- Standard Profile
- Windows Defender Firewall: Allow ICMP exceptions
- Windows Defender Firewall: Allow inbound file and printer sharing exception
- Windows Defender Firewall: Allow inbound remote administration exception
- Windows Defender Firewall: Allow inbound Remote Desktop exceptions
- Windows Defender Firewall: Allow inbound UPnP framework exceptions
- Windows Defender Firewall: Allow local port exceptions
- Windows Defender Firewall: Allow local program exceptions
- Windows Defender Firewall: Allow logging
- Windows Defender Firewall: Define inbound port exceptions
- Windows Defender Firewall: Define inbound program exceptions
- Windows Defender Firewall: Do not allow exceptions
- Windows Defender Firewall: Prohibit notifications
- Windows Defender Firewall: Prohibit unicast response to multicast or broadcast requests
- Windows Defender Firewall: Protect all network connections
- Windows Defender Firewall: Allow authenticated IPsec bypass
- Domain Profile
- Do not show the "local access only" network icon
- Prohibit installation and configuration of Network Bridge on your DNS domain network
- Prohibit use of Internet Connection Firewall on your DNS domain network
- Require domain users to elevate when setting a network's location
- Route all traffic through the internal network
- Windows Defender Firewall
- Network Connectivity Status Indicator
- Network Isolation
- Network Provider
- Offline Files
- Action on server disconnect
- Allow or Disallow use of the Offline Files feature
- At logoff, delete local copy of user's offline files
- Configure Background Sync
- Configure slow-link mode
- Configure Slow link speed
- Default cache size
- Enable file screens
- Enable file synchronization on costed networks
- Enable Transparent Caching
- Encrypt the Offline Files cache
- Event logging level
- Files not cached
- Initial reminder balloon lifetime
- Limit disk space used by Offline Files
- Non-default server disconnect actions
- Prevent use of Offline Files folder
- Prohibit user configuration of Offline Files
- Reminder balloon frequency
- Reminder balloon lifetime
- Remove "Make Available Offline" command
- Remove "Make Available Offline" for these files and folders
- Remove "Work offline" command
- Specify administratively assigned Offline Files
- Subfolders always available offline
- Synchronize all offline files before logging off
- Synchronize all offline files when logging on
- Synchronize offline files before suspend
- Turn off reminder balloons
- Turn on economical application of administratively assigned Offline Files
- QoS Packet Scheduler
- DSCP value of conforming packets
- DSCP value of non-conforming packets
- Layer-2 priority value
- Limit outstanding packets
- Limit reservable bandwidth
- Set timer resolution
- SNMP
- SSL Configuration Settings
- TCPIP Settings
- IPv6 Transition Technologies
- Parameters
- Windows Connection Manager
- Disable power management in connected standby mode
- Enable Windows to soft-disconnect a computer from a network
- Minimize the number of simultaneous connections to the Internet or a Windows Domain
- Prohibit connection to non-domain networks when connected to domain authenticated network
- Prohibit connection to roaming Mobile Broadband networks
- Windows Connect Now
- Wireless Display
- WLAN Service
- WWAN Service
- Cellular Data Access
- WWAN Media Cost
- WWAN UI Settings
- Sets how often a DFS Client discovers DC's
- Background Intelligent Transfer Service (BITS)
- Printers
- Activate Internet printing
- Add Printer wizard - Network scan page (Managed network)
- Add Printer wizard - Network scan page (Unmanaged network)
- Allow job name in event logs
- Allow printers to be published
- Allow Print Spooler to accept client connections
- Allow pruning of published printers
- Always rasterize content to be printed using a software rasterizer
- Always render print jobs on the server
- Automatically publish new printers in Active Directory
- Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps)
- Check published state
- Computer location
- Custom support URL in the Printers folder's left pane
- Directory pruning interval
- Directory pruning priority
- Directory pruning retry
- Disallow installation of printers using kernel-mode drivers
- Do not allow v4 printer drivers to show printer extensions
- Enable Device Control Printing Restrictions
- Execute print drivers in isolated processes
- Extend Point and Print connection to search Windows Update
- Isolate print drivers from applications
- List of Approved USB-connected print devices
- Log directory pruning retry events
- Only use Package Point and print
- Override print driver execution compatibility setting reported by print driver
- Package Point and print - Approved servers
- Point and Print Restrictions
- Pre-populate printer search location text
- Printer browsing
- Prune printers that are not automatically republished
- Start Menu and Taskbar
- Notifications
- Disable context menus in the Start Menu
- Do not keep history of recently opened documents
- Force Start to be either full screen size or menu size
- Pin Apps to Start when installed
- Remove "Recently added" list from Start Menu
- Remove All Programs list from the Start menu
- Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands
- Remove frequent programs list from the Start Menu
- Show or hide "Most used" list from Start menu
- Start Layout
- System
- Access-Denied Assistance
- App-V
- CEIP
- Client Coexistence
- Integration
- PackageManagement
- PowerManagement
- Publishing
- Reporting
- Scripting
- Streaming
- Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection
- Certificate Filter For Client SSL
- Enable Support for BranchCache
- Location Provider
- Package Installation Root
- Package Source Root
- Reestablishment Interval
- Reestablishment Retries
- Require Publish As Admin
- Specify what to load in background (aka AutoLoad)
- Verify certificate revocation list
- Virtualization
- Enable App-V Client
- Audit Process Creation
- Credentials Delegation
- Allow delegating default credentials
- Allow delegating default credentials with NTLM-only server authentication
- Allow delegating fresh credentials
- Allow delegating fresh credentials with NTLM-only server authentication
- Allow delegating saved credentials
- Allow delegating saved credentials with NTLM-only server authentication
- Deny delegating default credentials
- Deny delegating fresh credentials
- Deny delegating saved credentials
- Encryption Oracle Remediation
- Remote host allows delegation of non-exportable credentials
- Restrict delegation of credentials to remote servers
- Device Guard
- Device Health Attestation Service
- Device Installation
- Device Installation Restrictions
- Allow administrators to override Device Installation Restriction policies
- Allow installation of devices that match any of these device IDs
- Allow installation of devices that match any of these device instance IDs
- Allow installation of devices using drivers that match these device setup classes
- Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria
- Display a custom message title when device installation is prevented by a policy setting
- Display a custom message when installation is prevented by a policy setting
- Prevent installation of devices not described by other policy settings
- Prevent installation of devices that match any of these device IDs
- Prevent installation of devices that match any of these device instance IDs
- Prevent installation of devices using drivers that match these device setup classes
- Prevent installation of removable devices
- Time (in seconds) to force reboot when required for policy changes to take effect
- Allow remote access to the Plug and Play interface
- Configure device installation time-out
- Do not send a Windows error report when a generic driver is installed on a device
- Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point
- Prevent device metadata retrieval from the Internet
- Prevent Windows from sending an error report when a device driver requests additional software during installation
- Prioritize all digitally signed drivers equally during the driver ranking and selection process
- Specify search order for device driver source locations
- Specify the search server for device driver updates
- Turn off "Found New Hardware" balloons during device installation
- Device Installation Restrictions
- Disk NV Cache
- Disk Quotas
- Display
- Distributed COM
- Application Compatibility Settings
- Driver Installation
- Early Launch Antimalware
- Enhanced Storage Access
- Allow only USB root hub connected Enhanced Storage devices
- Configure list of Enhanced Storage devices usable on your computer
- Configure list of IEEE 1667 silos usable on your computer
- Do not allow non-Enhanced Storage removable devices
- Do not allow password authentication of Enhanced Storage devices
- Do not allow Windows to activate Enhanced Storage devices
- Lock Enhanced Storage when the computer is locked
- File Classification Infrastructure
- Filesystem
- NTFS
- Do not allow compression on all NTFS volumes
- Do not allow encryption on all NTFS volumes
- Enable / disable TXF deprecated features
- Enable NTFS non-paged pool usage
- Enable NTFS pagefile encryption
- NTFS default tier
- NTFS parallel flush threshold
- NTFS parallel flush worker threads
- Short name creation options
- Disable delete notifications on all volumes
- Enable Win32 long paths
- Selectively allow the evaluation of a symbolic link
- NTFS
- Folder Redirection
- Group Policy
- Logging and tracing
- Configure Applications preference logging and tracing
- Configure Data Sources preference logging and tracing
- Configure Devices preference logging and tracing
- Configure Drive Maps preference logging and tracing
- Configure Environment preference logging and tracing
- Configure Files preference logging and tracing
- Configure Folder Options preference logging and tracing
- Configure Folders preference logging and tracing
- Configure Ini Files preference logging and tracing
- Configure Internet Settings preference logging and tracing
- Configure Local Users and Groups preference logging and tracing
- Configure Network Options preference logging and tracing
- Configure Power Options preference logging and tracing
- Configure Printers preference logging and tracing
- Configure Regional Options preference logging and tracing
- Configure Registry preference logging and tracing
- Configure Scheduled Tasks preference logging and tracing
- Configure Services preference logging and tracing
- Configure Shortcuts preference logging and tracing
- Configure Start Menu preference logging and tracing
- Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services
- Allow cross-forest user policy and roaming user profiles
- Always use local ADM files for Group Policy Object Editor
- Change Group Policy processing to run asynchronously when a slow network connection is detected.
- Configure Applications preference extension policy processing
- Configure Data Sources preference extension policy processing
- Configure Devices preference extension policy processing
- Configure Direct Access connections as a fast network connection
- Configure disk quota policy processing
- Configure Drive Maps preference extension policy processing
- Configure EFS recovery policy processing
- Configure Environment preference extension policy processing
- Configure Files preference extension policy processing
- Configure Folder Options preference extension policy processing
- Configure folder redirection policy processing
- Configure Folders preference extension policy processing
- Configure Group Policy Caching
- Configure Group Policy slow link detection
- Configure Ini Files preference extension policy processing
- Configure Internet Explorer Maintenance policy processing
- Configure Internet Settings preference extension policy processing
- Configure IP security policy processing
- Configure Local Users and Groups preference extension policy processing
- Configure Logon Script Delay
- Configure Network Options preference extension policy processing
- Configure Power Options preference extension policy processing
- Configure Printers preference extension policy processing
- Configure Regional Options preference extension policy processing
- Configure registry policy processing
- Configure Registry preference extension policy processing
- Configure Scheduled Tasks preference extension policy processing
- Configure scripts policy processing
- Configure security policy processing
- Configure Services preference extension policy processing
- Configure Shortcuts preference extension policy processing
- Configure software Installation policy processing
- Configure Start Menu preference extension policy processing
- Configure user Group Policy loopback processing mode
- Configure web-to-app linking with app URI handlers
- Configure wired policy processing
- Configure wireless policy processing
- Continue experiences on this device
- Determine if interactive users can generate Resultant Set of Policy data
- Enable AD/DFS domain controller synchronization during policy refresh
- Enable Group Policy Caching for Servers
- Phone-PC linking on this device
- Remove users' ability to invoke machine policy refresh
- Set Group Policy refresh interval for computers
- Set Group Policy refresh interval for domain controllers
- Specify startup policy processing wait time
- Specify workplace connectivity wait time for policy processing
- Turn off background refresh of Group Policy
- Turn off Group Policy Client Service AOAC optimization
- Turn off Local Group Policy Objects processing
- Turn off Resultant Set of Policy logging
- Logging and tracing
- Internet Communication Management
- Internet Communication settings
- Turn off access to all Windows Update features
- Turn off access to the Store
- Turn off Automatic Root Certificates Update
- Turn off downloading of print drivers over HTTP
- Turn off Event Viewer "Events.asp" links
- Turn off handwriting personalization data sharing
- Turn off handwriting recognition error reporting
- Turn off Help and Support Center "Did you know?" content
- Turn off Help and Support Center Microsoft Knowledge Base search
- Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
- Turn off Internet download for Web publishing and online ordering wizards
- Turn off Internet File Association service
- Turn off printing over HTTP
- Turn off Registration if URL connection is referring to Microsoft.com
- Turn off Search Companion content file updates
- Turn off the "Order Prints" picture task
- Turn off the "Publish to Web" task for files and folders
- Turn off the Windows Messenger Customer Experience Improvement Program
- Turn off Windows Customer Experience Improvement Program
- Turn off Windows Error Reporting
- Turn off Windows Network Connectivity Status Indicator active tests
- Turn off Windows Update device driver searching
- Restrict Internet communication
- Internet Communication settings
- iSCSI
- General iSCSI
- iSCSI Security
- iSCSI Target Discovery
- KDC
- Kerberos
- Allow retrieving the cloud kerberos ticket during the logon
- Always send compound authentication first
- Define host name-to-Kerberos realm mappings
- Define interoperable Kerberos V5 realm settings
- Disable revocation checking for the SSL certificate of KDC proxy servers
- Fail authentication requests when Kerberos armoring is not available
- Kerberos client support for claims, compound authentication and Kerberos armoring
- Require strict KDC validation
- Require strict target SPN match on remote procedure calls
- Set maximum Kerberos SSPI context token buffer size
- Specify KDC proxy servers for Kerberos clients
- Support compound authentication
- Support device authentication using certificate
- Use forest search order
- Kernel DMA Protection
- Locale Services
- Logon
- Allow users to select when a password is required when resuming from connected standby
- Always use classic logon
- Always use custom logon background
- Always wait for the network at computer startup and logon
- Assign a default credential provider
- Assign a default domain for logon
- Block user from showing account details on sign-in
- Do not display network selection UI
- Do not display the Getting Started welcome screen at logon
- Do not enumerate connected users on domain-joined computers
- Do not process the legacy run list
- Do not process the run once list
- Enumerate local users on domain-joined computers
- Exclude credential providers
- Hide entry points for Fast User Switching
- Run these programs at user logon
- Show clear logon background
- Show first sign-in animation
- Turn off app notifications on the lock screen
- Turn off picture password sign-in
- Turn off Windows Startup sound
- Turn on convenience PIN sign-in
- Turn on security key sign-in
- Mitigation Options
- Net Logon
- DC Locator DNS Records
- Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names
- Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails
- Force Rediscovery Interval
- Return domain controller address type
- Set Priority in the DC Locator DNS SRV records
- Set TTL in the DC Locator DNS Records
- Set Weight in the DC Locator DNS SRV records
- Specify address lookup behavior for DC locator ping
- Specify DC Locator DNS records not registered by the DCs
- Specify dynamic registration of the DC Locator DNS Records
- Specify Refresh Interval of the DC Locator DNS records
- Specify sites covered by the application directory partition DC Locator DNS SRV records
- Specify sites covered by the DC Locator DNS SRV records
- Specify sites covered by the GC Locator DNS SRV Records
- Try Next Closest Site
- Use automated site coverage by the DC Locator DNS SRV Records
- Use DNS name resolution when a single-label domain name is used, by appending different registered DNS suffixes, if the AllowSingleLabelDnsDomain setting is not enabled.
- Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC
- Use lowercase DNS host names when registering domain controller SRV records
- Allow cryptography algorithms compatible with Windows NT 4.0
- Contact PDC on logon failure
- Set scavenge interval
- Specify expected dial-up delay on logon
- Specify log file debug output level
- Specify maximum log file size
- Specify negative DC Discovery cache setting
- Specify positive periodic DC Cache refresh for non-background callers
- Specify site name
- Use final DC discovery retry setting for background callers
- Use initial DC discovery retry setting for background callers
- Use maximum DC discovery retry interval setting for background callers
- Use positive periodic DC cache refresh for background callers
- Use urgent mode when pinging domain controllers
- DC Locator DNS Records
- OS Policies
- PIN Complexity
- Power Management
- Button Settings
- Select the lid switch action (on battery)
- Select the lid switch action (plugged in)
- Select the Power button action (on battery)
- Select the Power button action (plugged in)
- Select the Sleep button action (on battery)
- Select the Sleep button action (plugged in)
- Select the Start menu Power button action (on battery)
- Select the Start menu Power button action (plugged in)
- Energy Saver Settings
- Hard Disk Settings
- Notification Settings
- Power Throttling Settings
- Sleep Settings
- Allow applications to prevent automatic sleep (on battery)
- Allow applications to prevent automatic sleep (plugged in)
- Allow automatic sleep with Open Network Files (on battery)
- Allow automatic sleep with Open Network Files (plugged in)
- Allow network connectivity during connected-standby (on battery)
- Allow network connectivity during connected-standby (plugged in)
- Allow standby states (S1-S3) when sleeping (on battery)
- Allow standby states (S1-S3) when sleeping (plugged in)
- Require a password when a computer wakes (on battery)
- Require a password when a computer wakes (plugged in)
- Specify the system hibernate timeout (on battery)
- Specify the system hibernate timeout (plugged in)
- Specify the system sleep timeout (on battery)
- Specify the system sleep timeout (plugged in)
- Specify the unattended sleep timeout (on battery)
- Specify the unattended sleep timeout (plugged in)
- Turn off hybrid sleep (on battery)
- Turn off hybrid sleep (plugged in)
- Turn on the ability for applications to prevent sleep transitions (on battery)
- Turn on the ability for applications to prevent sleep transitions (plugged in)
- Video and Display Settings
- Reduce display brightness (on battery)
- Reduce display brightness (plugged in)
- Specify the display dim brightness (on battery)
- Specify the display dim brightness (plugged in)
- Turn off adaptive display timeout (on battery)
- Turn off adaptive display timeout (plugged in)
- Turn off the display (on battery)
- Turn off the display (plugged in)
- Turn on desktop background slideshow (on battery)
- Turn on desktop background slideshow (plugged in)
- Select an active power plan
- Specify a custom active power plan
- Button Settings
- Recovery
- Remote Assistance
- Remote Procedure Call
- Removable Storage Access
- All Removable Storage: Allow direct access in remote sessions
- All Removable Storage classes: Deny all access
- CD and DVD: Deny execute access
- CD and DVD: Deny read access
- CD and DVD: Deny write access
- Custom Classes: Deny read access
- Custom Classes: Deny write access
- Floppy Drives: Deny execute access
- Floppy Drives: Deny read access
- Floppy Drives: Deny write access
- Removable Disks: Deny execute access
- Removable Disks: Deny read access
- Removable Disks: Deny write access
- Tape Drives: Deny execute access
- Tape Drives: Deny read access
- Tape Drives: Deny write access
- Time (in seconds) to force reboot
- WPD Devices: Deny read access
- WPD Devices: Deny write access
- Scripts
- Allow logon scripts when NetBIOS or WINS is disabled
- Maximum wait time for Group Policy scripts
- Run logon scripts synchronously
- Run shutdown scripts visible
- Run startup scripts asynchronously
- Run startup scripts visible
- Run Windows PowerShell scripts first at computer startup, shutdown
- Run Windows PowerShell scripts first at user logon, logoff
- Security Account Manager
- Server Manager
- Service Control Manager Settings
- Security Settings
- Shutdown
- Shutdown Options
- Storage Health
- Storage Sense
- System Restore
- Troubleshooting and Diagnostics
- Application Compatibility Diagnostics
- Detect application failures caused by deprecated COM objects
- Detect application failures caused by deprecated Windows DLLs
- Detect application installers that need to be run as administrator
- Detect application install failures
- Detect applications unable to launch installers under UAC
- Detect compatibility issues for applications and drivers
- Notify blocked drivers
- Corrupted File Recovery
- Disk Diagnostic
- Fault Tolerant Heap
- Microsoft Support Diagnostic Tool
- Microsoft Support Diagnostic Tool: Configure execution level
- Microsoft Support Diagnostic Tool: Restrict tool download
- Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider
- Troubleshooting: Allow users to access recommended troubleshooting for known problems
- MSI Corrupted File Recovery
- Scheduled Maintenance
- Scripted Diagnostics
- Configure Security Policy for Scripted Diagnostics
- Troubleshooting: Allow users to access and run Troubleshooting Wizards
- Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)
- Windows Boot Performance Diagnostics
- Windows Memory Leak Diagnosis
- Windows Performance PerfTrack
- Windows Resource Exhaustion Detection and Resolution
- Windows Shutdown Performance Diagnostics
- Windows Standby/Resume Performance Diagnostics
- Windows System Responsiveness Performance Diagnostics
- Diagnostics: Configure scenario execution level
- Diagnostics: Configure scenario retention
- Application Compatibility Diagnostics
- Trusted Platform Module Services
- Configure the level of TPM owner authorization information available to the operating system
- Configure the list of blocked TPM commands
- Configure the system to clear the TPM if it is not in a ready state.
- Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0.
- Ignore the default list of blocked TPM commands
- Ignore the local list of blocked TPM commands
- Standard User Individual Lockout Threshold
- Standard User Lockout Duration
- Standard User Total Lockout Threshold
- User Profiles
- Add the Administrators security group to roaming user profiles
- Control slow network connection timeout for user profiles
- Delete cached copies of roaming profiles
- Delete user profiles older than a specified number of days on system restart
- Disable detection of slow network connections
- Do not check for user ownership of Roaming Profile Folders
- Do not forcefully unload the users registry at user logoff
- Do not log users on with temporary profiles
- Download roaming profiles on primary computers only
- Establish timeout value for dialog boxes
- Leave Windows Installer and Group Policy Software Installation Data
- Maximum retries to unload and update user profile
- Only allow local user profiles
- Prevent Roaming Profile changes from propagating to the server
- Prompt user when a slow network connection is detected
- Set maximum wait time for the network if a user has a roaming user profile or remote home directory
- Set roaming profile path for all users logging onto this computer
- Set the schedule for background upload of a roaming user profile's registry file while user is logged on
- Set user home folder
- Turn off the advertising ID
- User management of sharing user name, account picture, and domain information with apps (not desktop apps)
- Wait for remote user profile
- Windows File Protection
- Windows Time Service
- Activate Shutdown Event Tracker System State Data feature
- Allow Distributed Link Tracking clients to use domain resources
- Display highly detailed status messages
- Display Shutdown Event Tracker
- Do not automatically encrypt files moved to encrypted folders
- Do not display Manage Your Server page at logon
- Do not turn off system power after a Windows system shutdown has occurred.
- Download missing COM components
- Enable Persistent Time Stamp
- Remove Boot / Shutdown / Logon / Logoff status messages
- Restrict potentially unsafe HTML Help functions to specified folders
- Restrict these programs from being launched from Help
- Specify settings for optional component installation and component repair
- Specify Windows installation file location
- Specify Windows Service Pack installation file location
- Turn off Data Execution Prevention for HTML Help Executible
- Windows Components
- ActiveX Installer Service
- Add features to Windows 8.1
- Application Compatibility
- App Package Deployment
- Allow all trusted apps to install
- Allow deployment operations in special profiles
- Allows development of Windows Store apps and installing them from an integrated development environment (IDE)
- Archive infrequently used apps
- Disable installing Windows apps on non-system volumes
- Not allow sideloaded apps to auto-update in the background
- Not allow sideloaded apps to auto-update in the background on a metered network
- Prevent non-admin users from installing packaged Windows apps
- Prevent users' app data from being stored on non-system volumes
- App Privacy
- Let Windows apps access account information
- Let Windows apps access an eye tracker device
- Let Windows apps access call history
- Let Windows apps access contacts
- Let Windows apps access diagnostic information about other apps
- Let Windows apps access email
- Let Windows apps access location
- Let Windows apps access messaging
- Let Windows apps access motion
- Let Windows apps access notifications
- Let Windows apps access Tasks
- Let Windows apps access the calendar
- Let Windows apps access the camera
- Let Windows apps access the microphone
- Let Windows apps access trusted devices
- Let Windows apps access user movements while running in the background
- Let Windows apps activate with voice
- Let Windows apps activate with voice while the system is locked
- Let Windows apps communicate with unpaired devices
- Let Windows apps control radios
- Let Windows apps make phone calls
- Let Windows apps run in the background
- Let Windows apps take screenshots of various windows or displays
- Let Windows apps turn off the screenshot border
- App runtime
- AutoPlay Policies
- Backup
- Biometrics
- BitLocker Drive Encryption
- Fixed Data Drives
- Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
- Choose how BitLocker-protected fixed drives can be recovered
- Configure use of hardware-based encryption for fixed data drives
- Configure use of passwords for fixed data drives
- Configure use of smart cards on fixed data drives
- Deny write access to fixed drives not protected by BitLocker
- Enforce drive encryption type on fixed data drives
- Operating System Drives
- Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.
- Allow enhanced PINs for startup
- Allow network unlock at startup
- Allow Secure Boot for integrity validation
- Choose how BitLocker-protected operating system drives can be recovered
- Configure minimum PIN length for startup
- Configure pre-boot recovery message and URL
- Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
- Configure TPM platform validation profile for BIOS-based firmware configurations
- Configure TPM platform validation profile for native UEFI firmware configurations
- Configure use of hardware-based encryption for operating system drives
- Configure use of passwords for operating system drives
- Disallow standard users from changing the PIN or password
- Enable use of BitLocker authentication requiring preboot keyboard input on slates
- Enforce drive encryption type on operating system drives
- Require additional authentication at startup (Windows Server 2008 and Windows Vista)
- Require additional authentication at startup
- Reset platform validation data after BitLocker recovery
- Use enhanced Boot Configuration Data validation profile
- Removable Data Drives
- Allow access to BitLocker-protected removable data drives from earlier versions of Windows
- Choose how BitLocker-protected removable drives can be recovered
- Configure use of hardware-based encryption for removable data drives
- Configure use of passwords for removable data drives
- Configure use of smart cards on removable data drives
- Control use of BitLocker on removable drives
- Deny write access to removable drives not protected by BitLocker
- Enforce drive encryption type on removable data drives
- Choose default folder for recovery password
- Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507])
- Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
- Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)
- Disable new DMA devices when this computer is locked
- Prevent memory overwrite on restart
- Provide the unique identifiers for your organization
- Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
- Validate smart card certificate usage rule compliance
- Fixed Data Drives
- Camera
- Chat
- Cloud Content
- Connect
- Credential User Interface
- Data Collection and Preview Builds
- Allow commercial data pipeline
- Allow Desktop Analytics Processing
- Allow device name to be sent in Windows diagnostic data
- Allow Diagnostic Data
- Allow Update Compliance Processing
- Allow WUfB Cloud Processing
- Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service
- Configure collection of browsing data for Desktop Analytics
- Configure Connected User Experiences and Telemetry
- Configure diagnostic data opt-in change notifications
- Configure diagnostic data opt-in settings user interface
- Configure diagnostic data upload endpoint for Desktop Analytics
- Configure the Commercial ID
- Disable deleting diagnostic data
- Disable diagnostic data viewer
- Disable OneSettings Downloads
- Do not show feedback notifications
- Enable OneSettings Auditing
- Limit Diagnostic Log Collection
- Limit Dump Collection
- Limit optional diagnostic data for Desktop Analytics
- Toggle user control over Insider builds
- Delivery Optimization
- Absolute Max Cache Size (in GB)
- Allow uploads while the device is on battery while under set Battery level (percentage)
- Cache Server Hostname
- Cache Server Hostname Source
- Delay Background download Cache Server fallback (in seconds)
- Delay background download from http (in secs)
- Delay Foreground download Cache Server fallback (in seconds)
- Delay Foreground download from http (in secs)
- Download Mode
- Enable Peer Caching while the device connects via VPN
- Group ID
- Max Cache Age (in seconds)
- Max Cache Size (percentage)
- Maximum Background Download Bandwidth (in KB/s)
- Maximum Background Download Bandwidth (percentage)
- Maximum Foreground Download Bandwidth (in KB/s)
- Maximum Foreground Download Bandwidth (percentage)
- Minimum Background QoS (in KB/s)
- Minimum disk size allowed to use Peer Caching (in GB)
- Minimum Peer Caching Content File Size (in MB)
- Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB)
- Modify Cache Drive
- Monthly Upload Data Cap (in GB)
- Select a method to restrict Peer Selection
- Select the source of Group IDs
- Set Business Hours to Limit Background Download Bandwidth
- Set Business Hours to Limit Foreground Download Bandwidth
- Desktop Gadgets
- Desktop Window Manager
- Device and Driver Compatibility
- Device Registration
- Digital Locker
- Edge UI
- Event Forwarding
- Event Logging
- Event Log Service
- Application
- Security
- Setup
- System
- Event Viewer
- File Explorer
- Previous Versions
- Allow the use of remote paths in file shortcut icons
- Configure Windows Defender SmartScreen
- Disable binding directly to IPropertySetStorage without intermediate layers.
- Do not reinitialize a pre-existing roamed user profile when it is loaded on a machine for the first time
- Do not show the 'new application installed' notification
- Location where all default Library definition files for users/machines reside.
- Set a default associations configuration file
- Set a support web page link
- Show hibernate in the power options menu
- Show lock in the user tile menu
- Show sleep in the power options menu
- Start File Explorer with ribbon minimized
- Turn off Data Execution Prevention for Explorer
- Turn off heap termination on corruption
- Turn off numerical sorting in File Explorer
- Turn off shell protocol protected mode
- Verify old and new Folder Redirection targets point to the same share before redirecting
- File History
- Find My Device
- Handwriting
- HomeGroup
- Human Presence
- Internet Explorer
- Accelerators
- Application Compatibility
- Browser menus
- Compatibility View
- Corporate Settings
- Delete Browsing History
- Allow deleting browsing history on exit
- Disable "Configuring History"
- Prevent access to Delete Browsing History
- Prevent deleting ActiveX Filtering, Tracking Protection, and Do Not Track data
- Prevent deleting cookies
- Prevent deleting download history
- Prevent deleting favorites site data
- Prevent deleting form data
- Prevent deleting InPrivate Filtering data
- Prevent deleting passwords
- Prevent deleting temporary Internet files
- Prevent deleting websites that the user has visited
- Prevent the deletion of temporary Internet files and cookies
- Internet Control Panel
- Advanced Page
- Allow active content from CDs to run on user machines
- Allow Install On Demand (except Internet Explorer)
- Allow Install On Demand (Internet Explorer)
- Allow Internet Explorer to use the HTTP2 network protocol
- Allow Internet Explorer to use the SPDY/3 network protocol
- Allow software to run or install even if the signature is invalid
- Allow third-party browser extensions
- Always send Do Not Track header
- Automatically check for Internet Explorer updates
- Check for server certificate revocation
- Check for signatures on downloaded programs
- Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled
- Do not allow resetting Internet Explorer settings
- Do not save encrypted pages to disk
- Empty Temporary Internet Files folder when browser is closed
- Play animations in web pages
- Play sounds in web pages
- Play videos in web pages
- Turn off ClearType
- Turn off encryption support
- Turn off loading websites and content in the background to optimize performance
- Turn off Profile Assistant
- Turn off sending UTF-8 query strings for URLs
- Turn off the flip ahead with page prediction feature
- Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows
- Turn on Caret Browsing support
- Turn on Enhanced Protected Mode
- Use HTTP 1.1 through proxy connections
- Use HTTP 1.1
- Content Page
- General Page
- Browsing History
- Allow websites to store application caches on client computers
- Allow websites to store indexed databases on client computers
- Set application caches expiration time limit for individual domains
- Set application cache storage limits for individual domains
- Set default storage limits for websites
- Set indexed database storage limits for individual domains
- Set maximum application cache individual resource size
- Set maximum application cache resource list size
- Set maximum application caches storage limit for all domains
- Set maximum indexed database storage limit for all domains
- Start Internet Explorer with tabs from last browsing session
- Browsing History
- Security Page
- Internet Zone
- Access data sources across domains
- Allow active content over restricted protocols to access my computer
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Intranet Zone
- Access data sources across domains
- Allow active content over restricted protocols to access my computer
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Local Machine Zone
- Access data sources across domains
- Allow active content over restricted protocols to access my computer
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Locked-Down Internet Zone
- Access data sources across domains
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Locked-Down Intranet Zone
- Access data sources across domains
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Locked-Down Local Machine Zone
- Access data sources across domains
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Locked-Down Restricted Sites Zone
- Access data sources across domains
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Locked-Down Trusted Sites Zone
- Access data sources across domains
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Restricted Sites Zone
- Access data sources across domains
- Allow active content over restricted protocols to access my computer
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Trusted Sites Zone
- Access data sources across domains
- Allow active content over restricted protocols to access my computer
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Internet Zone Template
- Intranet Sites: Include all local (intranet) sites not listed in other zones
- Intranet Sites: Include all network paths (UNCs)
- Intranet Sites: Include all sites that bypass the proxy server
- Intranet Zone Template
- Local Machine Zone Template
- Locked-Down Internet Zone Template
- Locked-Down Intranet Zone Template
- Locked-Down Local Machine Zone Template
- Locked-Down Restricted Sites Zone Template
- Locked-Down Trusted Sites Zone Template
- Restricted Sites Zone Template
- Site to Zone Assignment List
- Trusted Sites Zone Template
- Turn on automatic detection of intranet
- Turn on certificate address mismatch warning
- Turn on Notification bar notification for intranet content
- Internet Zone
- Disable the Advanced page
- Disable the Connections page
- Disable the Content page
- Disable the General page
- Disable the Privacy page
- Disable the Programs page
- Disable the Security page
- Prevent ignoring certificate errors
- Send internationalized domain names
- Use UTF-8 for mailto links
- Advanced Page
- Internet Settings
- Advanced settings
- Browsing
- Multimedia
- Searching
- AutoComplete
- Component Updates
- Help Menu > About Internet Explorer
- Periodic check for updates to Internet Explorer and Internet Tools
- Open Internet Explorer tiles on the desktop
- Set how links are opened in Internet Explorer
- Advanced settings
- Privacy
- Establish InPrivate Filtering threshold
- Establish Tracking Protection threshold
- Prevent the computer from loading toolbars and Browser Helper Objects when InPrivate Browsing starts
- Turn off collection of InPrivate Filtering data
- Turn off InPrivate Browsing
- Turn off InPrivate Filtering
- Turn off Tracking Protection
- Security Features
- Add-on Management
- Add-on List
- All Processes
- Deny all add-ons unless specifically allowed in the Add-on List
- Process List
- Remove "Run this time" button for outdated ActiveX controls in Internet Explorer
- Turn off blocking of outdated ActiveX controls for Internet Explorer
- Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains
- Turn on ActiveX control logging in Internet Explorer
- AJAX
- Binary Behavior Security Restriction
- Consistent Mime Handling
- Local Machine Zone Lockdown Security
- Mime Sniffing Safety Feature
- MK Protocol Security Restriction
- Network Protocol Lockdown
- Notification bar
- Object Caching Protection
- Protection From Zone Elevation
- Restrict ActiveX Install
- Restrict File Download
- Scripted Window Security Restrictions
- Allow fallback to SSL 3.0 (Internet Explorer)
- Do not display the reveal password button
- Turn off Data Execution Prevention
- Turn off Data URI support
- Add-on Management
- Toolbars
- Add a specific list of search providers to the user's list of search providers
- Allow "Save Target As" in Internet Explorer mode
- Allow Internet Explorer 8 shutdown behavior
- Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar
- Automatically activate newly installed add-ons
- Configure which channel of Microsoft Edge to use for opening redirected sites
- Customize user agent string
- Disable Automatic Install of Internet Explorer components
- Disable changing Automatic Configuration settings
- Disable changing connection settings
- Disable changing secondary home page settings
- Disable Import/Export Settings wizard
- Disable Internet Explorer 11 as a standalone browser
- Disable Periodic Check for Internet Explorer software updates
- Disable showing the splash screen
- Disable software update shell notifications on program launch
- Do not allow users to enable or disable add-ons
- Enable extended hot keys in Internet Explorer mode
- Enforce full-screen mode
- Install new versions of Internet Explorer automatically
- Keep all intranet sites in Internet Explorer
- Let users turn on and use Enterprise Mode from the Tools menu
- Limit Site Discovery output by Domain
- Limit Site Discovery output by Zone
- Make proxy settings per-machine (rather than per-user)
- Pop-up allow list
- Prevent "Fix settings" functionality
- Prevent access to Internet Explorer Help
- Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
- Prevent bypassing SmartScreen Filter warnings
- Prevent changing pop-up filter level
- Prevent changing proxy settings
- Prevent changing the default search provider
- Prevent configuration of how windows open
- Prevent configuration of new tab creation
- Prevent Internet Explorer Search box from appearing
- Prevent managing pop-up exception list
- Prevent managing SmartScreen Filter
- Prevent managing the phishing filter
- Prevent participation in the Customer Experience Improvement Program
- Prevent per-user installation of ActiveX controls
- Prevent running First Run wizard
- Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC.
- Restrict search providers to a specific list
- Security Zones: Do not allow users to add/delete sites
- Security Zones: Do not allow users to change policies
- Security Zones: Use only machine settings
- Send all sites not included in the Enterprise Mode Site List to Microsoft Edge.
- Set tab process growth
- Show message when opening sites in Microsoft Edge using Enterprise Mode
- Specify default behavior for a new tab
- Specify use of ActiveX Installer Service for installation of ActiveX controls
- Turn off ability to pin sites in Internet Explorer on the desktop
- Turn off ActiveX Opt-In prompt
- Turn off add-on performance notifications
- Turn off Automatic Crash Recovery
- Turn off browser geolocation
- Turn off configuration of pop-up windows in tabbed browsing
- Turn off Crash Detection
- Turn off Favorites bar
- Turn off Managing SmartScreen Filter for Internet Explorer 8
- Turn off page-zooming functionality
- Turn off pop-up management
- Turn off Quick Tabs functionality
- Turn off Reopen Last Browsing Session
- Turn off suggestions for all user-installed providers
- Turn off tabbed browsing
- Turn off the auto-complete feature for web addresses
- Turn off the quick pick menu
- Turn off the Security Settings Check feature
- Turn on ActiveX Filtering
- Turn on compatibility logging
- Turn on menu bar by default
- Turn on Site Discovery WMI output
- Turn on Site Discovery XML output
- Turn on Suggested Sites
- Use the Enterprise Mode IE website list
- Internet Information Services
- Location and Sensors
- Windows Location Provider
- Turn off location
- Turn off location scripting
- Turn off sensors
- Maintenance Scheduler
- Maps
- MDM
- Messaging
- Microsoft account
- Microsoft Defender Antivirus
- Client Interface
- Device Control
- Exclusions
- MAPS
- Microsoft Defender Exploit Guard
- Attack Surface Reduction
- Controlled Folder Access
- Network Protection
- MpEngine
- Network Inspection System
- Quarantine
- Real-time Protection
- Configure local setting override for monitoring file and program activity on your computer
- Configure local setting override for monitoring for incoming and outgoing file activity
- Configure local setting override for scanning all downloaded files and attachments
- Configure local setting override for turn on behavior monitoring
- Configure local setting override to turn on real-time protection
- Configure monitoring for incoming and outgoing file and program activity
- Define the maximum size of downloaded files and attachments to be scanned
- Monitor file and program activity on your computer
- Scan all downloaded files and attachments
- Turn off real-time protection
- Turn on behavior monitoring
- Turn on process scanning whenever real-time protection is enabled
- Turn on raw volume write notifications
- Turn on script scanning
- Remediation
- Reporting
- Configure time out for detections in critically failed state
- Configure time out for detections in non-critical failed state
- Configure time out for detections in recently remediated state
- Configure time out for detections requiring additional action
- Configure Watson events
- Configure Windows software trace preprocessor components
- Configure WPP tracing level
- Turn off enhanced notifications
- Scan
- Allow users to pause scan
- Check for the latest virus and spyware security intelligence before running a scheduled scan
- Configure local setting override for maximum percentage of CPU utilization
- Configure local setting override for scheduled quick scan time
- Configure local setting override for scheduled scan time
- Configure local setting override for schedule scan day
- Configure local setting override for the scan type to use for a scheduled scan
- Configure low CPU priority for scheduled scans
- Create a system restore point
- Define the number of days after which a catch-up scan is forced
- Run full scan on mapped network drives
- Scan archive files
- Scan network files
- Scan packed executables
- Scan removable drives
- Specify the day of the week to run a scheduled scan
- Specify the interval to run quick scans per day
- Specify the maximum depth to scan archive files
- Specify the maximum percentage of CPU utilization during a scan
- Specify the maximum size of archive files to be scanned
- Specify the scan type to use for a scheduled scan
- Specify the time for a daily quick scan
- Specify the time of day to run a scheduled scan
- Start the scheduled scan only when computer is on but not in use
- Turn on catch-up full scan
- Turn on catch-up quick scan
- Turn on e-mail scanning
- Turn on heuristics
- Turn on removal of items from scan history folder
- Turn on reparse point scanning
- Security Intelligence Updates
- Allow notifications to disable security intelligence based reports to Microsoft MAPS
- Allow real-time security intelligence updates based on reports to Microsoft MAPS
- Allow security intelligence updates from Microsoft Update
- Allow security intelligence updates when running on battery power
- Allows Microsoft Defender Antivirus to update and communicate over a metered connection.
- Check for the latest virus and spyware security intelligence on startup
- Define the number of days after which a catch-up security intelligence update is required
- Define the number of days before spyware security intelligence is considered out of date
- Define the number of days before virus security intelligence is considered out of date
- Define the order of sources for downloading security intelligence updates
- Initiate security intelligence update on startup
- Specify the day of the week to check for security intelligence updates
- Specify the interval to check for security intelligence updates
- Specify the time to check for security intelligence updates
- Turn on scan after security intelligence update
- Threats
- Allow antimalware service to remain running always
- Allow antimalware service to startup with normal priority
- Configure detection for potentially unwanted applications
- Configure local administrator merge behavior for lists
- Configure scheduled task times randomization window
- Define addresses to bypass proxy server
- Define proxy auto-config (.pac) for connecting to the network
- Define proxy server for connecting to the network
- Define the directory path to copy support log files
- Randomize scheduled task times
- Turn off Microsoft Defender Antivirus
- Turn off routine remediation
- Microsoft Defender Application Guard
- Allow auditing events in Microsoft Defender Application Guard
- Allow camera and microphone access in Microsoft Defender Application Guard
- Allow data persistence for Microsoft Defender Application Guard
- Allow files to download and save to the host operating system from Microsoft Defender Application Guard
- Allow hardware-accelerated rendering for Microsoft Defender Application Guard
- Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device
- Configure Microsoft Defender Application Guard clipboard settings
- Configure Microsoft Defender Application Guard print settings
- Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer
- Turn on Microsoft Defender Application Guard in Managed Mode
- Microsoft Defender Exploit Guard
- Exploit Protection
- Microsoft Edge
- Allow Address bar drop-down list suggestions
- Allow Adobe Flash
- Allow clearing browsing data on exit
- Allow configuration updates for the Books Library
- Allow Developer Tools
- Allow extended telemetry for the Books tab
- Allow Extensions
- Allow FullScreen Mode
- Allow InPrivate browsing
- Allow Microsoft Compatibility List
- Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed
- Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed
- Allow printing
- Allow Saving History
- Allow search engine customization
- Allow Sideloading of extension
- Allow web content on New Tab page
- Always show the Books Library in Microsoft Edge
- Configure additional search engines
- Configure Autofill
- Configure cookies
- Configure Do Not Track
- Configure Favorites Bar
- Configure Favorites
- Configure Home Button
- Configure kiosk mode
- Configure kiosk reset after idle timeout
- Configure Open Microsoft Edge With
- Configure Password Manager
- Configure Pop-up Blocker
- Configure search suggestions in Address bar
- Configure Start pages
- Configure the Adobe Flash Click-to-Run setting
- Configure the Enterprise Mode Site List
- Configure Windows Defender SmartScreen
- Disable lockdown of Start pages
- For PDF files that have both landscape and portrait pages, print each in its own orientation.
- Keep favorites in sync between Internet Explorer and Microsoft Edge
- Prevent access to the about:flags page in Microsoft Edge
- Prevent bypassing Windows Defender SmartScreen prompts for files
- Prevent bypassing Windows Defender SmartScreen prompts for sites
- Prevent certificate error overrides
- Prevent changes to Favorites on Microsoft Edge
- Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
- Prevent the First Run webpage from opening on Microsoft Edge
- Prevent turning off required extensions
- Prevent using Localhost IP address for WebRTC
- Provision Favorites
- Send all intranet sites to Internet Explorer 11
- Set default search engine
- Set Home Button URL
- Set New Tab page URL
- Show message when opening sites in Internet Explorer
- Suppress the display of Edge Deprecation Notification
- Unlock Home Button
- Microsoft Secondary Authentication Factor
- Microsoft User Experience Virtualization
- Applications
- Access 2013 backup only
- Access 2016 backup only
- Calculator
- Common 2013 backup only
- Common 2016 backup only
- Excel 2013 backup only
- Excel 2016 backup only
- InfoPath 2013 backup only
- Internet Explorer 8
- Internet Explorer 9
- Internet Explorer 10
- Internet Explorer 11
- Internet Explorer Common Settings
- Lync 2013 backup only
- Lync 2016 backup only
- Microsoft Access 2010
- Microsoft Access 2013
- Microsoft Access 2016
- Microsoft Excel 2010
- Microsoft Excel 2013
- Microsoft Excel 2016
- Microsoft InfoPath 2010
- Microsoft InfoPath 2013
- Microsoft Lync 2010
- Microsoft Lync 2013
- Microsoft Lync 2016
- Microsoft Office 365 Access 2013
- Microsoft Office 365 Access 2016
- Microsoft Office 365 Common 2013
- Microsoft Office 365 Common 2016
- Microsoft Office 365 Excel 2013
- Microsoft Office 365 Excel 2016
- Microsoft Office 365 InfoPath 2013
- Microsoft Office 365 Lync 2013
- Microsoft Office 365 Lync 2016
- Microsoft Office 365 OneNote 2013
- Microsoft Office 365 OneNote 2016
- Microsoft Office 365 Outlook 2013
- Microsoft Office 365 Outlook 2016
- Microsoft Office 365 PowerPoint 2013
- Microsoft Office 365 PowerPoint 2016
- Microsoft Office 365 Project 2013
- Microsoft Office 365 Project 2016
- Microsoft Office 365 Publisher 2013
- Microsoft Office 365 Publisher 2016
- Microsoft Office 365 Visio 2013
- Microsoft Office 365 Visio 2016
- Microsoft Office 365 Word 2013
- Microsoft Office 365 Word 2016
- Microsoft Office 2010 Common Settings
- Microsoft Office 2013 Common Settings
- Microsoft Office 2013 Upload Center
- Microsoft Office 2016 Common Settings
- Microsoft Office 2016 Upload Center
- Microsoft OneDrive for Business 2013
- Microsoft OneDrive for Business 2016
- Microsoft OneNote 2010
- Microsoft OneNote 2013
- Microsoft OneNote 2016
- Microsoft Outlook 2010
- Microsoft Outlook 2013
- Microsoft Outlook 2016
- Microsoft PowerPoint 2010
- Microsoft PowerPoint 2013
- Microsoft PowerPoint 2016
- Microsoft Project 2010
- Microsoft Project 2013
- Microsoft Project 2016
- Microsoft Publisher 2010
- Microsoft Publisher 2013
- Microsoft Publisher 2016
- Microsoft Visio 2010
- Microsoft Visio 2013
- Microsoft Visio 2016
- Microsoft Word 2010
- Microsoft Word 2013
- Microsoft Word 2016
- Notepad
- OneNote 2013 backup only
- OneNote 2016 backup only
- Outlook 2013 backup only
- Outlook 2016 backup only
- PowerPoint 2013 backup only
- PowerPoint 2016 backup only
- Project 2013 backup only
- Project 2016 backup only
- Publisher 2013 backup only
- Publisher 2016 backup only
- Visio 2013 backup only
- Visio 2016 backup only
- Word 2013 backup only
- Word 2016 backup only
- WordPad
- Windows Apps
- Configure Sync Method
- Contact IT Link Text
- Contact IT URL
- Do not synchronize Windows Apps
- Enable UEV
- First Use Notification
- Ping the settings storage location before sync
- Settings package size warning threshold
- Settings storage path
- Settings template catalog path
- Synchronization timeout
- Synchronize Windows settings
- Sync settings over metered connections even when roaming
- Sync settings over metered connections
- Sync Unlisted Windows Apps
- Tray Icon
- Use User Experience Virtualization (UE-V)
- VDI Configuration
- Applications
- NetMeeting
- News and interests
- OneDrive
- Online Assistance
- OOBE
- Portable Operating System
- Presentation Settings
- Push To Install
- Remote Desktop Services
- RD Licensing
- Remote Desktop Connection Client
- RemoteFX USB Device Redirection
- Allow .rdp files from unknown publishers
- Allow .rdp files from valid publishers and user's default .rdp settings
- Configure server authentication for client
- Do not allow hardware accelerated decoding
- Do not allow passwords to be saved
- Prompt for credentials on the client computer
- Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
- Turn Off UDP On Client
- Remote Desktop Session Host
- Application Compatibility
- Connections
- Allow remote start of unlisted programs
- Allow users to connect remotely by using Remote Desktop Services
- Automatic reconnection
- Configure keep-alive connection interval
- Deny logoff of an administrator logged in to the console session
- Limit number of connections
- Restrict Remote Desktop Services users to a single Remote Desktop Services session
- Select network detection on the server
- Select RDP transport protocols
- Set rules for remote control of Remote Desktop Services user sessions
- Suspend user sign-in to complete app registration
- Turn off Fair Share CPU Scheduling
- Device and Resource Redirection
- Allow audio and video playback redirection
- Allow audio recording redirection
- Allow time zone redirection
- Allow UI Automation redirection
- Do not allow Clipboard redirection
- Do not allow COM port redirection
- Do not allow drive redirection
- Do not allow location redirection
- Do not allow LPT port redirection
- Do not allow smart card device redirection
- Do not allow supported Plug and Play device redirection
- Do not allow video capture redirection
- Limit audio playback quality
- Licensing
- Printer Redirection
- Profiles
- RD Connection Broker
- Remote Session Environment
- RemoteFX for Windows Server 2008 R2
- Allow desktop composition for remote desktop sessions
- Always show desktop on connection
- Configure compression for RemoteFX data
- Configure H.264/AVC hardware encoding for Remote Desktop Connections
- Configure image quality for RemoteFX Adaptive Graphics
- Configure RemoteFX Adaptive Graphics
- Do not allow font smoothing
- Enable RemoteFX encoding for RemoteFX clients designed for Windows Server 2008 R2 SP1
- Enforce Removal of Remote Desktop Wallpaper
- Limit maximum color depth
- Limit maximum display resolution
- Limit number of monitors
- Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections
- Remove "Disconnect" option from Shut Down dialog
- Remove Windows Security item from Start menu
- Start a program on connection
- Use advanced RemoteFX graphics for RemoteApp
- Use hardware graphics adapters for all Remote Desktop Services sessions
- Use WDDM graphics display driver for Remote Desktop Connections
- Security
- Always prompt for password upon connection
- Do not allow local administrators to customize permissions
- Require secure RPC communication
- Require use of specific security layer for remote (RDP) connections
- Require user authentication for remote connections by using Network Level Authentication
- Server authentication certificate template
- Set client connection encryption level
- Session Time Limits
- Temporary folders
- RSS Feeds
- Search
- OCR
- Add primary intranet search location
- Add secondary intranet search locations
- Allow Cloud Search
- Allow Cortana above lock screen
- Allow Cortana
- Allow Cortana Page in OOBE on an AAD account
- Allow indexing of encrypted files
- Allow search and Cortana to use location
- Allow use of diacritics
- Always use automatic language detection when indexing content and properties
- Control rich previews for attachments
- Default excluded paths
- Default indexed paths
- Disable indexer backoff
- Don't search the web or display web results in Search
- Don't search the web or display web results in Search over metered connections
- Do not allow locations on removable drives to be added to libraries
- Do not allow web search
- Enable indexing of online delegate mailboxes
- Enable indexing uncached Exchange folders
- Enable throttling for online mail indexing
- Indexer data location
- Prevent adding UNC locations to index from Control Panel
- Prevent adding user-specified locations to the All Locations menu
- Prevent clients from querying the index remotely
- Prevent customization of indexed locations in Control Panel
- Prevent indexing certain paths
- Prevent indexing e-mail attachments
- Prevent indexing files in offline files cache
- Prevent indexing Microsoft Office Outlook
- Prevent indexing of certain file types
- Prevent indexing public folders
- Prevent indexing when running on battery power to conserve energy
- Prevent the display of advanced indexing options for Windows Search in the Control Panel
- Prevent unwanted iFilters and protocol handlers
- Preview pane location
- Set large or small icon view in desktop search results
- Set the SafeSearch setting for Search
- Set what information is shared in Search
- Stop indexing in the event of limited hard drive space
- Security Center
- Shutdown Options
- Smart Card
- Allow certificates with no extended key usage certificate attribute
- Allow ECC certificates to be used for logon and authentication
- Allow Integrated Unblock screen to be displayed at the time of logon
- Allow signature keys valid for Logon
- Allow time invalid certificates
- Allow user name hint
- Configure root certificate clean up
- Display string when smart card is blocked
- Filter duplicate logon certificates
- Force the reading of all certificates from the smart card
- Notify user of successful smart card driver installation
- Prevent plaintext PINs from being returned by Credential Manager
- Reverse the subject name stored in a certificate when displaying
- Turn on certificate propagation from smart card
- Turn on root certificate propagation from smart card
- Turn on Smart Card Plug and Play service
- Software Protection Platform
- Sound Recorder
- Speech
- Store
- Sync your settings
- Tablet PC
- Accessories
- Cursors
- Hardware Buttons
- Input Panel
- Disable text prediction
- For tablet pen input, don't show the Input Panel icon
- For touch input, don't show the Input Panel icon
- Include rarely used Chinese, Kanji, or Hanja characters
- Prevent Input Panel tab from appearing
- Turn off AutoComplete integration with Input Panel
- Turn off password security in Input Panel
- Turn off tolerant and Z-shaped scratch-out gestures
- Pen Flicks Learning
- Pen UX Behaviors
- Tablet PC Pen Training
- Touch Input
- Task Scheduler
- Tenant Restrictions
- Text Input
- Widgets
- Windows Calendar
- Windows Color System
- Windows Customer Experience Improvement Program
- Windows Defender SmartScreen
- Windows Error Reporting
- Advanced Error Reporting Settings
- Configure Corporate Windows Error Reporting
- Configure Report Archive
- Configure Report Queue
- Default application reporting settings
- List of applications to always report errors for
- List of applications to be excluded
- List of applications to never report errors for
- Report operating system errors
- Report unplanned shutdown events
- Consent
- Automatically send memory dumps for OS-generated error reports
- Configure Error Reporting
- Disable logging
- Disable Windows Error Reporting
- Display Error Notification
- Do not send additional data
- Do not throttle additional data
- Prevent display of the user interface for critical errors
- Send additional data when on battery power
- Send data when on connected to a restricted/costed network
- Advanced Error Reporting Settings
- Windows Game Recording and Broadcasting
- Windows Hello for Business
- Allow enumeration of emulated smart card for all users
- Configure device unlock factors
- Configure dynamic lock factors
- Turn off smart card emulation
- Use a hardware security device
- Use biometrics
- Use certificate for on-premises authentication
- Use cloud trust for on-premises authentication
- Use PIN Recovery
- Use Windows Hello for Business certificates as smart card certificates
- Use Windows Hello for Business
- Windows Ink Workspace
- Windows Installer
- Allow user control over installs
- Allow users to browse for source while elevated
- Allow users to patch elevated products
- Allow users to use media source while elevated
- Always install with elevated privileges
- Control maximum size of baseline file cache
- Enforce upgrade component rules
- Prevent embedded UI
- Prevent Internet Explorer security prompt for Windows Installer scripts
- Prevent users from using Windows Installer to install updates and upgrades
- Prohibit flyweight patching
- Prohibit non-administrators from applying vendor signed updates
- Prohibit removal of updates
- Prohibit rollback
- Prohibit use of Restart Manager
- Prohibit User Installs
- Remove browse dialog box for new source
- Save copies of transform files in a secure location on workstation
- Specify the types of events Windows Installer records in its transaction log
- Turn off creation of System Restore checkpoints
- Turn off logging via package settings
- Turn off Windows Installer
- Windows Logon Options
- Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot
- Disable or enable software Secure Attention Sequence
- Display information about previous logons during user logon
- Report when logon server was not available during user logon
- Sign-in and lock last interactive user automatically after a restart
- Windows Media Digital Rights Management
- Windows Media Player
- Windows Messenger
- Windows Mobility Center
- Windows PowerShell
- Windows Reliability Analysis
- Windows Remote Management (WinRM)
- WinRM Client
- WinRM Service
- Allow Basic authentication
- Allow CredSSP authentication
- Allow remote server management through WinRM
- Allow unencrypted traffic
- Disallow Kerberos authentication
- Disallow Negotiate authentication
- Disallow WinRM from storing RunAs credentials
- Specify channel binding token hardening level
- Turn On Compatibility HTTP Listener
- Turn On Compatibility HTTPS Listener
- Windows Remote Shell
- Windows Sandbox
- Windows Security
- Account protection
- App and browser protection
- Device performance and health
- Device security
- Enterprise Customization
- Family options
- Firewall and network protection
- Notifications
- Systray
- Virus and threat protection
- Windows Update
- Legacy Policies
- Allow Automatic Updates immediate installation
- Allow non-administrators to receive update notifications
- Configure auto-restart reminder notifications for updates
- Configure auto-restart required notification for updates
- Configure auto-restart warning notifications schedule for updates
- Delay Restart for scheduled installations
- Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
- Do not allow update deferral policies to cause scans against Windows Update
- Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
- Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates
- No auto-restart with logged on users for scheduled automatic updates installations
- Re-prompt for restart with scheduled installations
- Reschedule Automatic Updates scheduled installations
- Specify deadline before auto-restart for update installation
- Specify Engaged restart transition and notification schedule for updates
- Turn off auto-restart notifications for update installations
- Turn on recommended updates via Automatic Updates
- Turn on Software Notifications
- Manage end user experience
- Allow updates to be downloaded automatically over metered connections
- Always automatically restart at the scheduled time
- Configure Automatic Updates
- Display options for update notifications
- Remove access to "Pause updates" feature
- Remove access to use all Windows Update features
- Specify active hours range for auto-restarts
- Specify deadlines for automatic updates and restarts
- Turn off auto-restart for updates during active hours
- Update Power Policy for Cart Restarts
- Manage updates offered from Windows Server Update Service
- Allow signed updates from an intranet Microsoft update service location
- Automatic Updates detection frequency
- Do not connect to any Windows Update Internet locations
- Enable client-side targeting
- Specify intranet Microsoft update service location
- Specify source service for specific classes of Windows Updates
- Manage updates offered from Windows Update
- Legacy Policies
- Work Folders
- Control Panel
- Add or Remove Programs
- Go directly to Components Wizard
- Hide Add/Remove Windows Components page
- Hide Add New Programs page
- Hide Change or Remove Programs page
- Hide the "Add a program from CD-ROM or floppy disk" option
- Hide the "Add programs from Microsoft" option
- Hide the "Add programs from your network" option
- Hide the Set Program Access and Defaults page
- Remove Add or Remove Programs
- Remove Support Information
- Specify default category for Add New Programs
- Display
- Personalization
- Enable screen saver
- Force a specific visual style file or force Windows Classic
- Force specific screen saver
- Load a specific theme
- Password protect the screen saver
- Prevent changing color and appearance
- Prevent changing color scheme
- Prevent changing desktop background
- Prevent changing desktop icons
- Prevent changing mouse pointers
- Prevent changing screen saver
- Prevent changing sounds
- Prevent changing theme
- Prevent changing visual style for windows and buttons
- Prohibit selection of visual style font size
- Screen saver timeout
- Printers
- Browse a common web site to find printers
- Browse the network to find printers
- Default Active Directory path when searching for printers
- Enable Device Control Printing Restrictions
- List of Approved USB-connected print devices
- Only use Package Point and print
- Package Point and print - Approved servers
- Point and Print Restrictions
- Prevent addition of printers
- Prevent deletion of printers
- Turn off Windows default printer management
- Programs
- Regional and Language Options
- Handwriting personalization
- Hide Regional and Language Options administrative options
- Hide the geographic location option
- Hide the select language group options
- Hide user locale selection and customization options
- Restrict Language Pack and Language Feature Installation
- Restrict selection of Windows menus and dialogs language
- Restricts the UI languages Windows should use for the selected user
- Turn off autocorrect misspelled words
- Turn off highlight misspelled words
- Turn off insert a space after selecting a text prediction
- Turn off offer text predictions as I type
- Always open All Control Panel Items when opening Control Panel
- Hide specified Control Panel items
- Prohibit access to Control Panel and PC settings
- Settings Page Visibility
- Show only specified Control Panel items
- Add or Remove Programs
- Desktop
- Active Directory
- Desktop
- Don't save settings at exit
- Do not add shares of recently opened documents to Network Locations
- Hide and disable all items on the desktop
- Hide Internet Explorer icon on desktop
- Hide Network Locations icon on desktop
- Prevent adding, dragging, dropping and closing the Taskbar's toolbars
- Prohibit adjusting desktop toolbars
- Prohibit User from manually redirecting Profile Folders
- Remove Computer icon on the desktop
- Remove My Documents icon on the desktop
- Remove Properties from the Computer icon context menu
- Remove Properties from the Documents icon context menu
- Remove Properties from the Recycle Bin context menu
- Remove Recycle Bin icon from desktop
- Remove the Desktop Cleanup Wizard
- Turn off Aero Shake window minimizing mouse gesture
- Network
- Network Connections
- Ability to change properties of an all user remote access connection
- Ability to delete all user remote access connections
- Ability to Enable/Disable a LAN connection
- Ability to rename all user remote access connections
- Ability to rename LAN connections
- Ability to rename LAN connections or remote access connections available to all users
- Enable Windows 2000 Network Connections settings for Administrators
- Prohibit access to properties of a LAN connection
- Prohibit access to properties of components of a LAN connection
- Prohibit access to properties of components of a remote access connection
- Prohibit access to the Advanced Settings item on the Advanced menu
- Prohibit access to the New Connection Wizard
- Prohibit access to the Remote Access Preferences item on the Advanced menu
- Prohibit adding and removing components for a LAN or remote access connection
- Prohibit changing properties of a private remote access connection
- Prohibit connecting and disconnecting a remote access connection
- Prohibit deletion of remote access connections
- Prohibit Enabling/Disabling components of a LAN connection
- Prohibit renaming private remote access connections
- Prohibit TCP/IP advanced configuration
- Prohibit viewing of status for an active connection
- Turn off notifications when a connection has only limited or no connectivity
- Offline Files
- Action on server disconnect
- Event logging level
- Initial reminder balloon lifetime
- Non-default server disconnect actions
- Prevent use of Offline Files folder
- Prohibit user configuration of Offline Files
- Reminder balloon frequency
- Reminder balloon lifetime
- Remove "Make Available Offline" command
- Remove "Make Available Offline" for these files and folders
- Remove "Work offline" command
- Specify administratively assigned Offline Files
- Synchronize all offline files before logging off
- Synchronize all offline files when logging on
- Synchronize offline files before suspend
- Turn off reminder balloons
- Windows Connect Now
- Network Connections
- Start Menu and Taskbar
- Notifications
- Add "Run in Separate Memory Space" check box to Run dialog box
- Add Logoff to the Start Menu
- Add Search Internet link to Start Menu
- Add the Run command to the Start Menu
- Change Start Menu power button
- Clear history of recently opened documents on exit
- Clear the recent programs list for new users
- Clear tile notifications during log on
- Disable context menus in the Start Menu
- Disable showing balloon notifications as toasts.
- Do not allow pinning items in Jump Lists
- Do not allow pinning programs to the Taskbar
- Do not allow pinning Store app to the Taskbar
- Do not allow taskbars on more than one display
- Do not display any custom toolbars in the taskbar
- Do not display or track items in Jump Lists from remote locations
- Do not keep history of recently opened documents
- Do not search communications
- Do not search for files
- Do not search Internet
- Do not search programs and Control Panel items
- Do not use the search-based method when resolving shell shortcuts
- Do not use the tracking-based method when resolving shell shortcuts
- Force classic Start Menu
- Force Start to be either full screen size or menu size
- Go to the desktop instead of Start when signing in
- Gray unavailable Windows Installer programs Start Menu shortcuts
- Hide the notification area
- List desktop apps first in the Apps view
- Lock all taskbar settings
- Lock the Taskbar
- Pin Apps to Start when installed
- Prevent changes to Taskbar and Start Menu Settings
- Prevent grouping of taskbar items
- Prevent users from adding or removing toolbars
- Prevent users from customizing their Start Screen
- Prevent users from moving taskbar to another screen dock location
- Prevent users from rearranging toolbars
- Prevent users from resizing the taskbar
- Prevent users from uninstalling applications from Start
- Remove "Recently added" list from Start Menu
- Remove access to the context menus for the taskbar
- Remove All Programs list from the Start menu
- Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands
- Remove Balloon Tips on Start Menu items
- Remove Clock from the system notification area
- Remove common program groups from Start Menu
- Remove Default Programs link from the Start menu.
- Remove Documents icon from Start Menu
- Remove Downloads link from Start Menu
- Remove Favorites menu from Start Menu
- Remove frequent programs list from the Start Menu
- Remove Games link from Start Menu
- Remove Help menu from Start Menu
- Remove Homegroup link from Start Menu
- Remove links and access to Windows Update
- Remove Logoff on the Start Menu
- Remove Music icon from Start Menu
- Remove Network Connections from Start Menu
- Remove Network icon from Start Menu
- Remove Notifications and Action Center
- Remove Pictures icon from Start Menu
- Remove pinned programs from the Taskbar
- Remove pinned programs list from the Start Menu
- Remove programs on Settings menu
- Remove Recent Items menu from Start Menu
- Remove Recorded TV link from Start Menu
- Remove Run menu from Start Menu
- Remove Search Computer link
- Remove Search link from Start Menu
- Remove See More Results / Search Everywhere link
- Remove the "Undock PC" button from the Start Menu
- Remove the battery meter
- Remove the Meet Now icon
- Remove the networking icon
- Remove the People Bar from the taskbar
- Remove the Security and Maintenance icon
- Remove the volume control icon
- Remove user's folders from the Start Menu
- Remove user folder link from Start Menu
- Remove user name from Start Menu
- Remove Videos link from Start Menu
- Search just apps from the Apps view
- Show "Run as different user" command on Start
- Show additional calendar
- Show or hide "Most used" list from Start menu
- Show QuickLaunch on Taskbar
- Show Start on the display the user is using when they press the Windows logo key
- Show the Apps view automatically when the user goes to Start
- Show Windows Store apps on the taskbar
- Start Layout
- Turn off all balloon notifications
- Turn off automatic promotion of notification icons to the taskbar
- Turn off feature advertisement balloon notifications
- Turn off notification area cleanup
- Turn off taskbar thumbnails
- Turn off user tracking
- System
- Ctrl+Alt+Del Options
- Display
- Driver Installation
- Folder Redirection
- Do not automatically make all redirected folders available offline
- Do not automatically make specific redirected folders available offline
- Enable optimized move of contents in Offline Files cache on Folder Redirection server path change
- Redirect folders on primary computers only
- Use localized subfolder names when redirecting Start Menu and My Documents
- Group Policy
- Configure Group Policy domain controller selection
- Configure Group Policy slow link detection
- Create new Group Policy Object links disabled by default
- Determine if interactive users can generate Resultant Set of Policy data
- Enforce Show Policies Only
- Set default name for new Group Policy objects
- Set Group Policy refresh interval for users
- Turn off automatic update of ADM files
- Internet Communication Management
- Internet Communication settings
- Turn off access to the Store
- Turn off downloading of print drivers over HTTP
- Turn off handwriting personalization data sharing
- Turn off handwriting recognition error reporting
- Turn off Help Experience Improvement Program
- Turn off Help Ratings
- Turn off Internet download for Web publishing and online ordering wizards
- Turn off Internet File Association service
- Turn off printing over HTTP
- Turn off the "Order Prints" picture task
- Turn off the "Publish to Web" task for files and folders
- Turn off the Windows Messenger Customer Experience Improvement Program
- Turn off Windows Online
- Restrict Internet communication
- Internet Communication settings
- Locale Services
- Logon
- Mitigation Options
- Power Management
- Removable Storage Access
- All Removable Storage classes: Deny all access
- CD and DVD: Deny read access
- CD and DVD: Deny write access
- Custom Classes: Deny read access
- Custom Classes: Deny write access
- Floppy Drives: Deny read access
- Floppy Drives: Deny write access
- Removable Disks: Deny read access
- Removable Disks: Deny write access
- Tape Drives: Deny read access
- Tape Drives: Deny write access
- Time (in seconds) to force reboot
- WPD Devices: Deny read access
- WPD Devices: Deny write access
- Scripts
- User Profiles
- Century interpretation for Year 2000
- Custom User Interface
- Don't run specified Windows applications
- Do not display the Getting Started welcome screen at logon
- Download missing COM components
- Prevent access to registry editing tools
- Prevent access to the command prompt
- Restrict these programs from being launched from Help
- Run only specified Windows applications
- Windows Automatic Updates
- Windows Components
- Add features to Windows 8.1
- Application Compatibility
- App runtime
- Attachment Manager
- Default risk level for file attachments
- Do not preserve zone information in file attachments
- Hide mechanisms to remove zone information
- Inclusion list for high risk file types
- Inclusion list for low file types
- Inclusion list for moderate risk file types
- Notify antivirus programs when opening attachments
- Trust logic for file attachments
- AutoPlay Policies
- Calculator
- Cloud Content
- Configure Windows spotlight on lock screen
- Do not suggest third-party content in Windows spotlight
- Do not use diagnostic data for tailored experiences
- Turn off all Windows spotlight features
- Turn off Spotlight collection on Desktop
- Turn off the Windows Welcome Experience
- Turn off Windows Spotlight on Action Center
- Turn off Windows Spotlight on Settings
- Credential User Interface
- Data Collection and Preview Builds
- Desktop Gadgets
- Desktop Window Manager
- Digital Locker
- Edge UI
- Allow edge swipe
- Disable help tips
- Do not show recent apps when the mouse is pointing to the upper-left corner of the screen
- Prevent users from replacing the Command Prompt with Windows PowerShell in the menu they see when they right-click the lower-left corner or press the Windows logo key+X
- Search, Share, Start, Devices, and Settings don't appear when the mouse is pointing to the upper-right corner of the screen
- Turn off switching between recent apps
- Turn off tracking of app usage
- File Explorer
- Common Open File Dialog
- Explorer Frame Pane
- Previous Versions
- Allow only per user or approved shell extensions
- Disable binding directly to IPropertySetStorage without intermediate layers.
- Disable Known Folders
- Display confirmation dialog when deleting files
- Display the menu bar in File Explorer
- Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon
- Do not display the Welcome Center at user logon
- Do not move deleted files to the Recycle Bin
- Do not request alternate credentials
- Do not track Shell shortcuts during roaming
- Hides the Manage item on the File Explorer context menu
- Hide these specified drives in My Computer
- Location where all default Library definition files for users/machines reside.
- Maximum allowed Recycle Bin size
- Maximum number of recent documents
- No Computers Near Me in Network Locations
- No Entire Network in Network Locations
- Pin Internet search sites to the "Search again" links and the Start menu
- Pin Libraries or Search Connectors to the "Search again" links and the Start menu
- Prevent access to drives from My Computer
- Prevent users from adding files to the root of their Users Files folder.
- Remove "Map Network Drive" and "Disconnect Network Drive"
- Remove CD Burning features
- Remove DFS tab
- Remove File Explorer's default context menu
- Remove File menu from File Explorer
- Remove Hardware tab
- Remove Search button from File Explorer
- Remove Security tab
- Remove the Search the Internet "Search again" link
- Remove UI to change menu animation setting
- Request credentials for network installations
- Start File Explorer with ribbon minimized
- Turn off caching of thumbnail pictures
- Turn off common control and window animations
- Turn off display of recent search entries in the File Explorer search box
- Turn off numerical sorting in File Explorer
- Turn off shell protocol protected mode
- Turn off the caching of thumbnails in hidden thumbs.db files
- Turn off the display of snippets in Content view mode
- Turn off the display of thumbnails and only display icons.
- Turn off the display of thumbnails and only display icons on network folders
- Turn off Windows Key hotkeys
- Turn off Windows Libraries features that rely on indexed file data
- Turn on Classic Shell
- File Revocation
- IME
- Configure Japanese IME version
- Configure Korean IME version
- Configure Simplified Chinese IME version
- Configure Traditional Chinese IME version
- Do not include Non-Publishing Standard Glyph in the candidate list
- Restrict character code range of conversion
- Turn off custom dictionary
- Turn off history-based predictive input
- Turn off Internet search integration
- Turn off Open Extended Dictionary
- Turn off saving auto-tuning data to file
- Turn on cloud candidate for CHS
- Turn on cloud candidate
- Turn on lexicon update
- Turn on Live Sticker
- Turn on misconversion logging for misconversion report
- Instant Search
- Internet Explorer
- Accelerators
- Administrator Approved Controls
- Application Compatibility
- Browser menus
- Disable Open in New Window menu option
- Disable Save this program to disk option
- File menu: Disable closing the browser and Explorer windows
- File menu: Disable New menu option
- File menu: Disable Open menu option
- File menu: Disable Save As... menu option
- File menu: Disable Save As Web Page Complete
- Help menu: Remove 'For Netscape Users' menu option
- Help menu: Remove 'Send Feedback' menu option
- Help menu: Remove 'Tip of the Day' menu option
- Help menu: Remove 'Tour' menu option
- Hide Favorites menu
- Tools menu: Disable Internet Options... menu option
- Turn off Print Menu
- Turn off Shortcut Menu
- Turn off the ability to launch report site problems using a menu option
- View menu: Disable Full Screen menu option
- View menu: Disable Source menu option
- Compatibility View
- Delete Browsing History
- Allow deleting browsing history on exit
- Disable "Configuring History"
- Prevent access to Delete Browsing History
- Prevent deleting ActiveX Filtering, Tracking Protection, and Do Not Track data
- Prevent deleting cookies
- Prevent deleting download history
- Prevent deleting favorites site data
- Prevent deleting form data
- Prevent deleting InPrivate Filtering data
- Prevent deleting passwords
- Prevent deleting temporary Internet files
- Prevent deleting websites that the user has visited
- Prevent the deletion of temporary Internet files and cookies
- Internet Control Panel
- Advanced Page
- Allow active content from CDs to run on user machines
- Allow Install On Demand (except Internet Explorer)
- Allow Install On Demand (Internet Explorer)
- Allow Internet Explorer to use the HTTP2 network protocol
- Allow Internet Explorer to use the SPDY/3 network protocol
- Allow software to run or install even if the signature is invalid
- Allow third-party browser extensions
- Always send Do Not Track header
- Automatically check for Internet Explorer updates
- Check for server certificate revocation
- Check for signatures on downloaded programs
- Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled
- Do not allow resetting Internet Explorer settings
- Do not save encrypted pages to disk
- Empty Temporary Internet Files folder when browser is closed
- Play animations in web pages
- Play sounds in web pages
- Play videos in web pages
- Turn off ClearType
- Turn off encryption support
- Turn off loading websites and content in the background to optimize performance
- Turn off Profile Assistant
- Turn off sending UTF-8 query strings for URLs
- Turn off the flip ahead with page prediction feature
- Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows
- Turn on Caret Browsing support
- Turn on Enhanced Protected Mode
- Use HTTP 1.1 through proxy connections
- Use HTTP 1.1
- Content Page
- General Page
- Browsing History
- Allow websites to store application caches on client computers
- Allow websites to store indexed databases on client computers
- Set application caches expiration time limit for individual domains
- Set application cache storage limits for individual domains
- Set default storage limits for websites
- Set indexed database storage limits for individual domains
- Set maximum application cache individual resource size
- Set maximum application cache resource list size
- Set maximum application caches storage limit for all domains
- Set maximum indexed database storage limit for all domains
- Start Internet Explorer with tabs from last browsing session
- Browsing History
- Security Page
- Internet Zone
- Access data sources across domains
- Allow active content over restricted protocols to access my computer
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Intranet Zone
- Access data sources across domains
- Allow active content over restricted protocols to access my computer
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Local Machine Zone
- Access data sources across domains
- Allow active content over restricted protocols to access my computer
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Locked-Down Internet Zone
- Access data sources across domains
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Locked-Down Intranet Zone
- Access data sources across domains
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Locked-Down Local Machine Zone
- Access data sources across domains
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Locked-Down Restricted Sites Zone
- Access data sources across domains
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Locked-Down Trusted Sites Zone
- Access data sources across domains
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Restricted Sites Zone
- Access data sources across domains
- Allow active content over restricted protocols to access my computer
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Trusted Sites Zone
- Access data sources across domains
- Allow active content over restricted protocols to access my computer
- Allow active scripting
- Allow binary and script behaviors
- Allow cut, copy or paste operations from the clipboard via script
- Allow drag and drop or copy and paste files
- Allow file downloads
- Allow font downloads
- Allow installation of desktop items
- Allow loading of XAML Browser Applications
- Allow loading of XAML files
- Allow loading of XPS files
- Allow META REFRESH
- Allow only approved domains to use ActiveX controls without prompt
- Allow only approved domains to use the TDC ActiveX control
- Allow OpenSearch queries in File Explorer
- Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
- Allow script-initiated windows without size or position constraints
- Allow scripting of Internet Explorer WebBrowser controls
- Allow scriptlets
- Allow updates to status bar via script
- Allow VBScript to run in Internet Explorer
- Allow video and animation on a webpage that uses an older media player
- Allow websites to open windows without status bar or Address bar
- Allow websites to prompt for information by using scripted windows
- Automatic prompting for ActiveX controls
- Automatic prompting for file downloads
- Display mixed content
- Don't run antimalware programs against ActiveX controls
- Do not prompt for client certificate selection when no certificates or only one certificate exists.
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Enable dragging of content from different domains across windows
- Enable dragging of content from different domains within a window
- Enable MIME Sniffing
- Include local path when user is uploading files to a server
- Initialize and script ActiveX controls not marked as safe
- Java permissions
- Launching applications and files in an IFRAME
- Logon options
- Render legacy filters
- Run .NET Framework-reliant components not signed with Authenticode
- Run .NET Framework-reliant components signed with Authenticode
- Run ActiveX controls and plugins
- Script ActiveX controls marked safe for scripting
- Scripting of Java applets
- Show security warning for potentially unsafe files
- Software channel permissions
- Submit non-encrypted form data
- Turn off .NET Framework Setup
- Turn off first-run prompt
- Turn on Cross-Site Scripting Filter
- Turn on Protected Mode
- Turn on SmartScreen Filter scan
- Use Pop-up Blocker
- Userdata persistence
- Web sites in less privileged Web content zones can navigate into this zone
- Internet Zone Template
- Intranet Sites: Include all local (intranet) sites not listed in other zones
- Intranet Sites: Include all network paths (UNCs)
- Intranet Sites: Include all sites that bypass the proxy server
- Intranet Zone Template
- Local Machine Zone Template
- Locked-Down Internet Zone Template
- Locked-Down Intranet Zone Template
- Locked-Down Local Machine Zone Template
- Locked-Down Restricted Sites Zone Template
- Locked-Down Trusted Sites Zone Template
- Restricted Sites Zone Template
- Site to Zone Assignment List
- Trusted Sites Zone Template
- Turn on automatic detection of intranet
- Turn on certificate address mismatch warning
- Turn on Notification bar notification for intranet content
- Internet Zone
- Disable the Advanced page
- Disable the Connections page
- Disable the Content page
- Disable the General page
- Disable the Privacy page
- Disable the Programs page
- Disable the Security page
- Prevent ignoring certificate errors
- Send internationalized domain names
- Use UTF-8 for mailto links
- Advanced Page
- Internet Settings
- Advanced settings
- Browsing
- Go to an intranet site for a one-word entry in the Address bar
- Hide the button (next to the New Tab button) that opens Microsoft Edge
- Turn off configuring underline links
- Turn off details in messages about Internet connection problems
- Turn off page transitions
- Turn off phone number detection
- Turn off smooth scrolling
- Turn on script debugging
- Turn on the display of script errors
- Internet Connection Wizard Settings
- Multimedia
- Printing
- Searching
- Signup Settings
- Browsing
- AutoComplete
- Display settings
- General Colors
- Link Colors
- Prevent choosing default text size
- URL Encoding
- Open Internet Explorer tiles on the desktop
- Set how links are opened in Internet Explorer
- Advanced settings
- Offline Pages
- Disable adding channels
- Disable adding schedules for offline pages
- Disable all scheduled offline pages
- Disable channel user interface completely
- Disable downloading of site subscription content
- Disable editing and creating of schedule groups
- Disable editing schedules for offline pages
- Disable offline page hit logging
- Disable removing channels
- Disable removing schedules for offline pages
- Subscription Limits
- Persistence Behavior
- Privacy
- Establish InPrivate Filtering threshold
- Establish Tracking Protection threshold
- Prevent the computer from loading toolbars and Browser Helper Objects when InPrivate Browsing starts
- Turn off collection of InPrivate Filtering data
- Turn off InPrivate Browsing
- Turn off InPrivate Filtering
- Turn off Tracking Protection
- Security Features
- Add-on Management
- Add-on List
- All Processes
- Deny all add-ons unless specifically allowed in the Add-on List
- Process List
- Remove "Run this time" button for outdated ActiveX controls in Internet Explorer
- Turn off automatic download of the ActiveX VersionList
- Turn off blocking of outdated ActiveX controls for Internet Explorer
- Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains
- Turn on ActiveX control logging in Internet Explorer
- AJAX
- Binary Behavior Security Restriction
- Consistent Mime Handling
- Local Machine Zone Lockdown Security
- Mime Sniffing Safety Feature
- MK Protocol Security Restriction
- Network Protocol Lockdown
- Notification bar
- Object Caching Protection
- Protection From Zone Elevation
- Restrict ActiveX Install
- Restrict File Download
- Scripted Window Security Restrictions
- Do not display the reveal password button
- Turn off Data URI support
- Add-on Management
- Toolbars
- Configure Toolbar Buttons
- Customize command labels
- Disable customizing browser toolbar buttons
- Disable customizing browser toolbars
- Display tabs on a separate row
- Hide the Command bar
- Hide the status bar
- Lock all toolbars
- Lock location of Stop and Refresh buttons
- Turn off Developer Tools
- Turn off toolbar upgrade tool
- Use large icons for command buttons
- Add a specific list of search providers to the user's list of search providers
- Allow "Save Target As" in Internet Explorer mode
- Allow Internet Explorer 8 shutdown behavior
- Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar
- Automatically activate newly installed add-ons
- Configure Media Explorer Bar
- Configure Outlook Express
- Configure which channel of Microsoft Edge to use for opening redirected sites
- Customize user agent string
- Disable AutoComplete for forms
- Disable caching of Auto-Proxy scripts
- Disable changing accessibility settings
- Disable changing Advanced page settings
- Disable changing Automatic Configuration settings
- Disable changing Calendar and Contact settings
- Disable changing certificate settings
- Disable changing color settings
- Disable changing connection settings
- Disable changing default browser check
- Disable changing font settings
- Disable changing home page settings
- Disable changing language settings
- Disable changing link color settings
- Disable changing Messaging settings
- Disable changing Profile Assistant settings
- Disable changing ratings settings
- Disable changing secondary home page settings
- Disable changing Temporary Internet files settings
- Disable external branding of Internet Explorer
- Disable Import/Export Settings wizard
- Disable Internet Connection wizard
- Disable Internet Explorer 11 as a standalone browser
- Disable the Reset Web Settings feature
- Display error message on proxy script download failure
- Do not allow users to enable or disable add-ons
- Enable extended hot keys in Internet Explorer mode
- Enforce full-screen mode
- Identity Manager: Prevent users from using Identities
- Keep all intranet sites in Internet Explorer
- Let users turn on and use Enterprise Mode from the Tools menu
- Limit Site Discovery output by Domain
- Limit Site Discovery output by Zone
- Notify users if Internet Explorer is not the default web browser
- Pop-up allow list
- Prevent "Fix settings" functionality
- Prevent access to Internet Explorer Help
- Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
- Prevent bypassing SmartScreen Filter warnings
- Prevent changing pop-up filter level
- Prevent changing proxy settings
- Prevent changing the default search provider
- Prevent configuration of how windows open
- Prevent configuration of new tab creation
- Prevent Internet Explorer Search box from appearing
- Prevent managing pop-up exception list
- Prevent managing SmartScreen Filter
- Prevent managing the phishing filter
- Prevent participation in the Customer Experience Improvement Program
- Prevent per-user installation of ActiveX controls
- Prevent running First Run wizard
- Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC.
- Restrict search providers to a specific list
- Search: Disable Find Files via F3 within the browser
- Search: Disable Search Customization
- Send all sites not included in the Enterprise Mode Site List to Microsoft Edge.
- Set tab process growth
- Show message when opening sites in Microsoft Edge using Enterprise Mode
- Specify default behavior for a new tab
- Specify use of ActiveX Installer Service for installation of ActiveX controls
- Turn off ability to pin sites in Internet Explorer on the desktop
- Turn off ActiveX Opt-In prompt
- Turn off add-on performance notifications
- Turn off Automatic Crash Recovery
- Turn off browser geolocation
- Turn off configuration of pop-up windows in tabbed browsing
- Turn off Crash Detection
- Turn off Favorites bar
- Turn off Managing SmartScreen Filter for Internet Explorer 8
- Turn off page-zooming functionality
- Turn off pop-up management
- Turn off Quick Tabs functionality
- Turn off Reopen Last Browsing Session
- Turn off suggestions for all user-installed providers
- Turn off tabbed browsing
- Turn off Tab Grouping
- Turn off the auto-complete feature for web addresses
- Turn off the quick pick menu
- Turn off the Security Settings Check feature
- Turn on ActiveX Filtering
- Turn on compatibility logging
- Turn on menu bar by default
- Turn on Site Discovery WMI output
- Turn on Site Discovery XML output
- Turn on Suggested Sites
- Turn on the auto-complete feature for user names and passwords on forms
- Use Automatic Detection for dial-up connections
- Use the Enterprise Mode IE website list
- Location and Sensors
- Microsoft Edge
- Allow Address bar drop-down list suggestions
- Allow Adobe Flash
- Allow clearing browsing data on exit
- Allow configuration updates for the Books Library
- Allow Developer Tools
- Allow extended telemetry for the Books tab
- Allow Extensions
- Allow FullScreen Mode
- Allow InPrivate browsing
- Allow Microsoft Compatibility List
- Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed
- Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed
- Allow printing
- Allow Saving History
- Allow search engine customization
- Allow Sideloading of extension
- Allow web content on New Tab page
- Always show the Books Library in Microsoft Edge
- Configure additional search engines
- Configure Autofill
- Configure cookies
- Configure Do Not Track
- Configure Favorites Bar
- Configure Favorites
- Configure Home Button
- Configure kiosk mode
- Configure kiosk reset after idle timeout
- Configure Open Microsoft Edge With
- Configure Password Manager
- Configure Pop-up Blocker
- Configure search suggestions in Address bar
- Configure Start pages
- Configure the Adobe Flash Click-to-Run setting
- Configure the Enterprise Mode Site List
- Configure Windows Defender SmartScreen
- Disable lockdown of Start pages
- For PDF files that have both landscape and portrait pages, print each in its own orientation.
- Keep favorites in sync between Internet Explorer and Microsoft Edge
- Prevent access to the about:flags page in Microsoft Edge
- Prevent bypassing Windows Defender SmartScreen prompts for files
- Prevent bypassing Windows Defender SmartScreen prompts for sites
- Prevent certificate error overrides
- Prevent changes to Favorites on Microsoft Edge
- Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
- Prevent the First Run webpage from opening on Microsoft Edge
- Prevent turning off required extensions
- Prevent using Localhost IP address for WebRTC
- Provision Favorites
- Send all intranet sites to Internet Explorer 11
- Set default search engine
- Set Home Button URL
- Set New Tab page URL
- Show message when opening sites in Internet Explorer
- Suppress the display of Edge Deprecation Notification
- Unlock Home Button
- Microsoft Management Console
- Restricted/Permitted snap-ins
- Extension snap-ins
- AppleTalk Routing
- Authorization Manager
- Certification Authority Policy Settings
- Connection Sharing (NAT)
- DCOM Configuration Extension
- Device Manager
- DFS Management Extension
- DHCP Relay Management
- Disk Management Extension
- Event Viewer (Windows Vista)
- Event Viewer
- Extended View (Web View)
- File Server Resource Manager Extension
- IAS Logging
- IGMP Routing
- IP Routing
- IPX RIP Routing
- IPX Routing
- IPX SAP Routing
- Logical and Mapped Drives
- OSPF Routing
- Public Key Policies
- RAS Dialin - User Node
- Remote Access
- Removable Storage
- RIP Routing
- Routing
- Send Console Message
- Service Dependencies
- SMTP Protocol
- SNMP
- Storage Manager for SANS Extension
- System Properties
- Group Policy
- Group Policy snap-in extensions
- Administrative Templates (Computers)
- Administrative Templates (Users)
- Folder Redirection
- Internet Explorer Maintenance
- IP Security Policy Management
- NAP Client Configuration
- Remote Installation Services
- Scripts (Logon/Logoff)
- Scripts (Startup/Shutdown)
- Security Settings
- Software Installation (Computers)
- Software Installation (Users)
- Windows Firewall with Advanced Security
- Wired Network (IEEE 802.3) Policies
- Wireless Network (IEEE 802.11) Policies
- Preference snap-in extensions
- Permit use of Application snap-ins
- Permit use of Applications preference extension
- Permit use of Control Panel Settings (Computers)
- Permit use of Control Panel Settings (Users)
- Permit use of Data Sources preference extension
- Permit use of Devices preference extension
- Permit use of Drive Maps preference extension
- Permit use of Environment preference extension
- Permit use of Files preference extension
- Permit use of Folder Options preference extension
- Permit use of Folders preference extension
- Permit use of Ini Files preference extension
- Permit use of Internet Settings preference extension
- Permit use of Local Users and Groups preference extension
- Permit use of Network Options preference extension
- Permit use of Power Options preference extension
- Permit use of Preferences tab
- Permit use of Printers preference extension
- Permit use of Regional Options preference extension
- Permit use of Registry preference extension
- Permit use of Scheduled Tasks preference extension
- Permit use of Services preference extension
- Permit use of Shortcuts preference extension
- Permit use of Start Menu preference extension
- Resultant Set of Policy snap-in extensions
- Group Policy Management Editor
- Group Policy Management
- Group Policy Object Editor
- Group Policy Starter GPO Editor
- Group Policy tab for Active Directory Tools
- Resultant Set of Policy snap-in
- Group Policy snap-in extensions
- .Net Framework Configuration
- Active Directory Domains and Trusts
- Active Directory Sites and Services
- Active Directory Users and Computers
- ActiveX Control
- ADSI Edit
- Certificates
- Certificate Templates
- Certification Authority
- Component Services
- Computer Management
- Device Manager
- DFS Management
- Disk Defragmenter
- Disk Management
- Distributed File System
- Enterprise PKI
- Event Viewer (Windows Vista)
- Event Viewer
- Failover Clusters Manager
- FAX Service
- File Server Resource Manager
- FrontPage Server Extensions
- Health Registration Authority (HRA)
- Indexing Service
- Internet Authentication Service (IAS)
- Internet Information Services
- IP Security Monitor
- IP Security Policy Management
- Link to Web Address
- Local Users and Groups
- NAP Client Configuration
- Network Policy Server (NPS)
- Online Responder
- Performance Logs and Alerts
- QoS Admission Control
- Remote Desktop Services Configuration
- Remote Desktops
- Removable Storage Management
- Routing and Remote Access
- Security Configuration and Analysis
- Security Templates
- Server Manager
- Services
- Storage Manager for SANs
- System Information
- Telephony
- TPM Management
- Windows Firewall with Advanced Security
- Wireless Monitor
- WMI Control
- Extension snap-ins
- Restrict the user from entering author mode
- Restrict users to the explicitly permitted list of snap-ins
- Restricted/Permitted snap-ins
- Microsoft User Experience Virtualization
- Applications
- Access 2013 backup only
- Access 2016 backup only
- Calculator
- Common 2013 backup only
- Common 2016 backup only
- Excel 2013 backup only
- Excel 2016 backup only
- InfoPath 2013 backup only
- Internet Explorer 8
- Internet Explorer 9
- Internet Explorer 10
- Internet Explorer 11
- Internet Explorer Common Settings
- Lync 2013 backup only
- Lync 2016 backup only
- Microsoft Access 2010
- Microsoft Access 2013
- Microsoft Access 2016
- Microsoft Excel 2010
- Microsoft Excel 2013
- Microsoft Excel 2016
- Microsoft InfoPath 2010
- Microsoft InfoPath 2013
- Microsoft Lync 2010
- Microsoft Lync 2013
- Microsoft Lync 2016
- Microsoft Office 365 Access 2013
- Microsoft Office 365 Access 2016
- Microsoft Office 365 Common 2013
- Microsoft Office 365 Common 2016
- Microsoft Office 365 Excel 2013
- Microsoft Office 365 Excel 2016
- Microsoft Office 365 InfoPath 2013
- Microsoft Office 365 Lync 2013
- Microsoft Office 365 Lync 2016
- Microsoft Office 365 OneNote 2013
- Microsoft Office 365 OneNote 2016
- Microsoft Office 365 Outlook 2013
- Microsoft Office 365 Outlook 2016
- Microsoft Office 365 PowerPoint 2013
- Microsoft Office 365 PowerPoint 2016
- Microsoft Office 365 Project 2013
- Microsoft Office 365 Project 2016
- Microsoft Office 365 Publisher 2013
- Microsoft Office 365 Publisher 2016
- Microsoft Office 365 Visio 2013
- Microsoft Office 365 Visio 2016
- Microsoft Office 365 Word 2013
- Microsoft Office 365 Word 2016
- Microsoft Office 2010 Common Settings
- Microsoft Office 2013 Common Settings
- Microsoft Office 2013 Upload Center
- Microsoft Office 2016 Common Settings
- Microsoft Office 2016 Upload Center
- Microsoft OneDrive for Business 2013
- Microsoft OneDrive for Business 2016
- Microsoft OneNote 2010
- Microsoft OneNote 2013
- Microsoft OneNote 2016
- Microsoft Outlook 2010
- Microsoft Outlook 2013
- Microsoft Outlook 2016
- Microsoft PowerPoint 2010
- Microsoft PowerPoint 2013
- Microsoft PowerPoint 2016
- Microsoft Project 2010
- Microsoft Project 2013
- Microsoft Project 2016
- Microsoft Publisher 2010
- Microsoft Publisher 2013
- Microsoft Publisher 2016
- Microsoft Visio 2010
- Microsoft Visio 2013
- Microsoft Visio 2016
- Microsoft Word 2010
- Microsoft Word 2013
- Microsoft Word 2016
- Notepad
- OneNote 2013 backup only
- OneNote 2016 backup only
- Outlook 2013 backup only
- Outlook 2016 backup only
- PowerPoint 2013 backup only
- PowerPoint 2016 backup only
- Project 2013 backup only
- Project 2016 backup only
- Publisher 2013 backup only
- Publisher 2016 backup only
- Visio 2013 backup only
- Visio 2016 backup only
- Word 2013 backup only
- Word 2016 backup only
- WordPad
- Windows Apps
- Configure Sync Method
- Do not synchronize Windows Apps
- Ping the settings storage location before sync
- Settings package size warning threshold
- Settings storage path
- Synchronization timeout
- Synchronize Windows settings
- Sync settings over metered connections even when roaming
- Sync settings over metered connections
- Use User Experience Virtualization (UE-V)
- VDI Configuration
- Applications
- Multitasking
- NetMeeting
- Application Sharing
- Audio & Video
- Options Page
- Allow persisting automatic acceptance of Calls
- Disable Chat
- Disable Directory services
- Disable NetMeeting 2.x Whiteboard
- Disable Whiteboard
- Enable Automatic Configuration
- Limit the size of sent files
- Prevent adding Directory servers
- Prevent automatic acceptance of Calls
- Prevent changing Call placement method
- Prevent receiving files
- Prevent sending files
- Prevent viewing Web directory
- Set Call Security options
- Set the intranet support Web page
- Network Sharing
- OOBE
- Presentation Settings
- Remote Desktop Services
- RD Gateway
- RemoteApp and Desktop Connections
- Remote Desktop Connection Client
- Remote Desktop Session Host
- Connections
- Device and Resource Redirection
- Printer Redirection
- Remote Session Environment
- Session Time Limits
- RSS Feeds
- Search
- Sound Recorder
- Store
- Tablet PC
- Accessories
- Cursors
- Hardware Buttons
- Input Panel
- Disable text prediction
- For tablet pen input, don't show the Input Panel icon
- For touch input, don't show the Input Panel icon
- Include rarely used Chinese, Kanji, or Hanja characters
- Prevent Input Panel tab from appearing
- Turn off AutoComplete integration with Input Panel
- Turn off password security in Input Panel
- Turn off tolerant and Z-shaped scratch-out gestures
- Pen Flicks Learning
- Pen UX Behaviors
- Tablet PC Pen Training
- Touch Input
- Task Scheduler
- Windows Calendar
- Windows Color System
- Windows Defender SmartScreen
- Microsoft Edge
- Windows Error Reporting
- Advanced Error Reporting Settings
- Consent
- Automatically send memory dumps for OS-generated error reports
- Disable logging
- Disable Windows Error Reporting
- Do not send additional data
- Do not throttle additional data
- Send additional data when on battery power
- Send data when on connected to a restricted/costed network
- Windows Hello for Business
- Windows Installer
- Windows Logon Options
- Windows Media Player
- Networking
- Playback
- User Interface
- Prevent CD and DVD Media Information Retrieval
- Prevent Music File Media Information Retrieval
- Prevent Radio Station Preset Retrieval
- Windows Messenger
- Windows Mobility Center
- Windows PowerShell
- Windows Update
- Legacy Policies
- Manage updates offered from Windows Server Update Service
- Work Folders
- Enable auto-subscription