New Settings in Windows Server 2022

| File Name | Scope | Policy Path | Policy Setting Name | Registry Information | Supported On | Help Text |
|---|---|---|---|---|---|---|
| Globalization.admx | Machine | Control Panel\Regional and Language Options | Restrict Language Pack and Language Feature Installation | HKLM\Software\Policies\Microsoft\Control Panel\International!RestrictLanguagePacksAndFeaturesInstall | At least Windows Server 2016 Windows 10 | This policy setting restricts all users from installing language packs and language features on demand packages. This |
| SecGuide.admx | Machine | MS Security Guide | Limits print driver installation to Administrators | HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint!RestrictDriverInstallationToAdministrators | At least Windows Server 2008 R2 or Windows 7 | Determines whether users that aren't Administrator can install print drivers on this computer. By default users that aren't Adm |
| DnsClient.admx | Machine | Network\DNS Client | Configure DNS over HTTPS (DoH) name resolution | HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!DoHPolicy | At least Windows Vista | Specifies if the DNS client will perform name resolution over DNS over HTTPS (DoH). By default the DNS client will do classic DN |
| Printing.admx | Machine | Printers | Enable Device Control Printing Restrictions | HKLM\Software\Policies\Microsoft\Windows NT\Printers!EnableDeviceControl | At least Windows Server 2016 Windows 10 | Determines whether Device Control Printing Restrictions are enforced for printing on this computer. By default ther |
| Printing.admx | Machine | Printers | List of Approved USB-connected print devices | HKLM\Software\Policies\Microsoft\Windows NT\Printers!ApprovedUsbPrintDevices | At least Windows Server 2016 Windows 10 | This setting is a component of the Device Control Printing Restrictions. To use this setting enable Device Control Printing |
| StartMenu.admx | Machine | Start Menu and Taskbar | Show or hide "Most used" list from Start menu | HKLM\Software\Policies\Microsoft\Windows\Explorer!ShowOrHideMostUsedApps | At least Windows Server 2016 Windows 10 Version 1909 | If you enable this policy setting you can configure Start menu to show or hide the list of user's most used apps regardless of us |
| WPN.admx | Machine | Start Menu and Taskbar\Notifications | Enables group policy for the WNS FQDN | HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!WnsEndpoint | At least Windows Server 2016 Windows 10 | This policy sets a special WNS FQDN for specific environments. |
| FileSys.admx | Machine | System\Filesystem\NTFS | Enable NTFS non-paged pool usage | HKLM\System\CurrentControlSet\Policies!NtfsForceNonPagedPoolAllocation | At least Windows Server 2016 Windows 10 | By default NTFS allocates memory from both pageable and non-pageable memory as needed. Enabling this setting tells NTFS |
| FileSys.admx | Machine | System\Filesystem\NTFS | NTFS default tier | HKLM\System\CurrentControlSet\Policies!NtfsDefaultTier | At least Windows Server 2016 Windows 10 | For NTFS tiered volumes this controls the tier that new allocations go to by default. Client systems default to the Performance |
| FileSys.admx | Machine | System\Filesystem\NTFS | NTFS parallel flush threshold | HKLM\System\CurrentControlSet\Policies!NtfsParallelFlushThreshold | At least Windows Server 2016 Windows 10 | When flushing modified file data from memory NTFS chooses to use one or more threads based on how many files are current |
| FileSys.admx | Machine | System\Filesystem\NTFS | NTFS parallel flush worker threads | HKLM\System\CurrentControlSet\Policies!NtfsParallelFlushWorkers | At least Windows Server 2016 Windows 10 | When flushing modified file data from memory NTFS chooses to use one or more threads based on how many files are current |
| Kerberos.admx | Machine | System\Kerberos | Allow retrieving the cloud kerberos ticket during the logon | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!CloudKerberosTicketRetrievalEna | At least Windows Server 2016 Windows 10 | This policy setting allows retrieving the cloud kerberos ticket during the logon. If you disable or do not configure this policy setti |
| Netlogon.admx | Machine | System\Net Logon\DC Locator DNS Records | Use lowercase DNS host names when registering domain controller SRV records | HKLM\Software\Policies\Microsoft\Netlogon\Parameters!DnsSrvRecordUseLowerCaseHostNames | Unknown | This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host nam |
| sam.admx | Machine | System\Security Account Manager | Configure validation of ROCA-vulnerable WHfB keys during authentication | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SAM!SamNGCKeyROCAValidation | At least Windows Vista | This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vu |
| StorageSense.admx | Machine | System\Storage Sense | Allow Storage Sense | HKLM\Software\Policies\Microsoft\Windows\StorageSense!AllowStorageSenseGlobal | Unknown | Storage Sense can automatically clean some of the user’s files to free up disk space. By default Storage Sense is automatica |
| StorageSense.admx | Machine | System\Storage Sense | Allow Storage Sense Temporary Files cleanup | HKLM\Software\Policies\Microsoft\Windows\StorageSense!AllowStorageSenseTemporaryFilesCleanup | Unknown | When Storage Sense runs it can delete the user’s temporary files that are not in use. If the group policy "Allow Storage Sen |
| StorageSense.admx | Machine | System\Storage Sense | Configure Storage Sense cadence | HKLM\Software\Policies\Microsoft\Windows\StorageSense!ConfigStorageSenseGlobalCadence; HKLM\Software\Policies\Mic | Unknown | Storage Sense can automatically clean some of the user’s files to free up disk space. If the group policy "Allow Storage Sens |
| StorageSense.admx | Machine | System\Storage Sense | Configure Storage Sense Cloud Content dehydration threshold | HKLM\Software\Policies\Microsoft\Windows\StorageSense!ConfigStorageSenseCloudContentDehydrationThreshold; HKLM\S | Unknown | When Storage Sense runs it can dehydrate cloud-backed content that hasn’t been opened in a certain amount of days. If th |
| StorageSense.admx | Machine | System\Storage Sense | Configure Storage Sense Recycle Bin cleanup threshold | HKLM\Software\Policies\Microsoft\Windows\StorageSense!ConfigStorageSenseRecycleBinCleanupThreshold; HKLM\Software | Unknown | When Storage Sense runs it can delete files in the user’s Recycle Bin if they have been there for over a certain amount of d |
| StorageSense.admx | Machine | System\Storage Sense | Configure Storage Storage Downloads cleanup threshold | HKLM\Software\Policies\Microsoft\Windows\StorageSense!ConfigStorageSenseDownloadsCleanupThreshold; HKLM\Softwar | Unknown | When Storage Sense runs it can delete files in the user’s Downloads folder if they haven’t been opened for more than a |
| AppxPackageManager.admx | Machine | Windows Components\App Package Deployment | Archive infrequently used apps | HKLM\Software\Policies\Microsoft\Windows\Appx!AllowAutomaticAppArchiving | At least Windows Server 2016 Windows 10 | This policy setting controls whether the system can archive infrequently used apps. If you enable this policy setting then the sy |
| AppPrivacy.admx | Machine | Windows Components\App Privacy | Let Windows apps access user movements while running in the background | HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessBackgroundSpatialPerception HKLM\Software\Policie | At least Windows Server 2016 Windows 10 | This policy setting specifies whether Windows apps can access the movement of the user's head hands motion controllers and |
| AppPrivacy.admx | Machine | Windows Components\App Privacy | Let Windows apps activate with voice | HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsActivateWithVoice | At least Windows Server 2016 Windows 10 | This policy setting specifies whether Windows apps can be activated by voice. If you choose the "User is in control" option emp |
| AppPrivacy.admx | Machine | Windows Components\App Privacy | Let Windows apps activate with voice while the system is locked | HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsActivateWithVoiceAboveLock | At least Windows Server 2016 Windows 10 | This policy setting specifies whether Windows apps can be activated by voice while the system is locked. If you choose the "Us |
| AppPrivacy.admx | Machine | Windows Components\App Privacy | Let Windows apps take screenshots of various windows or displays | HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessGraphicsCaptureProgrammatic HKLM\Software\Polic | At least Windows Server 2016 Windows 10 | This policy setting specifies whether Windows apps can take screenshots of various windows or displays. You can specify eithe |
| AppPrivacy.admx | Machine | Windows Components\App Privacy | Let Windows apps turn off the screenshot border | HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessGraphicsCaptureWithoutBorder HKLM\Software\Poli | At least Windows Server 2016 Windows 10 | This policy setting specifies whether Windows apps can turn off the screenshot border. You can specify either a default setting |
| DataCollection.admx | Machine | Windows Components\Data Collection and Preview Builds | Disable OneSettings Downloads | HKLM\Software\Policies\Microsoft\Windows\DataCollection!DisableOneSettingsDownloads | At least Windows Server 2016 Windows 10 Version 1909 | This policy setting controls whether Windows can download configuration settings from the OneSettings service. If you enable |
| DataCollection.admx | Machine | Windows Components\Data Collection and Preview Builds | Enable OneSettings Auditing | HKLM\Software\Policies\Microsoft\Windows\DataCollection!EnableOneSettingsAuditing | At least Windows Server 2016 Windows 10 Version 1909 | This policy setting controls whether Windows records attempts to download configuration settings from the OneSettings servi |
| DataCollection.admx | Machine | Windows Components\Data Collection and Preview Builds | Limit Diagnostic Log Collection | HKLM\Software\Policies\Microsoft\Windows\DataCollection!LimitDiagnosticLogCollection | At least Windows Server 2016 Windows 10 Version 1909 | This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot |
| DataCollection.admx | Machine | Windows Components\Data Collection and Preview Builds | Limit Dump Collection | HKLM\Software\Policies\Microsoft\Windows\DataCollection!LimitDumpCollection | At least Windows Server 2016 Windows 10 Version 1909 | This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem |
| inetres.admx | Machine | Windows Components\Internet Explorer | Allow "Save Target As" in Internet Explorer mode | HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!AllowSaveTargetAsInIEMode | At least Internet Explorer 11.0 | This policy setting allows admins to enable "Save Target As" context menu in Internet Explorer mode. If you enable this policy " |
| inetres.admx | Machine | Windows Components\Internet Explorer | Disable Internet Explorer 11 as a standalone browser | HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NotifyDisableIEOptions | At least Internet Explorer 11.0 | This policy lets you restrict launching of Internet Explorer as a standalone browser. If you enable this policy it: - Prevents Intern |
| inetres.admx | Machine | Windows Components\Internet Explorer | Enable extended hot keys in Internet Explorer mode | HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!EnableExtendedIEModeHotkeys | At least Internet Explorer 11.0 | This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys such as "Ctrl+S" to have "Save |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus | Define the directory path to copy support log files | HKLM\Software\Policies\Microsoft\Windows Defender!SupportLogLocation | At least Windows Server 2016 Windows 10 Version 1607 | This policy setting allows you to configure the directory path where the support log files would be copied to. The value of this |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Exclusions | Ip Address Exclusions | HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions!Exclusions_IpAddresses; HKLM\Software\Policies\Microsoft | At least Windows Server 2016 Windows 10 Version 1709 | Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses. |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection | This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. | HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection!AllowNetworkP | At least Windows Server 2016 Windows 10 Version 1709 | Disabled (Default): If Not Configured or Disabled network protection is not allowed to be configured into block or audit m |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Network Inspection System | This setting controls datagram processing for network protection. | HKLM\Software\Policies\Microsoft\Windows Defender\NIS!DisableDatagramProcessing | At least Windows Server 2016 Windows 10 Version 1709 | Disabled (Default): If Not Configured or Disabled network protection is not allowed to be configured into block or audit m |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Real-time Protection | Turn on script scanning | HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableScriptScanning | At least Windows Server 2012 Windows 8 or Windows RT | This policy setting allows you to configure script scanning. If you enable or do not configure this setting script scanning will b |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates | Allows Microsoft Defender Antivirus to update and communicate over a metered connection. | HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!MeteredConnectionUpdates | At least Windows Server 2012 Windows 8 or Windows RT | Disabled (Default): Updates and communications are not allowed over metered connections. Enabled: Allow managed |
| Passport.admx | Machine | Windows Components\Windows Hello for Business | Use cloud trust for on-premises authentication | HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!UseCloudTrustForOnPremAuth | At least Windows 10 | TBD |
| WindowsSandbox.admx | Machine | Windows Components\Windows Sandbox | Allow audio input in Windows Sandbox | HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowAudioInput | Unknown | This policy setting enables or disables audio input to the Sandbox. If you enable this policy setting Windows Sandbox will be ab |
| WindowsSandbox.admx | Machine | Windows Components\Windows Sandbox | Allow clipboard sharing with Windows Sandbox | HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowClipboardRedirection | Unknown | This policy setting enables or disables clipboard sharing with the sandbox. If you enable this policy setting copy and paste betw |
| WindowsSandbox.admx | Machine | Windows Components\Windows Sandbox | Allow networking in Windows Sandbox | HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowNetworking | Unknown | This policy setting enables or disables networking in the sandbox. You can disable network access to decrease the attack surfa |
| WindowsSandbox.admx | Machine | Windows Components\Windows Sandbox | Allow printer sharing with Windows Sandbox | HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowPrinterRedirection | Unknown | This policy setting enables or disables printer sharing from the host into the Sandbox. If you enable this policy setting host prin |
| WindowsSandbox.admx | Machine | Windows Components\Windows Sandbox | Allow vGPU sharing for Windows Sandbox | HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowVGPU | Unknown | This policy setting is to enable or disable the virtualized GPU. If you enable this policy setting vGPU will be supported in the Wi |
| WindowsSandbox.admx | Machine | Windows Components\Windows Sandbox | Allow video input in Windows Sandbox | HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowVideoInput | Unknown | This policy setting enables or disables video input to the Sandbox. If you enable this policy setting video input is enabled in Win |
| WindowsUpdate.admx | Machine | Windows Components\Windows Update\Windows Update for Business | Disable safeguards for Feature Updates | HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DisableWUfBSafeguards | At least Windows Server 2016 Windows 10 Version 1909 | Enable this setting when Feature Updates should be deployed to devices without blocking on any safeguard holds. Sa |
| TerminalServer.admx | User | AutoSubscription | Enable auto-subscription | HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AutoSubscription | At least Windows Server 2016 Windows 10 | Controls the list of URLs that the user should be auto-subscribed to |
| Printing.admx | User | Control Panel\Printers | Enable Device Control Printing Restrictions | HKCU\Software\Policies\Microsoft\Windows NT\Printers!EnableDeviceControl | At least Windows Server 2016 Windows 10 | Determines whether Device Control Printing Restrictions are enforced for printing on this computer. By default ther |
| Printing.admx | User | Control Panel\Printers | List of Approved USB-connected print devices | HKCU\Software\Policies\Microsoft\Windows NT\Printers!ApprovedUsbPrintDevices | At least Windows Server 2016 Windows 10 | This setting is a component of the Device Control Printing Restrictions. To use this setting enable Device Control Printing |
| Globalization.admx | User | Control Panel\Regional and Language Options | Restrict Language Pack and Language Feature Installation | HKCU\Software\Policies\Microsoft\Control Panel\International!RestrictLanguagePacksAndFeaturesInstall | At least Windows Server 2016 Windows 10 | This policy setting restricts the user from installing language packs and language features on demand. This policy do |
| Taskbar.admx | User | Start Menu and Taskbar | Remove the Meet Now icon | HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideSCAMeetNow | Unknown | This policy setting allows you to remove the Meet Now icon from the system control area. If you enable this policy setting the M |
| StartMenu.admx | User | Start Menu and Taskbar | Show or hide "Most used" list from Start menu | HKCU\Software\Policies\Microsoft\Windows\Explorer!ShowOrHideMostUsedApps | At least Windows Server 2016 Windows 10 Version 1909 | If you enable this policy setting you can configure Start menu to show or hide the list of user's most used apps regardless of us |
| EAIME.admx | User | Windows Components\IME | Configure Korean IME version | HKCU\Software\Policies\Microsoft\InputMethod\Settings\KOR!ConfigureImeVersion | Unknown | This policy setting controls the version of Microsoft IME. If you don’t configure this policy setting user can control IME ve |
| inetres.admx | User | Windows Components\Internet Explorer | Allow "Save Target As" in Internet Explorer mode | HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!AllowSaveTargetAsInIEMode | At least Internet Explorer 11.0 | This policy setting allows admins to enable "Save Target As" context menu in Internet Explorer mode. If you enable this policy " |
| inetres.admx | User | Windows Components\Internet Explorer | Disable Internet Explorer 11 as a standalone browser | HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NotifyDisableIEOptions | At least Internet Explorer 11.0 | This policy lets you restrict launching of Internet Explorer as a standalone browser. If you enable this policy it: - Prevents Intern |
| inetres.admx | User | Windows Components\Internet Explorer | Enable extended hot keys in Internet Explorer mode | HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!EnableExtendedIEModeHotkeys | At least Internet Explorer 11.0 | This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys such as "Ctrl+S" to have "Save |
| Passport.admx | User | Windows Components\Windows Hello for Business | Use cloud trust for on-premises authentication | HKCU\SOFTWARE\Policies\Microsoft\PassportForWork!UseCloudTrustForOnPremAuth | At least Windows 10 | TBD |

ws uses for all logged users."   If you enable this policy setting the installation of language packs and language features is 
ter.If you disable this setting the system will not limit installation of print drivers to this computer.Additional Information: https://support.
one of the following options from the drop-down list:Prohibit DoH: No DoH name resolution will be performed.Allow DoH: Perform DoH qu
porate network or approved USB-connected printers. If you disable this setting or do not configure it there are no restrictions to prin
e if the current USB connected printer is approved for local printing. Type all the approved vid/pid combinations (separated by comm
hidden and user cannot change to show it using the Settings app.Selecting "Not Configured" or if you disable or do not configure this poli

ack usage at the cost of additional memory consumption.A reboot is required for this setting to take effect

act on other concurrent IO operations.Values with special meaning: 0: Use the system calculated default 1: Disable parallel flushThe de

de to delete any previously registered SRV records that contain mixed-case DNS host names. For more information and potential manual c
CVE-2017-15361 https://en.wikipedia.org/wiki/ROCA_vulnerability If you enable this policy setting the following options are supported: Igno
with the "Configure Storage Sense cadence" group policy.Enabled:Storage Sense is turned on for the machine with the default cadence as
ge settings.Disabled:Storage Sense will not delete the user’s temporary files. Users cannot enable this setting in Storage settings.Not Co
ee disk space. The default is 0 (during low free disk space).Disabled or Not Configured:By default the Storage Sense cadence is set to “d
nopened before Storage Sense dehydrates it from the sync root. Supported values are: 0 - 365.If you set this value to zero Storage Sense w
ycle Bin before Storage Sense will delete it. Supported values are: 0 - 365.If you set this value to zero Storage Sense will not delete files in t
can remain unopened before Storage Sense deletes it from Downloads folder. Supported values are: 0 - 365.If you set this value to zero S
g (default) then the system will follow default behavior which is to periodically check for and archive infrequently used apps and the user
u can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the
n Windows apps are allowed to be activated with a voice keyword and employees in your organization cannot change it.If you choose the
the device.If you choose the "Force Allow" option users can interact with applications using speech while the system is locked and emplo
werShell cmdlet. A per-app setting overrides the default setting.If you choose the "User is in control" option employees in your organizatio
per-app setting overrides the default setting.If you choose the "User is in control" option employees in your organization can decide whe
nfiguration settings from the OneSettings service.
ng\Operational EventLog channel.If you disable or don't configure this policy setting Windows will not record attempts to download config
e collected.If you disable or do not configure this policy setting we may occasionally collect diagnostic logs if the device has been configure
mps and user mode triage dumps.If you disable or do not configure this policy setting we may occasionally collect full or heap dumps if th
As" will not show up in the Internet Explorer mode context menu.For more information see https://go.microsoft.com/fwlink/?linkid=21021
nternet Explorer 11 to Microsoft Edge Stable Channel browser.- Overrides any other policies that redirect to Internet Explorer 11.If you dis
e this policy extended hotkeys will not work in Internet Explorer mode.For more information see https://go.microsoft.com/fwlink/?linkid=
his setting the support logs files will not be copied to any location.

Note that this configuration is dependent on the EnableNetworkProtection configuration. If this configuration is false EnableNetworkProte
Note that this configuration is dependent on the EnableNetworkProtection configuration. If this configuration is false EnableNetworkProte

input from the user. Applications using a microphone may not function properly with this setting.If you do not configure this policy settin
clipboard sharing will be enabled.
u disable this policy setting networking is disabled in Windows Sandbox.If you do not configure this policy setting networking will be enabl
g printer redirection will be disabled.
GPU will be enabled. Note that enabling virtualized GPU can potentially increase the attack surface of the sandbox.
not configure this policy setting video input will be disabled. Applications that use video input may not function properly in Windows Sand
tion to deploy the Feature Update to devices for testing or to deploy the Feature Update without blocking on safeguard holds.

porate network or approved USB-connected printers. If you disable this setting or do not configure it there are no restrictions to prin
e if the current USB connected printer is approved for local printing. Type all the approved vid/pid combinations (separated by comm
use for the selected user."   If you enable this policy setting the installation of language packs and language features is pr

hidden and user cannot change to show it using the Settings app.Selecting "Not Configured" or if you disable or do not configure this poli
.​If you disable this user is not allowed to control IME version to use. The new Microsoft IME is always selected.This Policy setting applie
As" will not show up in the Internet Explorer mode context menu.For more information see https://go.microsoft.com/fwlink/?linkid=21021
nternet Explorer 11 to Microsoft Edge Stable Channel browser.- Overrides any other policies that redirect to Internet Explorer 11.If you dis
e this policy extended hotkeys will not work in Internet Explorer mode.For more information see https://go.microsoft.com/fwlink/?linkid=
nd language features is prevented for all users. If you disable or do not configure this policy setting there is no language pa
Information: https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july
ed.Allow DoH: Perform DoH queries if the configured DNS servers support it. If they don't support it try classic name resolution.Require Do
ere are no restrictions to printing based on connection type or printer Make/Model.
mbinations (separated by commas) that correspond to approved USB printer models. When a user tries to print to a USB printer queue the
e or do not configure this policy setting all will allow users to turn on or off the display of "Most used" list using the Settings app. This is de

1: Disable parallel flushThe default value and limit for this setting varies based on the number of available processors on a given system:

mation and potential manual cleanup procedures see the link below.If disabled domain controllers will use their configured DNS host name
ng options are supported:Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability.Au
e with the default cadence as ‘during low free disk space’. Users cannot disable Storage Sense but they can adjust the cadence (unl
tting in Storage settings.Not Configured:By default Storage Sense will delete the user’s temporary files. Users can configure this setting
e Sense cadence is set to “during low free disk space”. Users can configure this setting in Storage settings.
value to zero Storage Sense will not dehydrate any cloud-backed content. The default value is 0 or never dehydrating cloud-backed conten
Sense will not delete files in the user’s Recycle Bin. The default is 30 days.Disabled or Not Configured:By default Storage Sense will de
5.If you set this value to zero Storage Sense will not delete files in the user’s Downloads folder. The default is 0 or never deleting files in
ently used apps and the user will be able to configure this setting themselves.
per-app setting overrides the default setting.If you choose the "User is in control" option employees in your organization can decide whe
ot change it.If you choose the "Force Deny" option Windows apps are not allowed to be activated with a voice keyword and employees in
e system is locked and employees in your organization cannot change it.If you choose the "Force Deny" option users cannot interact with
employees in your organization can decide whether Windows apps can take screenshots of various windows or displays by using Settings >
r organization can decide whether Windows apps can turn off the screenshot border by using Settings > Privacy on the device.If you choos

d attempts to download configuration settings from the OneSettings service to the EventLog.
the device has been configured to send optional diagnostic data.
ollect full or heap dumps if the user has opted to send optional diagnostic data.
soft.com/fwlink/?linkid=2102115
Internet Explorer 11.If you disable or don’t configure this policy all sites are opened using the current active browser settings. Note: M
microsoft.com/fwlink/?linkid=2102115

n is false EnableNetworkProtection will be ignored otherwise network protection will start on Windows Server depending on the value of
n is false EnableNetworkProtection will be ignored otherwise network protection will start on Windows Server depending on the value of

not configure this policy setting audio input will be enabled. Note that there may be security implications of exposing host audio input to th

tting networking will be enabled. Note that enabling networking can expose untrusted applications to the internal network.
tion properly in Windows Sandbox. Note that there may be security implications of exposing host video input to the container.
n safeguard holds.

ere are no restrictions to printing based on connection type or printer Make/Model.


mbinations (separated by commas) that correspond to approved USB printer models. When a user tries to print to a USB printer queue the
d language features is prevented for the user.   If you disable or do not configure this policy setting there is no langua

e or do not configure this policy setting all will allow users to turn on or off the display of "Most used" list using the Settings app. This is de
ected.This Policy setting applies only to Microsoft Korean IME.Note: Changes to this setting will not take effect until the user logs off.
soft.com/fwlink/?linkid=2102115
Internet Explorer 11.If you disable or don’t configure this policy all sites are opened using the current active browser settings. Note: M
microsoft.com/fwlink/?linkid=2102115
tting there is no language packs or feature installation restriction for any user.  
drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7 for additional information.
c name resolution.Require DoH: Allow only DoH name resolution. If there are no DoH capable DNS servers configured name resolution wi

nt to a USB printer queue the device vid/pid will be compared to the approved list.
ing the Settings app. This is default behavior.Note: configuring this policy to "Show" or "Hide" on supported versions of Windows 10 will su

rocessors on a given system: - Default value calculation is: (([NumProcessors]/2) + 1) - Default max value calculation is: ([NumProcesso

heir configured DNS host name as-is when registering domain controller SRV records.If not configured domain controllers will default to us
for the ROCA vulnerability.Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the
ey can adjust the cadence (unless you also configure the "Configure Storage Sense cadence" group policy).Disabled:Storage Sense is turned
sers can configure this setting in Storage settings.

hydrating cloud-backed content.Disabled or Not Configured:By default Storage Sense will not dehydrate any cloud-backed content. Users
default Storage Sense will delete files in the user’s Recycle Bin that have been there for over 30 days. Users can configure this setting
ult is 0 or never deleting files in the Downloads folder. Disabled or Not Configured: By default Storage Sense will not delete files in the user’

r organization can decide whether Windows apps can access the user's movements while the apps are running in the background by using
ce keyword and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your o
on users cannot interact with applications using speech while the system is locked and employees in your organization cannot change it.If
or displays by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are allowed to take screenshot
acy on the device.If you choose the "Force Allow" option Windows apps are allowed to turn off the screenshot border and employees in yo

tive browser settings. Note: Microsoft Edge Stable Channel must be installed for this policy to take effect.

er depending on the value of EnableNetworkProtection.


er depending on the value of EnableNetworkProtection.

exposing host audio input to the container.

ternal network.
t to the container.

nt to a USB printer queue the device vid/pid will be compared to the approved list.
y setting there is no language packs or language features installation restriction for the user.  

ing the Settings app. This is default behavior.Note: configuring this policy to "Show" or "Hide" on supported versions of Windows 10 will su
ct until the user logs off.

tive browser settings. Note: Microsoft Edge Stable Channel must be installed for this policy to take effect.
rmation.
onfigured name resolution will fail.If you disable this policy setting or if you do not configure this policy setting computers will use locally c

versions of Windows 10 will supersede any policy setting of "Remove frequent programs list from the Start Menu" (which manages same

calculation is: ([NumProcessors]*2)

n controllers will default to using their local configuration.The default local configuration is enabled.A reboot is not required for changes t
B keys that are subject to the ROCA vulnerability (authentications will still succeed).Block: during authentication the domain controller wil
sabled:Storage Sense is turned off the machine. Users cannot enable Storage Sense.Not Configured:By default Storage Sense is turned off

cloud-backed content. Users can configure this setting in Storage settings.


sers can configure this setting in Storage settings.
ill not delete files in the user’s Downloads folder. Users can configure this setting in Storage settings.

ng in the background by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are allowed to access
cy setting employees in your organization can decide whether Windows apps can be activated with a voice keyword by using Settings > Pri
ganization cannot change it.If you disable or do not configure this policy setting employees in your organization can decide whether users
are allowed to take screenshots of various windows or displays and employees in your organization cannot change it.If you choose the "Fo
ot border and employees in your organization cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to tu
versions of Windows 10 will supersede any policy setting of "Remove frequent programs list from the Start Menu" (which manages same
ng computers will use locally configured settings.

Menu" (which manages same part of Start menu but with fewer options).

t is not required for changes to this setting to take effect.More information is available at https://aka.ms/lowercasehostnamesrvrecord
tion the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail).This setting
ult Storage Sense is turned off until the user runs into low disk space or the user enables it manually. Users can configure this setting in Sto

ws apps are allowed to access user movements while the apps are running in the background and employees in your organization cannot
eyword by using Settings > Privacy on the device.This policy is applied to Windows apps and Cortana.
tion can decide whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the dev
hange it.If you choose the "Force Deny" option Windows apps are not allowed to take screenshots of various windows or displays and em
ows apps are not allowed to turn off the screenshot border and employees in your organization cannot change it.If you disable or do not c
Menu" (which manages same part of Start menu but with fewer options).
wercasehostnamesrvrecord
ntications will fail).This setting only takes effect on domain controllers.If not configured domain controllers will default to using their local
an configure this setting in Storage settings.

es in your organization cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access user movements w

g Settings > Privacy on the device. This policy is applied to Windows apps and Cortana. It takes precedence of the “Allow Cortana above
s windows or displays and employees in your organization cannot change it.If you disable or do not configure this policy setting employees
ge it.If you disable or do not configure this policy setting employees in your organization can decide whether Windows apps can turn off th
will default to using their local configuration. The default local configuration is Audit.A reboot is not required for changes to this setting to t

d to access user movements while the apps are running in the background and employees in your organization cannot change it.If you dis

the “Allow Cortana above lock” policy. This policy is applicable only when “Allow voice activation” policy is configured to allo
e this policy setting employees in your organization can decide whether Windows apps can take screenshots of various windows or display
r Windows apps can turn off the screenshot border by using Settings > Privacy on the device.If an app is open when this Group Policy obje
for changes to this setting to take effect.Note: to avoid unexpected disruptions this setting should not be set to Block until appropriate mi

tion cannot change it.If you disable or do not configure this policy setting employees in your organization can decide whether Windows app

” policy is configured to allow applications to be activated with voice.


of various windows or displays by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a de
n when this Group Policy object is applied on a device employees must restart the app or device for the policy changes to be applied to the
t to Block until appropriate mitigations have been performed for example patching of vulnerable TPMs.More information is available at htt

decide whether Windows apps can access the user's movements while the apps are running in the background by using Settings > Privacy

olicy object is applied on a device employees must restart the app or device for the policy changes to be applied to the app.
cy changes to be applied to the app.
e information is available at https://go.microsoft.com/fwlink/?linkid=2116430.

und by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restar

plied to the app.


device employees must restart the app or device for the policy changes to be applied to the app.
