Policy CSP - System

Tip

This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

Important

This CSP contains some settings that are under development and only applicable for Windows Insider Preview builds. These settings are subject to change and may have dependencies on other features or services in preview.

AllowBuildPreview

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1507 [10.0.10240] and later
./Device/Vendor/MSFT/Policy/Config/System/AllowBuildPreview

This policy setting determines whether users can get preview builds of Windows, by configuring controls in Settings > Update and security > Windows Insider Program.

  • If you enable or don't configure this policy setting, users can download and install preview builds of Windows by configuring Windows Insider Program settings.

  • If you disable this policy setting, Windows Insider Program settings will be unavailable to users through the Settings app.

This policy is only supported up to Windows 10, Version 1703. Please use 'Manage preview builds' under 'Windows Update for Business' for newer Windows 10 versions.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 2

Allowed values:

Value Description
0 Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software.
1 Allowed. Users can make their devices available for downloading and installing preview software.
2 (Default) Not configured. Users can make their devices available for downloading and installing preview software.

Group policy mapping:

Name Value
Name AllowBuildPreview
Friendly Name Toggle user control over Insider builds
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\PreviewBuilds
Registry Value Name AllowBuildPreview
ADMX File Name AllowBuildPreview.admx

AllowCommercialDataPipeline

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Device/Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline

This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.

AllowCommercialDataPipeline configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at https://go.microsoft.com/fwlink/?linkid=2185086. To enable this behavior:

  1. Enable this policy setting
  2. Join a Microsoft Entra account to the device.

Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting doesn't change the Windows diagnostic data collection level set for the device.

If you disable or don't configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft's privacy statement at https://go.microsoft.com/fwlink/?LinkId=521839 unless you have enabled policies like 'Allow Update Compliance Processing' or 'Allow Desktop Analytics Processing'.

See the documentation at https://go.microsoft.com/fwlink/?linkid=2011107 for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data.

Note

Configuring this setting doesn't affect the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports.

Note

Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see Enable Windows diagnostic data processor configuration.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disabled.
1 Enabled.

Group policy mapping:

Name Value
Name AllowCommercialDataPipeline
Friendly Name Allow commercial data pipeline
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx

AllowDesktopAnalyticsProcessing

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 with KB4551853 [10.0.17763.1217] and later
✅ Windows 10, version 1903 with KB4556799 [10.0.18362.836] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/System/AllowDesktopAnalyticsProcessing

This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.

This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID settings, enables organizations to configure the device so that Microsoft is the processor for Windows diagnostic data collected from the device, subject to the Product Terms at https://go.microsoft.com/fwlink/?linkid=2185086. To enable this behavior:

  1. Enable this policy setting

  2. Join a Microsoft Entra account to the device.

  3. Set Allow Telemetry to value 1 - Required, or higher

  4. Set the Configure the Commercial ID setting for your Desktop Analytics workspace.

When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.

This setting has no effect on devices unless they're properly enrolled in Desktop Analytics. If you disable this policy setting, devices won't appear in Desktop Analytics.

Note

Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see Enable Windows diagnostic data processor configuration.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disabled.
2 Allowed.

Group policy mapping:

Name Value
Name AllowDesktopAnalyticsProcessing
Friendly Name Allow Desktop Analytics Processing
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx

AllowDeviceNameInDiagnosticData

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData

This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data.

If you disable or don't configure this policy setting, then device name won't be sent to Microsoft as part of Windows diagnostic data.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disabled.
1 Allowed.

Group policy mapping:

Name Value
Name AllowDeviceNameInDiagnosticData
Friendly Name Allow device name to be sent in Windows diagnostic data
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx

AllowEmbeddedMode

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/System/AllowEmbeddedMode

Specifies whether a general-purpose device is set to embedded mode. Most restricted value is 0.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Not allowed.
1 Allowed.

AllowExperimentation

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/System/AllowExperimentation

Note

This policy isn't supported in Windows 10, version 1607.

This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. Most restricted value is 0.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 Disabled.
1 (Default) Permits Microsoft to configure device settings only.
2 Allows Microsoft to conduct full experimentation.

AllowFontProviders

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/System/AllowFontProviders

This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider.

  • If you enable this policy setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text.

  • If you disable this policy setting, Windows doesn't connect to an online font provider and only enumerates locally-installed fonts.

  • If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.

This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value isn't set by default, so the default behavior is true (enabled).

This setting is used by lower-level components for text display and font handling and has no direct effect on web browsers, which may download web fonts used in web content.

Note

Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 Not allowed. No traffic to fs.microsoft.com and only locally installed fonts are available.
1 (Default) Allowed. There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them.

Group policy mapping:

Name Value
Name EnableFontProviders
Friendly Name Enable Font Providers
Location Computer Configuration
Path Network > Fonts
Registry Key Name Software\Policies\Microsoft\Windows\System
Registry Value Name EnableFontProviders
ADMX File Name GroupPolicy.admx

AllowLocation

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1507 [10.0.10240] and later
./Device/Vendor/MSFT/Policy/Config/System/AllowLocation

Specifies whether to allow app access to the Location service. Most restricted value is 0. While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting.

For example, an app's original Location setting is Off. The administrator then sets the AllowLocation policy to 2 (Force Location On). The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the AllowLocation policy back to 1 (User Control), the app will revert to using its original setting of Off.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 Force Location Off. All Location Privacy settings are toggled off and grayed out. Users can't change the settings, and no apps are allowed access to the Location service, including Cortana and Search.
1 (Default) Location service is allowed. The user has control and can change Location Privacy settings on or off.
2 Force Location On. All Location Privacy settings are toggled on and grayed out. Users can't change the settings and all consent permissions will be automatically suppressed.

Group policy mapping:

Name Value
Name DisableLocation_2
Friendly Name Turn off location
Location Computer Configuration
Path Windows Components > Location and Sensors
Registry Key Name Software\Policies\Microsoft\Windows\LocationAndSensors
Registry Value Name DisableLocation
ADMX File Name Sensors.admx

AllowMicrosoftManagedDesktopProcessing

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 with KB4551853 [10.0.17763.1217] and later
✅ Windows 10, version 1903 with KB4556799 [10.0.18362.836] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/System/AllowMicrosoftManagedDesktopProcessing

This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.

This policy setting configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at https://go.microsoft.com/fwlink/?linkid=2185086. For customers who enroll into the Microsoft Managed Desktop service, enabling this policy is required to allow Microsoft to process data for operational and analytic needs. See https://go.microsoft.com/fwlink/?linkid=2184944 for more information.

When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.

This setting has no effect on devices unless they're properly enrolled in Microsoft Managed Desktop. If you disable this policy setting, devices may not appear in Microsoft Managed Desktop.

Note

Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see Enable Windows diagnostic data processor configuration.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disabled.
32 Allowed.

AllowOOBEUpdates

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows Insider Preview
./Device/Vendor/MSFT/Policy/Config/System/AllowOOBEUpdates

This policy allows you to configure whether a new device gets critical updates during the out-of-box experience.

  • If you disable the policy, new devices won't receive critical updates during the out-of-box experience.

  • If you enable the policy, new devices will receive the latest approved critical updates during the out-of-box experience.

Note

This policy doesn't control the zero-day patch (ZDP) updates page in OOBE.

If you have paused quality updates through Windows quality update deferrals and pause policies, no quality updates will be delivered during the out-of-box experience.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 Not allowed.
1 (Default) Allowed.

Group policy mapping:

Name Value
Name AllowOOBEUpdates
Friendly Name Allow Updates in OOBE
Location Computer Configuration
Path Windows Components > OOBE
Registry Key Name Software\Policies\Microsoft\Windows\OOBE
Registry Value Name AllowOOBEUpdates
ADMX File Name OOBE.admx

AllowStorageCard

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1507 [10.0.10240] and later
./Device/Vendor/MSFT/Policy/Config/System/AllowStorageCard

Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. Most restricted value is 0.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 SD card use isn't allowed and USB drives are disabled. This setting doesn't prevent programmatic access to the storage card.
1 (Default) Allow a storage card.

AllowTelemetry

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1507 [10.0.10240] and later
./User/Vendor/MSFT/Policy/Config/System/AllowTelemetry
./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry

By configuring this policy setting you can adjust what diagnostic data is collected from Windows. This policy setting also restricts the user from increasing the amount of diagnostic data collection via the Settings app. The diagnostic data collected under this policy impacts the operating system and apps that are considered part of Windows and doesn't apply to any additional apps installed by your organization.

  • Diagnostic data off (not recommended). Using this value, no diagnostic data is sent from the device. This value is only supported on Enterprise, Education, and Server editions.

  • Send required diagnostic data. This is the minimum diagnostic data necessary to keep Windows secure, up to date, and performing as expected. Using this value disables the "Optional diagnostic data" control in the Settings app.

  • Send optional diagnostic data. Additional diagnostic data is collected that helps us to detect, diagnose and fix issues, as well as make product improvements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnostic data can also include diagnostic log files and crash dumps. Use the "Limit Dump Collection" and the "Limit Diagnostic Log Collection" policies for more granular control of what optional diagnostic data is sent.

If you disable or don't configure this policy setting, the device will send required diagnostic data and the end user can choose whether to send optional diagnostic data from the Settings app.

Note

The "Configure diagnostic data opt-in settings user interface" group policy can be used to prevent end users from changing their data collection settings.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 Security. Information that's required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
1 (Default) Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.
3 Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.

Group policy mapping:

Name Value
Name AllowTelemetry
Friendly Name Allow Diagnostic Data
Location Computer and User Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx

AllowUpdateComplianceProcessing

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 with KB4551853 [10.0.17763.1217] and later
✅ Windows 10, version 1903 with KB4556799 [10.0.18362.836] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing

This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.

This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID settings, enables organizations to configure the device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at https://go.microsoft.com/fwlink/?linkid=2185086. To enable this behavior:

  1. Enable this policy setting

  2. Join a Microsoft Entra account to the device.

  3. Set Allow Telemetry to value 1 - Required, or higher

  4. Set the Configure the Commercial ID setting for your Update Compliance workspace.

When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.

If you disable or don't configure this policy setting, devices won't appear in Update Compliance.

Note

Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see Enable Windows diagnostic data processor configuration.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disabled.
16 Enabled.

Group policy mapping:

Name Value
Name AllowUpdateComplianceProcessing
Friendly Name Allow Update Compliance Processing
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx

AllowUserToResetPhone

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1507 [10.0.10240] and later
./Device/Vendor/MSFT/Policy/Config/System/AllowUserToResetPhone

Specifies whether to allow the user to factory reset the device by using the control panel and a hardware key combination. Most restricted value is 0.

Tip

This policy is also applicable to Windows 10 and not exclusive to phone.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 Not allowed.
1 (Default) Allowed to reset to factory default settings.

AllowWUfBCloudProcessing

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 with KB4551853 [10.0.17763.1217] and later
✅ Windows 10, version 1903 with KB4556799 [10.0.18362.836] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing

This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.

This policy setting configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at https://go.microsoft.com/fwlink/?linkid=2185086. To enable this behavior:

  1. Enable this policy setting

  2. Join a Microsoft Entra account to the device.

  3. Set Allow Telemetry to value 1 - Required, or higher.

When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.

If you disable or don't configure this policy setting, devices enrolled to the Windows Update for Business deployment service won't be able to take advantage of some deployment service features.

Note

Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see Enable Windows diagnostic data processor configuration.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disabled.
8 Enabled.

Group policy mapping:

Name Value
Name AllowWUfBCloudProcessing
Friendly Name Allow WUfB Cloud Processing
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx

BootStartDriverInitialization

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/System/BootStartDriverInitialization

This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:

  • Good: The driver has been signed and hasn't been tampered with.

  • Bad: The driver has been identified as malware. It's recommended that you don't allow known bad drivers to be initialized.

  • Bad, but required for boot: The driver has been identified as malware, but the computer can't successfully boot without loading this driver.

  • Unknown: This driver hasn't been attested to by your malware detection application and hasn't been classified by the Early Launch Antimalware boot-start driver.

  • If you enable this policy setting you'll be able to choose which boot-start drivers to initialize the next time the computer is started.

  • If you disable or don't configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.

If your malware detection application doesn't include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name POL_DriverLoadPolicy_Name
Friendly Name Boot-Start Driver Initialization Policy
Location Computer Configuration
Path System > Early Launch Antimalware
Registry Key Name System\CurrentControlSet\Policies\EarlyLaunch
Registry Value Name DriverLoadPolicy
ADMX File Name EarlyLaunchAM.admx
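
The Tip at the top of this page says ADMX-backed policies need <Format>chr</Format> and an XML-encoded (or CDATA-wrapped) payload, while the other policies here use Format int with a fixed set of allowed values. The following added example (not part of the original documentation) builds SyncML Replace commands for both kinds and rejects values outside the tables on this page. It assumes the standard SyncML 1.2 envelope and the generic <enabled/> / <disabled/> ADMX payload, neither of which is shown on this page; the function names are hypothetical.

```python
"""Build SyncML <Replace> commands for Policy CSP - System settings (added example)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

BASE = "./Device/Vendor/MSFT/Policy/Config/System/"
NS = {"s": "SYNCML:SYNCML1.2", "m": "syncml:metinf"}

# Allowed values copied from the tables on this page.
# None marks an ADMX-backed policy whose format is chr (string).
ALLOWED = {
    "AllowBuildPreview": {0, 1, 2},
    "AllowExperimentation": {0, 1, 2},
    "AllowLocation": {0, 1, 2},
    "AllowTelemetry": {0, 1, 3},
    "AllowFontProviders": {0, 1},
    "BootStartDriverInitialization": None,
}


def _admx_data(payload, use_cdata):
    """Check an ADMX payload and encode it for the <Data> element."""
    if not isinstance(payload, str):
        raise ValueError("ADMX payload must be a string")
    try:
        root = ET.fromstring(f"<r>{payload}</r>")
    except ET.ParseError as exc:
        raise ValueError(f"ADMX payload is not well-formed XML: {exc}") from None
    leading_text = (root.text or "").strip()
    if leading_text or len(root) == 0 or root[0].tag not in ("enabled", "disabled"):
        raise ValueError("ADMX payload must start with <enabled/> or <disabled/>")
    if use_cdata:
        # A CDATA section ends at the first ']]>', so the payload must not contain it.
        if "]]>" in payload:
            raise ValueError("payload contains ']]>' and cannot be wrapped in CDATA")
        return f"<![CDATA[{payload}]]>"
    return escape(payload)  # &, < and > become entities


def replace_command(policy, value, cmd_id=1, use_cdata=False):
    """Return one <Replace> command, validating the value against ALLOWED."""
    if policy not in ALLOWED:
        raise ValueError(f"unknown policy: {policy}")
    allowed = ALLOWED[policy]
    if allowed is None:
        fmt, data = "chr", _admx_data(value, use_cdata)
    else:
        # bool is an int subclass in Python; reject it so True is not sent as 1.
        if isinstance(value, bool) or not isinstance(value, int) or value not in allowed:
            raise ValueError(f"{policy}: {value!r} not in {sorted(allowed)}")
        fmt, data = "int", str(value)
    return (
        "<Replace>"
        f"<CmdID>{cmd_id}</CmdID>"
        "<Item>"
        f"<Target><LocURI>{BASE}{policy}</LocURI></Target>"
        f'<Meta><Format xmlns="syncml:metinf">{fmt}</Format></Meta>'
        f"<Data>{data}</Data>"
        "</Item>"
        "</Replace>"
    )


def syncml(commands):
    """Wrap commands in a SyncML 1.2 envelope."""
    body = "".join(commands)
    return f'<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody>{body}<Final/></SyncBody></SyncML>'


def decode(document):
    """Parse a SyncML document back into (LocURI, format, data) tuples."""
    out = []
    for item in ET.fromstring(document).iterfind(".//s:Item", NS):
        out.append((
            item.findtext("s:Target/s:LocURI", namespaces=NS),
            item.findtext("s:Meta/m:Format", namespaces=NS),
            item.findtext("s:Data", namespaces=NS),
        ))
    return out


if __name__ == "__main__":
    doc = syncml([
        replace_command("AllowTelemetry", 1, cmd_id=1),
        # <disabled/> keeps the default driver initialization behavior described above.
        replace_command("BootStartDriverInitialization", "<disabled/>", cmd_id=2),
    ])
    print(doc)
    print(decode(doc))
```

Parsing the output with decode() confirms that the entity-encoded and CDATA forms carry the same payload, which is a useful check before handing a profile to an MDM that may or may not support CDATA.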

ConfigureMicrosoft365UploadEndpoint

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Policy/Config/System/ConfigureMicrosoft365UploadEndpoint

This policy sets the upload endpoint for this device's diagnostic data as part of the Desktop Analytics program.

If your organization is participating in the program and has been instructed to configure a custom upload endpoint, then use this setting to define that endpoint.

The value for this setting will be provided by Microsoft as part of the onboarding process for the program.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Group policy mapping:

Name Value
Name ConfigureMicrosoft365UploadEndpoint
Friendly Name Configure diagnostic data upload endpoint for Desktop Analytics
Element Name Desktop Analytics Custom Upload Endpoint.
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx

ConfigureTelemetryOptInChangeNotification

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 [10.0.17134] and later
./Device/Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInChangeNotification

This policy setting controls whether notifications are shown, following a change to diagnostic data opt-in settings, on first logon and when the changes occur in settings.

If you set this policy setting to "Disable diagnostic data change notifications", diagnostic data opt-in change notifications won't appear.

If you set this policy setting to "Enable diagnostic data change notifications" or don't configure this policy setting, diagnostic data opt-in change notifications appear at first logon and when the changes occur in Settings.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Enable telemetry change notifications.
1 Disable telemetry change notifications.

Group policy mapping:

Name Value
Name ConfigureTelemetryOptInChangeNotification
Friendly Name Configure diagnostic data opt-in change notifications
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx

ConfigureTelemetryOptInSettingsUx

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 [10.0.17134] and later
./Device/Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx

This policy setting determines whether an end user can change diagnostic data settings in the Settings app.

If you set this policy setting to "Disable diagnostic data opt-in settings", diagnostic data settings are disabled in the Settings app.

If you don't configure this policy setting, or you set it to "Enable diagnostic data opt-in settings", end users can change the device diagnostic settings in the Settings app.

Note

To set a limit on the amount of diagnostic data that's sent to Microsoft by your organization, use the "Allow Diagnostic Data" policy setting.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Enable Telemetry opt-in Settings.
1 Disable Telemetry opt-in Settings.

Group policy mapping:

Name Value
Name ConfigureTelemetryOptInSettingsUx
Friendly Name Configure diagnostic data opt-in settings user interface
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx

DisableCHPE

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 24H2 with KB5055523 [10.0.26100.3775] and later
./Device/Vendor/MSFT/Policy/Config/System/DisableCHPE

This policy setting controls whether loading CHPE binaries is disabled on the ARM64 device. This policy has no effect on x64 devices.

  • If you enable this policy setting, ARM64 devices won't load CHPE binaries. This setting is required for hotpatching on ARM64 devices.

  • If you disable or don't configure this policy setting, ARM64 devices will load CHPE binaries.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) CHPE Binaries Enabled (Default).
1 CHPE Binaries Disabled.

DisableDeviceDelete

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Policy/Config/System/DisableDeviceDelete

This policy setting controls whether the Delete diagnostic data button is enabled on the Diagnostic & feedback Settings page.

  • If you enable this policy setting, the Delete diagnostic data button will be disabled on the Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device.

  • If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled on the Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Not disabled.
1 Disabled.

Group policy mapping:

Name Value
Name DisableDeviceDelete
Friendly Name Disable deleting diagnostic data
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx

DisableDiagnosticDataViewer

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Policy/Config/System/DisableDiagnosticDataViewer

This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & feedback Settings page.

  • If you enable this policy setting, the Diagnostic Data Viewer won't be enabled on the Settings page, and the viewer is prevented from showing diagnostic data collected by Microsoft from the device.

  • If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled on the Settings page.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Not disabled.
1 Disabled.

Group policy mapping:

Name Value
Name DisableDiagnosticDataViewer
Friendly Name Disable diagnostic data viewer
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx

DisableDirectXDatabaseUpdate

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Device/Vendor/MSFT/Policy/Config/System/DisableDirectXDatabaseUpdate

This group policy allows control over whether the DirectX Database Updater task will be run on the system.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Not disabled.
1 Disabled.

Group policy mapping:

Name Value
Name DisableDirectXDatabaseUpdate
Path GroupPolicy > AT > Network > DirectXDatabase

DisableEnterpriseAuthProxy

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Policy/Config/System/DisableEnterpriseAuthProxy

This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or don't configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 Enable.
0 (Default) Disable.

Group policy mapping:

Name Value
Name DisableEnterpriseAuthProxy
Friendly Name Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx

DisableOneDriveFileSync

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/System/DisableOneDriveFileSync

This policy setting lets you prevent apps and features from working with files on OneDrive.

  • If you enable this policy setting:

      • Users can't access OneDrive from the OneDrive app and file picker.

      • Packaged Microsoft Store apps can't access OneDrive using the WinRT API.

      • OneDrive doesn't appear in the navigation pane in File Explorer.

      • OneDrive files aren't kept in sync with the cloud.

      • Users can't automatically upload photos and videos from the camera roll folder.

  • If you disable or don't configure this policy setting, apps and features can work with OneDrive file storage.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Sync enabled.
1 Sync disabled.

Group policy mapping:

Name Value
Name PreventOnedriveFileSync
Friendly Name Prevent the usage of OneDrive for file storage
Location Computer Configuration
Path Windows Components > OneDrive
Registry Key Name Software\Policies\Microsoft\Windows\OneDrive
Registry Value Name DisableFileSyncNGSC
ADMX File Name SkyDrive.admx

DisableOneSettingsDownloads

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/System/DisableOneSettingsDownloads

This policy setting controls whether Windows attempts to connect with the OneSettings service.

  • If you enable this policy, Windows won't attempt to connect with the OneSettings Service.

  • If you disable or don't configure this policy setting, Windows will periodically attempt to connect with the OneSettings service to download configuration settings.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Not disabled.
1 Disabled.

Group policy mapping:

Name Value
Name DisableOneSettingsDownloads
Friendly Name Disable OneSettings Downloads
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx

DisableSystemRestore

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/System/DisableSystemRestore

Allows you to disable System Restore.

This policy setting allows you to turn off System Restore.

System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume.

  • If you enable this policy setting, System Restore is turned off, and the System Restore Wizard can't be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled.

  • If you disable or don't configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection.

Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name SR_DisableSR
Friendly Name Turn off System Restore
Location Computer Configuration
Path System > System Restore
Registry Key Name Software\Policies\Microsoft\Windows NT\SystemRestore
Registry Value Name DisableSR
ADMX File Name SystemRestore.admx

EnableHotpatchAutoRemediation

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 24H2 with KB5063878 [10.0.26100.4946] and later
./Device/Vendor/MSFT/Policy/Config/System/EnableHotpatchAutoRemediation

This policy setting controls whether Automatic Remediation is enabled on the hotpatch enrolled device. This policy has no effect on devices that don't have hotpatch updates installed.

  • If you enable this policy setting, Automatic Remediation is enabled on the hotpatch enrolled device.

  • If you disable or don't configure this policy setting, Automatic Remediation is disabled on the hotpatch enrolled device.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Automatic Remediation isn't enabled (Default).
1 Automatic Remediation is enabled.

EnableOneSettingsAuditing

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/System/EnableOneSettingsAuditing

This policy setting controls whether Windows records attempts to connect with the OneSettings service to the EventLog.

  • If you enable this policy, Windows will record attempts to connect with the OneSettings service to the Microsoft\Windows\Privacy-Auditing\Operational EventLog channel.

  • If you disable or don't configure this policy setting, Windows won't record attempts to connect with the OneSettings service to the EventLog.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disabled.
1 Enabled.

Group policy mapping:

Name Value
Name EnableOneSettingsAuditing
Friendly Name Enable OneSettings Auditing
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx

FeedbackHubAlwaysSaveDiagnosticsLocally

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Policy/Config/System/FeedbackHubAlwaysSaveDiagnosticsLocally

Diagnostic files created when feedback is filed in the Feedback Hub app will always be saved locally. If this policy isn't present or is set to false, users will be presented with the option to save locally. The default is to not save locally.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) False. The Feedback Hub won't always save a local copy of diagnostics that may be created when feedback is submitted. The user will have the option to do so.
1 True. The Feedback Hub should always save a local copy of diagnostics that may be created when feedback is submitted.

HideUnsupportedHardwareNotifications

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 24H2 [10.0.26100] and later
./Device/Vendor/MSFT/Policy/Config/System/HideUnsupportedHardwareNotifications

This policy controls messages which are shown when Windows is running on a device that doesn't meet the minimum system requirements for this OS version.

  • If you enable this policy setting, these messages will never appear on desktop or in the Settings app.

  • If you disable or don't configure this policy setting, these messages will appear on desktop and in the Settings app when Windows is running on a device that doesn't meet the minimum system requirements for this OS version.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disabled.
1 Enabled.

Group policy mapping:

Name Value
Name HideUnsupportedHardwareNotifications
Friendly Name Hide messages when Windows system requirements are not met
Location Computer Configuration
Path System
Registry Key Name Software\Microsoft\Windows\CurrentVersion\Policies\System
Registry Value Name HideUnsupportedHardwareNotifications
ADMX File Name ControlPanel.admx

LimitDiagnosticLogCollection

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection

This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device. Diagnostic logs are only sent when the device has been configured to send optional diagnostic data.

By enabling this policy setting, diagnostic logs won't be collected.

If you disable or don't configure this policy setting, we may occasionally collect diagnostic logs if the device has been configured to send optional diagnostic data.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disabled.
1 Enabled.

Group policy mapping:

Name Value
Name LimitDiagnosticLogCollection
Friendly Name Limit Diagnostic Log Collection
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx

LimitDumpCollection

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection

This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. Dumps are only sent when the device has been configured to send optional diagnostic data.

By enabling this setting, Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps.

If you disable or don't configure this policy setting, we may occasionally collect full or heap dumps if the user has opted to send optional diagnostic data.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disabled.
1 Enabled.

Group policy mapping:

Name Value
Name LimitDumpCollection
Friendly Name Limit Dump Collection
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx

LimitEnhancedDiagnosticDataWindowsAnalytics

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics

This policy setting, in combination with the "Allow Diagnostic Data" policy setting, enables organizations to send the minimum data required by Desktop Analytics.

To enable the behavior described above, complete the following steps:

  1. Enable this policy setting.

  2. Set the "Allow Diagnostic Data" policy to "Send optional diagnostic data".

  3. Enable the "Limit Dump Collection" policy.

  4. Enable the "Limit Diagnostic Log Collection" policy.

When these policies are configured, Microsoft will collect only required diagnostic data and the events required by Desktop Analytics, which can be viewed at https://go.microsoft.com/fwlink/?linkid=2116020

If you disable or don't configure this policy setting, diagnostic data collection is determined by the "Allow Diagnostic Data" policy setting or by the end user from the Settings app.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disabled.
1 Enabled.

Group policy mapping:

Name Value
Name LimitEnhancedDiagnosticDataWindowsAnalytics
Friendly Name Limit optional diagnostic data for Desktop Analytics
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx
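
The four steps above, together with the ADMX-backed chr format that DisableSystemRestore requires, built as SyncML in Python and parsed back to confirm what a client would apply. This is an added example, not part of the original reference: the function names are hypothetical, and the AllowTelemetry value 3 and the `<enabled/>` payload are assumptions to confirm against the AllowTelemetry section and "Understanding ADMX-backed policies".

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

POLICY_ROOT = "./Device/Vendor/MSFT/Policy/Config/System/"
NS = {"s": "SYNCML:SYNCML1.2", "m": "syncml:metinf"}

# Steps 1-4 of the LimitEnhancedDiagnosticDataWindowsAnalytics section.
# Assumption: "Allow Diagnostic Data" is this CSP's AllowTelemetry policy and
# 3 is its "Send optional diagnostic data" value.
DESKTOP_ANALYTICS_STEPS = [
    ("LimitEnhancedDiagnosticDataWindowsAnalytics", "int", "1"),
    ("AllowTelemetry", "int", "3"),
    ("LimitDumpCollection", "int", "1"),
    ("LimitDiagnosticLogCollection", "int", "1"),
]

# ADMX-backed policy: Format is chr and the data is an ADMX element.
# Assumption: "<enabled/>" is the payload that turns the policy on.
DISABLE_SYSTEM_RESTORE = ("DisableSystemRestore", "chr", "<enabled/>")


def replace_command(cmd_id, policy, fmt, value):
    """Return one <Replace> command with an XML-encoded payload (no CDATA)."""
    if fmt not in ("int", "chr"):
        raise ValueError(f"unsupported format: {fmt}")
    if fmt == "int" and not value.isdigit():
        raise ValueError(f"{policy}: int policy needs a numeric value")
    if not policy.isalnum():
        raise ValueError(f"bad policy name: {policy!r}")
    return (
        "    <Replace>\n"
        f"      <CmdID>{cmd_id}</CmdID>\n"
        "      <Item>\n"
        f"        <Target><LocURI>{POLICY_ROOT}{policy}</LocURI></Target>\n"
        f'        <Meta><Format xmlns="syncml:metinf">{fmt}</Format></Meta>\n'
        f"        <Data>{escape(value)}</Data>\n"
        "      </Item>\n"
        "    </Replace>\n"
    )


def build_syncml(settings):
    """Wrap (policy, format, value) tuples in a single SyncML body."""
    body = "".join(replace_command(i, *s) for i, s in enumerate(settings, 1))
    return (
        '<SyncML xmlns="SYNCML:SYNCML1.2">\n  <SyncBody>\n'
        f"{body}    <Final/>\n  </SyncBody>\n</SyncML>\n"
    )


def read_back(syncml):
    """Parse the document and return (LocURI, format, decoded data) per item."""
    root = ET.fromstring(syncml)
    found = []
    for item in root.iterfind("s:SyncBody/s:Replace/s:Item", NS):
        found.append((
            item.findtext("s:Target/s:LocURI", namespaces=NS),
            item.findtext("s:Meta/m:Format", namespaces=NS),
            item.findtext("s:Data", namespaces=NS),
        ))
    return found


if __name__ == "__main__":
    print(build_syncml(DESKTOP_ANALYTICS_STEPS + [DISABLE_SYSTEM_RESTORE]))
```

Sending all four Desktop Analytics settings in one body avoids the intermediate state where optional diagnostic data is allowed but the dump and log limits are not yet in place.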

TelemetryProxy

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/System/TelemetryProxy

With this policy setting, you can forward Connected User Experience and Telemetry requests to a proxy server.

If you enable this policy setting, you can specify the FQDN or IP address of the destination device within your organization's network (and optionally a port number, if desired). The connection will be made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if you disable or don't configure this policy setting, Connected User Experience and Telemetry data will be sent to Microsoft using the default proxy configuration.

The format for this setting is <server>:<port>

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Group policy mapping:

Name Value
Name TelemetryProxy
Friendly Name Configure Connected User Experiences and Telemetry
Element Name Proxy Server Name.
Location Computer Configuration
Path WindowsComponents > Data Collection and Preview Builds
Registry Key Name Software\Policies\Microsoft\Windows\DataCollection
ADMX File Name DataCollection.admx
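
Because a proxy that fails causes data to be sent using the default proxy configuration, a malformed TelemetryProxy value is worth rejecting before it is deployed. The following pre-deployment check for the `<server>:<port>` format is an added example, not part of the original reference: the function name and the `internal_suffixes` allow-list are hypothetical, the rules are stricter than Windows may be, and IPv6 literals are not handled because the page doesn't say how they would be written.

```python
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_telemetry_proxy(value, internal_suffixes=()):
    """Validate a TelemetryProxy string and return (host, port_or_None).

    internal_suffixes is a hypothetical allow-list of the organization's DNS
    suffixes; an IP address must be non-public (ipaddress.is_private) instead.
    """
    if not value or value != value.strip():
        raise ValueError("empty value or surrounding whitespace")
    if "://" in value or "/" in value or "@" in value:
        raise ValueError("expected <server>:<port>, not a URL")
    host, sep, port_text = value.partition(":")
    if ":" in port_text:
        raise ValueError("more than one ':' (IPv6 literals are not handled)")
    port = None
    if sep:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad port: {port_text!r}")
        port = int(port_text)

    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip.is_private:
            raise ValueError(f"{host} is not an internal address")
        return str(ip), port

    host = host.lower()
    labels = host.split(".")
    if len(labels) < 2 or len(host) > 253:
        raise ValueError(f"{host!r} is not a fully qualified name")
    if labels[-1].isdigit():
        raise ValueError(f"{host!r} looks like a malformed IPv4 address")
    if not all(LABEL.match(label) for label in labels):
        raise ValueError(f"{host!r} contains an invalid DNS label")
    if internal_suffixes and not any(
        host == s or host.endswith("." + s) for s in internal_suffixes
    ):
        raise ValueError(f"{host} is outside the allowed internal suffixes")
    return host, port


if __name__ == "__main__":
    # Constructed sample value; corp.example is a placeholder suffix.
    print(parse_telemetry_proxy("telemetry-proxy.corp.example:8443",
                                ("corp.example",)))
```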

TurnOffFileHistory

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Device/Vendor/MSFT/Policy/Config/System/TurnOffFileHistory

This policy setting allows you to turn off File History.

  • If you enable this policy setting, File History can't be activated to create regular, automatic backups.

  • If you disable or don't configure this policy setting, File History can be activated to create regular, automatic backups.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Allow file history.
1 Turn off file history.

Group policy mapping:

Name Value
Name DisableFileHistory
Friendly Name Turn off File History
Location Computer Configuration
Path Windows Components > File History
Registry Key Name Software\Policies\Microsoft\Windows\FileHistory
Registry Value Name Disabled
ADMX File Name FileHistory.admx

Policy configuration service provider