- Specify a common set of Windows Defender Exploit Guard system and application mitigation settings that can be applied to all endpoints that have this GP setting configured. There are some prerequisites before you can enable this setting: – Manually configure a device’s system and application mitigation settings using the Set-ProcessMitigation PowerShell cmdlet, the ConvertTo-ProcessMitigationPolicy PowerShell cmdlet, or directly in the Windows Defender Security Center. – Generate an XML file with the settings from the device by running the Get-ProcessMitigation PowerShell cmdlet or using the Export button at the bottom of the Exploit Protection area in the Windows Defender Security Center. – Place the generated XML file in a shared or local path. Note: Endpoints that have this GP setting set to Enabled must be able to access the XML file, otherwise the settings will not be applied. Enabled Specify the location of the XML file in the Options section. You can use a local (or mapped) path, a UNC path, or a URL, such as the following: – C:\MitigationSettings\Config.XML – \\Server\Share\Config.xml – https://localhost:8080/Config.xml The settings in the XML file will be applied to the endpoint. Disabled Common settings will not be applied, and the locally configured settings will be used instead. Not configured Same as Disabled.
| Use a common set of exploit protection settings |
Windows Components\Windows Defender Exploit Guard\Exploit Protection |
|
- The handwriting panel has 2 modes – floats near the text box, or, attached to the bottom of the screen. Default is floating near text box. If you want the panel to be fixed, use this policy to fix it to the bottom.
| Handwriting Panel Default Mode Docked |
Windows Components\Handwriting |
|
- This policy setting allows backup and restore of cellular text messages to Microsoft’s cloud services.
| Allow Message Service Cloud Sync |
Windows Components\Messaging |
|
- This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. If you enable this setting, you can set favorite URL’s and favorite folders to appear on top of users’ favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. Important Don’t enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don’t configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
| Provision Favorites |
Windows Components\Microsoft Edge |
|
- This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. If you enable this setting, you can set favorite URL’s and favorite folders to appear on top of users’ favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. Important Don’t enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don’t configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
| Provision Favorites |
Windows Components\Microsoft Edge |
|
- This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. If you enable this setting, employees won’t be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. Important Don’t enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don’t configure this setting (default), employees can add, import and make changes to the Favorites list.
| Prevent changes to Favorites on Microsoft Edge |
Windows Components\Microsoft Edge |
|
- This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. If you enable this setting, employees won’t be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. Important Don’t enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don’t configure this setting (default), employees can add, import and make changes to the Favorites list.
| Prevent changes to Favorites on Microsoft Edge |
Windows Components\Microsoft Edge |
|
- This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface.
| Specify global DNS |
Network\Network Connectivity Status Indicator |
|
- Allows downloading new updates to ML Model parameters for predicting storage disk failure. Enabled: Updates would be downloaded for the Disk Failure Prediction Failure Model. Disabled: Updates would not be downloaded for the Disk Failure Prediction Failure Model. Not configured: Same as Enabled.
| Allow downloading updates to the Disk Failure Prediction Model |
System\Storage Health |
|
- This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows.
| Enable Device Health Attestation Monitoring and Reporting |
System\Device Health Attestation Service |
|
- This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state.
| Configure the system to clear the TPM if it is not in a ready state. |
System\Trusted Platform Module Services |
|
- Enable or disable Windows Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet. Enabled: Specify the mode in the Options section: -Block: Users and applications will not be able to access dangerous domains -Audit Mode: Users and applications can connect to dangerous domains, however if this feature would have blocked access if it were set to Block, then a record of the event will be in the event logs. Disabled: Users and applications will not be blocked from connecting to dangerous domains. Not configured: Same as Disabled.
| Prevent users and apps from accessing dangerous websites |
Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Network Protection |
|
- Enable or disable controlled folder access for untrusted applications. Block: Untrusted applications cannot modify or delete files in protected folders, such as the Documents folder. Disabled: All applications can modify or delete files in protected folders, such as the Documents folder. Audit Mode: Applications that would normally be considered “”untrusted”” if the setting was Enabled will still be able to modify or delete files in protected folders. However, each event will be recorded in the Windows event log. Not configured: Same as Disabled. Windows Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the configure allowed applications GP setting. Default system folders are automatically guarded, but you can add folders in the configure protected folders GP setting.
| Configure Controlled folder access |
Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access |
|
- Set the state for each Attack Surface Reduction (ASR) rule. After enabling this setting, you can set each rule to the following in the Options section: – Block: the rule will be applied – Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied) – Off: the rule will not be applied Enabled: Specify the state for each ASR rule under the Options section for this setting. Enter each rule on a new line as a name-value pair: – Name column: Enter a valid ASR rule ID – Value column: Enter the status ID that relates to state you want to specify for the associated rule The following status IDs are permitted under the value column: – 1 (Block) – 0 (Off) – 2 (Audit) Example: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 Disabled: No ASR rules will be configured. Not configured: Same as Disabled. You can exclude folders or files in the “”Exclude files and paths from Attack Surface Reduction Rules”” GP setting.
| Configure Attack Surface Reduction rules |
Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction |
|
- Exclude files and paths from Attack Surface Reduction (ASR) rules. Enabled: Specify the folders or files and resources that should be excluded from ASR rules in the Options section. Enter each rule on a new line as a name-value pair: – Name column: Enter a folder path or a fully qualified resource name. For example, “”C:\Windows”” will exclude all files in that directory. “”C:\Windows\App.exe”” will exclude only that specific file in that specific folder – Value column: Enter “”0″” for each item Disabled: No exclusions will be applied to the ASR rules. Not configured: Same as Disabled. You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting.
| Exclude files and paths from Attack Surface Reduction Rules |
Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction |
|
- Add additional applications that should be considered “trusted” by controlled folder access. These applications are allowed to modify or delete files in controlled folder access folders. Windows Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications. Enabled: Specify additional allowed applications in the Options section.. Disabled: No additional applications will be added to the trusted list. Not configured: Same as Disabled. You can enable controlled folder access in the Configure controlled folder access GP setting. Default system folders are automatically guarded, but you can add folders in the configure protected folders GP setting.
| Configure allowed applications |
Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access |
|
- Specify additional folders that should be guarded by the Controlled folder access feature. Files in these folders cannot be modified or deleted by untrusted applications. Default system folders are automatically protected. You can configure this setting to add additional folders. The list of default system folders that are protected is shown in the Windows Defender Security Center. Enabled: Specify additional folders that should be protected in the Options section. Disabled: No additional folders will be protected. Not configured: Same as Disabled. You can enable controlled folder access in the Configure controlled folder access GP setting. Windows Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting.
| Configure protected folders |
Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access |
|
- Hide the Firewall and network protection area in the Windows Defender Security Center. Enabled: The Firewall and network protection area will be hidden. Disabled: The Firewall and network protection area will be shown. Not configured: Same as Disabled.
| Hide the Virus and threat protection area |
Windows Components\Windows Defender Security Center\Virus and threat protection |
|
- Hide the Firewall and network protection area in the Windows Defender Security Center. Enabled: The Firewall and network protection area will be hidden. Disabled: The Firewall and network protection area will be shown. Not configured: Same as Disabled.
| Hide the Firewall and network protection area |
Windows Components\Windows Defender Security Center\Firewall and network protection |
|
- Hide the App and browser protection area in the Windows Defender Security Center. Enabled: The App and browser protection area will be hidden. Disabled: The App and browser protection area will be shown. Not configured: Same as Disabled.
| Hide the App and browser protection area |
Windows Components\Windows Defender Security Center\App and browser protection |
|
- Prevent users from making changes to the Exploit protection settings area in the Windows Defender Security Center. Enabled: Local users can not make changes in the Exploit protection settings area. Disabled: Local users are allowed to make changes in the Exploit protection settings area. Not configured: Same as Disabled.
| Prevent users from modifying settings |
Windows Components\Windows Defender Security Center\App and browser protection |
|
- Hide the Device performance and health area in the Windows Defender Security Center. Enabled: The Device performance and health area will be hidden. Disabled: The Device performance and health area will be shown. Not configured: Same as Disabled.
| Hide the Device performance and health area |
Windows Components\Windows Defender Security Center\Device performance and health |
|
- Hide the Family options area in the Windows Defender Security Center. Enabled: The Family options area will be hidden. Disabled: The Family options area will be shown. Not configured: Same as Disabled.
| Hide the Family options area |
Windows Components\Windows Defender Security Center\Family options |
|
- Hide notifications from the Windows Defender Security Center. Enabled: Local users will not see notifications from the Windows Defender Security Center. Disabled: Local users can see notifications from the Windows Defender Security Center. Not configured: Same as Disabled.
| Hide all notifications |
Windows Components\Windows Defender Security Center\Notifications |
|
- Only show critical notifications from the Windows Defender Security Center. If the Suppress all notifications GP setting has been enabled, this setting will have no effect. Enabled: Local users will only see critical notifications from the Windows Defender Security Center. They will not see other types of notifications, such as regular PC or device health information. Disabled: Local users will see all types of notifications from the Windows Defender Security Center. Not configured: Same as Disabled.
| Hide non-critical notifications |
Windows Components\Windows Defender Security Center\Notifications |
|
- Display specified contact information to local users in Windows Defender Security Center notifications. Enabled: Your company contact information will be displayed in notifications that come from the Windows Defender Security Center. After setting this to Enabled, you must configure the Specify contact company name GP setting and at least one of the following GP settings: -Specify contact phone number or Skype ID -Specify contact email number or email ID -Specify contact website Disabled: No contact information will be shown on notifications. Not configured: Same as Disabled.
| Configure customized notifications |
Windows Components\Windows Defender Security Center\Enterprise Customization |
|
- Display specified contact information to local users in a contact card flyout menu in the Windows Defender Security Center Enabled: Your company contact information will be displayed in a flyout menu in the Windows Defender Security Center. After setting this to Enabled, you must configure the Specify contact company name GP setting and at least one of the following GP settings: -Specify contact phone number or Skype ID -Specify contact email number or email ID -Specify contact website Disabled: No contact information will be shown in the Windows Defender Security Center. Not configured: Same as Disabled.
| Configure customized contact information |
Windows Components\Windows Defender Security Center\Enterprise Customization |
|
- Specify the company name that will be displayed in the Windows Defender Security Center and associated notifications. This setting must be enabled for any contact information to appear. Enabled: Enter the company name in the Options section. Disabled: Company information will not be shown at all in either the Windows Defender Security Center or any notifications that it creates. Not configured: Same as Disabled.
| Specify contact company name |
Windows Components\Windows Defender Security Center\Enterprise Customization |
|
- Specify the phone number or Skype ID that will be displayed in the Windows Defender Security Center and associated notifications. Users can click on the contact information to automatically call the supplied number. Skype will be used to initiate the call. Enabled: Enter the phone number or Skype ID in the Options section. Disabled: A contact phone number or Skype ID will not be shown in either the Windows Defender Security Center or any notifications it creates. Not configured: Same as Disabled.
| Specify contact phone number or Skype ID |
Windows Components\Windows Defender Security Center\Enterprise Customization |
|
- Specify the email address or email ID that will be displayed in the Windows Defender Security Center and associated notifications. Users can click on the contact information to create an email that will be sent to the specified address. The default email application will be used. Enabled: Enter the email address or email ID in the Options section. Disabled: A contact email address or email ID will not be shown in either the Windows Defender Security Center or any notifications it creates. Not configured: Same as Disabled.
| Specify contact email address or Email ID |
Windows Components\Windows Defender Security Center\Enterprise Customization |
|
- Specify the URL that will be displayed in the Windows Defender Security Center and associated notifications. Users can click on the contact information to visit the specified website. The default web browser will be used. Enabled: Enter the URL in the Options section. Disabled: A contact website URL will not be shown in either the Windows Defender Security Center or any notifications it creates. Not configured: Same as Disabled.
| Specify contact website |
Windows Components\Windows Defender Security Center\Enterprise Customization |
|
- Selecting “Disable preview builds” will prevent preview builds from installing on the device. This will prevent users from opting into the Windows Insider Program, through Settings -> Update and Security. Selecting “Disable preview builds once next release is public” will prevent preview builds from installing once the next Windows release is public. This option is useful when your device is set up to install preview and you want to gracefully opt out the device for flighting. This option will provide preview builds until devices reaches the next public release. Selecting “Enable preview builds” will enable preview builds installation on the device. Users can download and install Windows preview builds on their devices by opting-in through Settings -> Update and Security -> Windows Insider Program. Admins can also use other policies to manage flight settings on behalf of users when this value is set.
| Manage preview builds |
Windows Components\Windows Update\Windows Update for Business |
|
