Set-PolicyConfig
This cmdlet is available only in Security & Compliance PowerShell. For more information, see Security & Compliance PowerShell.
Use the Set-PolicyConfig cmdlet to modify the endpoint restrictions that are configured in the organization.
For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.
Syntax
Set-PolicyConfig
[[-Identity] <OrganizationIdParameter>]
[-CaseHoldPolicyLimit <Int32>]
[-ClassificationScheme <ClassificationScheme>]
[-ComplianceUrl <String>]
[-Confirm]
[-DlpAppGroups <PswsHashtable[]>]
[-DlpAppGroupsPsws <PswsHashtable[]>]
[-DlpExtensionGroups <PswsHashtable[]>]
[-DlpNetworkShareGroups <PswsHashtable>]
[-DlpPrinterGroups <PswsHashtable>]
[-DlpRemovableMediaGroups <PswsHashtable>]
[-DocumentIsUnsupportedSeverity <RuleSeverity>]
[-EnableAdvancedRuleBuilder <Boolean>]
[-EnableLabelCoauth <Boolean>]
[-EnableSpoAipMigration <Boolean>]
[-EndpointDlpGlobalSettings <PswsHashtable[]>]
[-EndpointDlpGlobalSettingsPsws <PswsHashtable[]>]
[-ExtendTeamsDlpPoliciesToSharePointOneDrive <Boolean>]
[-InformationBarrierMode <InformationBarrierMode>]
[-InformationBarrierPeopleSearchRestriction <InformationBarrierPeopleSearchRestriction>]
[-IsDlpSimulationOptedIn <Boolean>]
[-OnPremisesWorkload <Workload>]
[-ProcessingLimitExceededSeverity <RuleSeverity>]
[-PurviewLabelConsent <Boolean>]
[-ReservedForFutureUse <Boolean>]
[-RetentionForwardCrawl <Boolean>]
[-RuleErrorAction <PolicyRuleErrorAction>]
[-SenderAddressLocation <PolicySenderAddressLocation>]
[-SiteGroups <PswsHashtable[]>]
[-SiteGroupsPsws <PswsHashtable[]>]
[-WhatIf]
[<CommonParameters>]
Description
To use this cmdlet in Security & Compliance PowerShell, you need to be assigned permissions. For more information, see Permissions in the Microsoft Purview compliance portal.
Examples
Example 1
{{ Add example code here }}
{{ Add example description here }}
Parameters
-CaseHoldPolicyLimit
{{ Fill CaseHoldPolicyLimit Description }}
Type: | Int32 |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-ClassificationScheme
{{ Fill ClassificationScheme Description }}
Type: | ClassificationScheme |
Accepted values: | Default, V0_AggregatedOnly, V1_DetailedResults |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-ComplianceUrl
{{ Fill ComplianceUrl Description }}
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-Confirm
The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on whether the cmdlet requires confirmation before proceeding.
- Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.
- Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you to acknowledge the command before proceeding.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-DlpAppGroups
{{ Fill DlpAppGroups Description }}
Type: | PswsHashtable[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-DlpAppGroupsPsws
{{ Fill DlpAppGroupsPsws Description }}
Type: | PswsHashtable[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-DlpExtensionGroups
{{ Fill DlpExtensionGroups Description }}
Type: | PswsHashtable[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-DlpNetworkShareGroups
{{ Fill DlpNetworkShareGroups Description }}
Type: | PswsHashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-DlpPrinterGroups
{{ Fill DlpPrinterGroups Description }}
Type: | PswsHashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-DlpRemovableMediaGroups
{{ Fill DlpRemovableMediaGroups Description }}
Type: | PswsHashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-DocumentIsUnsupportedSeverity
{{ Fill DocumentIsUnsupportedSeverity Description }}
Type: | RuleSeverity |
Accepted values: | Low, Medium, High, None, Informational, Information |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-EnableAdvancedRuleBuilder
{{ Fill EnableAdvancedRuleBuilder Description }}
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-EnableLabelCoauth
The EnableLabelCoauth parameter enables or disables co-authoring support in Office desktop apps for the entire organization. Valid values are:
- $true: Co-authoring support in Office desktop apps is enabled. When documents are labeled and encrypted by sensitivity labels, multiple users can edit these documents at the same time. Labeling information for unencrypted files is no longer saved in custom properties. Don't enable co-authoring if you use any apps, services, scripts, or tools that read or write labeling metadata to the old location.
- $false: Co-authoring support in Office desktop apps is disabled.
Disabling co-authoring support in Office desktop apps in the organization has the following consequences:
- For apps and services that support the new labeling metadata, they now revert to the original metadata format and location when labels are read or saved.
- The new metadata format and location for Office documents that was used while the setting was enabled will not be copied to the original format and location. As a result, this labeling information for unencrypted Word, Excel, and PowerPoint files will be lost.
- Co-authoring and AutoSave no longer work in your organization for labeled and encrypted documents.
- Sensitivity labels remain enabled for Office files in OneDrive and SharePoint.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-EnableSpoAipMigration
The EnableSpoAipMigration parameter enables or disables built-in labeling for supported Office files in SharePoint and OneDrive. Valid values are:
- $true: Users can apply your sensitivity labels in Office for the web. Users will see the Sensitivity button on the ribbon so they can apply labels, and see any applied label name on the status bar.
- $false: Users can't apply your sensitivity labels in Office for the web.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-EndpointDlpGlobalSettings
The EndpointDlpGlobalSettings parameter specifies the global endpoints. This parameter uses the following syntax: @(@{"Setting"="<Setting>"; "Value"="<Value>"},@{"Setting"="<Setting>"; "Value"="<Value>"},...).
The value of <Setting> is one of the supported values.
Example values:
@{"Setting"="PathExclusion"; "Value"="C:\Windows"}
@{"Setting"="PathExclusion"; "Value"="%AppData%\Mozilla"}
@{"Setting"="PathExclusion"; "Value"="C:\Users\*\Desktop"}
@{"Setting"="UnallowedApp"; "Value"="Notepad ++"; "Executable"="notepad++"}
@{"Setting"="UnallowedApp"; "Value"="<Value>"; "Executable"="cmd"}
@{"Setting"="UnallowedBrowser"; "Value"="Chrome"; "Executable"="chrome"}
@{"Setting"="CloudAppRestrictions"; "Value"="Allow"}
@{"Setting"="CloudAppRestrictionList"; "Value"="1.1.2.2"}
@{"Setting"="CloudAppRestrictionList"; "Value"="subdomain.com"}
@{"Setting"="CloudAppRestrictionList"; "Value"="another.differentdomain.edu"}
@{"Setting"="ShowEndpointJustificationDropdown"; "Value"="True"}
Type: | PswsHashtable[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
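Because the WhatIf switch doesn't work in Security & Compliance PowerShell, the following added example (not part of the original reference) checks the shape of an EndpointDlpGlobalSettings array locally and then uses the Confirm switch to pause before the change is applied. It assumes an already connected Security & Compliance PowerShell session; Test-EndpointDlpSetting is a hypothetical helper, the setting values are constructed samples, and the "Value" plus "Executable" shape for app and browser entries is an assumption based on the syntax shown for this parameter.

```powershell
# Constructed sample entries in the documented @{"Setting"=...; "Value"=...} shape.
$settings = @(
    @{ "Setting" = "PathExclusion";        "Value" = "C:\Users\*\Desktop" },
    @{ "Setting" = "UnallowedBrowser";     "Value" = "Chrome"; "Executable" = "chrome" },
    @{ "Setting" = "CloudAppRestrictions"; "Value" = "Allow" }
)

# Hypothetical helper (not a Microsoft cmdlet): validates entry shape before anything
# is sent, since -WhatIf cannot be used to preview the change.
function Test-EndpointDlpSetting {
    param([Parameter(Mandatory)][hashtable[]]$Entries)

    $problems = foreach ($i in 0..($Entries.Count - 1)) {
        $entry = $Entries[$i]

        # Every entry needs a non-empty Setting and Value.
        foreach ($key in 'Setting', 'Value') {
            if (-not $entry.ContainsKey($key) -or
                [string]::IsNullOrWhiteSpace([string]$entry[$key])) {
                "Entry ${i}: missing or empty '$key'"
            }
        }

        # Catch misspelled keys such as "Vaule" that would otherwise be sent as-is.
        $extra = $entry.Keys | Where-Object { $_ -notin 'Setting', 'Value', 'Executable' }
        if ($extra) { "Entry ${i}: unexpected key(s): $($extra -join ', ')" }
    }
    return @($problems)
}

$problems = Test-EndpointDlpSetting -Entries $settings
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Endpoint DLP settings failed local validation; nothing was sent."
}

# Show what is about to be submitted, then let -Confirm pause before the change.
$settings | ForEach-Object { [pscustomobject]$_ } | Format-Table Setting, Value, Executable
Set-PolicyConfig -EndpointDlpGlobalSettings $settings -Confirm
```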
-EndpointDlpGlobalSettingsPsws
{{ Fill EndpointDlpGlobalSettingsPsws Description }}
Type: | PswsHashtable[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-ExtendTeamsDlpPoliciesToSharePointOneDrive
The ExtendTeamsDlpPoliciesToSharePointOneDrive parameter enables the Teams DLP Policy to automatically extend protection to the content stored in OneDrive shared in 1:1 chats and content stored in SharePoint associated with Teams teams shared through channel chats. Valid values are:
- $true
- $false
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-Identity
You don't need to use this parameter. The only endpoint restrictions object in the organization is named Settings.
Type: | OrganizationIdParameter |
Position: | 0 |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-InformationBarrierMode
The InformationBarrierMode parameter specifies the mode that controls the total number of segments and how many segments a user can be part of. Valid values are:
- SingleSegment: Users in the organization can have 5000 segments but can only be assigned to one segment.
- MultiSegment: Users in the organization can have 5000 segments and can be assigned up to 10 segments. For more information, see Use multi-segment support in information barriers.
Type: | InformationBarrierMode |
Accepted values: | SingleSegment, MultiSegment |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-InformationBarrierPeopleSearchRestriction
{{ Fill InformationBarrierPeopleSearchRestriction Description }}
Type: | InformationBarrierPeopleSearchRestriction |
Accepted values: | Enabled, Disabled |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-IsDlpSimulationOptedIn
{{ Fill IsDlpSimulationOptedIn Description }}
Type: | Boolean |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-OnPremisesWorkload
{{ Fill OnPremisesWorkload Description }}
Type: | Workload |
Accepted values: | None, Exchange, SharePoint, Intune, OneDriveForBusiness, PublicFolder, SharePointOnPremises, ExchangeOnPremises, AuditAlerting, Skype, ModernGroup, DynamicScope, Teams, UnifiedAuditAzure, EndpointDevices, ThirdPartyApps, OnPremisesScanner |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-ProcessingLimitExceededSeverity
{{ Fill ProcessingLimitExceededSeverity Description }}
Type: | RuleSeverity |
Accepted values: | Low, Medium, High, None, Informational, Information |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-PurviewLabelConsent
{{ Fill PurviewLabelConsent Description }}
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-ReservedForFutureUse
{{ Fill ReservedForFutureUse Description }}
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-RetentionForwardCrawl
{{ Fill RetentionForwardCrawl Description }}
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-RuleErrorAction
The RuleErrorAction parameter specifies what to do if an error is encountered during the evaluation of the rule. Valid values are:
- Ignore
- RetryThenBlock (This is the default value)
Type: | PolicyRuleErrorAction |
Accepted values: | Ignore, RetryThenBlock |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-SenderAddressLocation
The SenderAddressLocation parameter specifies where to look for sender addresses in conditions and exceptions that examine sender email addresses. Valid values are:
- Header: Only examine senders in the message headers (for example, the From, Sender, or Reply-To fields). This is the default value.
- Envelope: Only examine senders from the message envelope (the MAIL FROM value that was used in the SMTP transmission, which is typically stored in the Return-Path field).
- HeaderOrEnvelope: Examine senders in the message header and the message envelope.
Type: | PolicySenderAddressLocation |
Accepted values: | Header, Envelope, HeaderOrEnvelope |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-SiteGroups
{{ Fill SiteGroups Description }}
Type: | PswsHashtable[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-SiteGroupsPsws
{{ Fill SiteGroupsPsws Description }}
Type: | PswsHashtable[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-WhatIf
The WhatIf switch doesn't work in Security & Compliance PowerShell.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |