Policy CSP - Security
AllowAddProvisioningPackage
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/Security/AllowAddProvisioningPackage
Specifies whether to allow the runtime configuration agent to install provisioning packages.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 1 |
Allowed values:
Value | Description |
---|---|
0 | Not allowed. |
1 (Default) | Allowed. |
AllowManualRootCertificateInstallation
Note
This policy is deprecated and may be removed in a future release.
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ❌ Pro ❌ Enterprise ❌ Education ❌ Windows SE ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/Security/AllowManualRootCertificateInstallation
This policy is deprecated.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 1 |
Allowed values:
Value | Description |
---|---|
0 | Not allowed. |
1 (Default) | Allowed. |
AllowRemoveProvisioningPackage
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/Security/AllowRemoveProvisioningPackage
Specifies whether to allow the runtime configuration agent to remove provisioning packages.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 1 |
Allowed values:
Value | Description |
---|---|
0 | Not allowed. |
1 (Default) | Allowed. |
AntiTheftMode
Note
This policy is deprecated and may be removed in a future release.
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | Not applicable | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/Security/AntiTheftMode
This policy is deprecated.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 1 |
Allowed values:
Value | Description |
---|---|
0 | Disabled. |
1 (Default) | Enabled. |
ClearTPMIfNotReady
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/Security/ClearTPMIfNotReady
This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system's TPM is in a state other than Ready, including if the TPM is "Ready, with reduced functionality". The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Will not force recovery from a non-ready TPM state. |
1 | Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear. |
Group policy mapping:
Name | Value |
---|---|
Name | ClearTPMIfNotReady_Name |
Friendly Name | Configure the system to clear the TPM if it is not in a ready state. |
Location | Computer Configuration |
Path | System > Trusted Platform Module Services |
Registry Key Name | Software\Policies\Microsoft\TPM |
Registry Value Name | ClearTPMIfNotReadyGP |
ADMX File Name | TPM.admx |
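The description above gives three conditions that must all hold before a user sees the clear-TPM prompt: the policy is set to 1, the TPM is in a state other than Ready, and the logged-on user is a local administrator. The following PowerShell script is an added example, not part of the Policy CSP page or any Microsoft tooling; it evaluates those three conditions on the local machine so an administrator can predict whether the prompt will appear after the next reboot. It reads the Group Policy registry value listed in the mapping table, uses the built-in Get-Tpm cmdlet, and checks the current token's group membership. The assumption that Get-Tpm's TpmReady property is $false for every state the policy treats as "not Ready" (including reduced functionality) is mine and is noted in the code.

```powershell
# Added example (not from the Policy CSP page): predicts whether ClearTPMIfNotReady
# will produce a "clear your TPM" prompt on this machine, using the three conditions
# the policy description lists:
#   1. the policy value is 1,
#   2. the TPM is in a state other than Ready,
#   3. the logged-on user is a member of the local Administrators group.
# Requires the TrustedPlatformModule module (Get-Tpm), shipped with Windows.

function Get-ClearTpmPromptAssessment {
    [CmdletBinding()]
    param()

    # Registry location taken verbatim from the Group Policy mapping on the page.
    $gpPath = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    $gpName = 'ClearTPMIfNotReadyGP'
    $policyValue = 0   # documented default
    $item = Get-ItemProperty -Path $gpPath -Name $gpName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $policyValue = [int]$item.$gpName }

    # Get-Tpm reports the TPM state. ASSUMPTION: TpmReady is $false for every state
    # other than Ready, which is also how the policy text defines "not Ready".
    $tpm = Get-Tpm
    $tpmNotReady = -not $tpm.TpmReady

    # The prompt only appears for members of Administrators; inspect the current token.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        PolicyValue               = $policyValue
        TpmPresent                = $tpm.TpmPresent
        TpmReady                  = $tpm.TpmReady
        CurrentUserIsAdmin        = $isAdmin
        PromptExpectedAfterReboot = ($policyValue -eq 1) -and $tpmNotReady -and $isAdmin
    }
}

Get-ClearTpmPromptAssessment | Format-List
```

Run it from an elevated PowerShell session on the device. PromptExpectedAfterReboot is $true only when all three conditions hold; if PolicyValue is 1 but TpmReady is already $true, the policy is in place but inert, which is the expected steady state once the TPM has been cleared.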
ConfigureWindowsPasswords
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
./Device/Vendor/MSFT/Policy/Config/Security/ConfigureWindowsPasswords
Configures the use of passwords for Windows features.
Note
This policy is only supported in Windows 10 S.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 2 |
Allowed values:
Value | Description |
---|---|
0 | Disallow passwords (Asymmetric credentials will be promoted to replace passwords on Windows features). |
1 | Allow passwords (Passwords continue to be allowed to be used for Windows features). |
2 (Default) | As per SKU and device capabilities. Windows 10 S devices exhibit the "Disallow passwords" default; all other devices default to "Allow passwords". |
PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/Policy/Config/Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
Specifies whether to allow automatic device encryption during OOBE when the device is Microsoft Entra joined.
For more information, see BitLocker Device Encryption.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Encryption enabled. |
1 | Encryption disabled. |
RecoveryEnvironmentAuthentication
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later |
./User/Vendor/MSFT/Policy/Config/Security/RecoveryEnvironmentAuthentication
./Device/Vendor/MSFT/Policy/Config/Security/RecoveryEnvironmentAuthentication
This policy controls whether administrator authentication is required for the reset options in the Windows Recovery Environment (WinRE).
Validation procedure:
To validate this policy, check whether Refresh ("Keep my files") and Reset ("Remove everything") require administrator authentication in Windows Recovery Environment (WinRE).
- First, start Push Button Reset (PBR) in WinRE. Open a command prompt as an administrator and run the following command:
reagentc /boottore
- The device should restart to WinRE. In the WinRE interface, go to Troubleshoot and select Reset this PC. You should see two options: Keep my files and Remove everything.
- Choose the option to Keep my files. View the behavior for authentication.
- Select the back arrow and choose Remove everything. View the behavior for authentication.
Instead of going back, you can alternatively step through the reset options and select Cancel on the final confirmation page; this returns you to the main WinRE interface.
The following table shows what behavior is expected for the policy settings with each scenario:
- ✔️ It prompts for authentication.
- ❌ No authentication required, and it continues with the reset options.
Policy | Keep my files | Remove everything |
---|---|---|
Default (0) | ✔️ | ❌ |
RequireAuthentication (1) | ✔️ | ✔️ |
NoRequireAuthentication (2) | ❌ | ❌ |
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Current behavior: Keep my files prompts for admin authentication, Remove everything doesn't. |
1 | RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment. |
2 | NoRequireAuthentication: Admin Authentication isn't required for components in RecoveryEnvironment. |
RequireDeviceEncryption
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption
Allows the enterprise to turn on internal storage encryption. The most restricted value is 1.
Important
Once encryption has been enabled, it can't be turned off by using this policy.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Encryption isn't required. |
1 | Encryption is required. |
RequireProvisioningPackageSignature
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/Security/RequireProvisioningPackageSignature
Specifies whether provisioning packages must be signed with a certificate issued by an authority the device trusts.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Not required. |
1 | Required. |
RequireRetrieveHealthCertificateOnBoot
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/Security/RequireRetrieveHealthCertificateOnBoot
Specifies whether to retrieve and post TCG boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots. Setting this policy to 1 (Required):
- Determines whether a device is capable of remote device health attestation, by verifying that the device has TPM 2.0.
- Improves the performance of the device by enabling it to fetch and cache data, reducing latency during device health verification.
Note
We recommend setting this policy to Required (1) after MDM enrollment. The most restricted value is 1.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | Not required. |
1 | Required. |
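Several policies on this page (AllowAddProvisioningPackage, AllowRemoveProvisioningPackage, RequireProvisioningPackageSignature, RequireDeviceEncryption, RequireRetrieveHealthCertificateOnBoot and RecoveryEnvironmentAuthentication) each name a most-restricted value but give no way to confirm what a device actually received from MDM. The following PowerShell audit is an added example, not part of the Policy CSP page or any Microsoft tooling. It compares the effective value of each policy with the hardened value and, for RequireDeviceEncryption, cross-checks the OS volume's BitLocker protection status, because that policy only requests encryption and the page warns it can't be used to turn encryption back off. Two assumptions are mine and marked in the code: that MDM-applied Policy CSP values are mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Security, and that an absent value means the documented default applies. The hardened values are the most-restricted values the page lists for each policy.

```powershell
# Added example (not from the Policy CSP page): audits the MDM-applied values of the
# Security-area policies on this page against their most-restricted settings, then
# verifies that RequireDeviceEncryption actually resulted in an encrypted OS volume.
# ASSUMPTION: MDM-applied Policy CSP values are mirrored under
#   HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Policy>
# and a missing value means the documented default is in effect.

$policyRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Security'

# Default values are the "Default Value" rows on the page; Hardened is the
# most-restricted value each policy allows.
$baseline = @(
    @{ Name = 'AllowAddProvisioningPackage';           Default = 1; Hardened = 0 }
    @{ Name = 'AllowRemoveProvisioningPackage';        Default = 1; Hardened = 0 }
    @{ Name = 'RequireProvisioningPackageSignature';   Default = 0; Hardened = 1 }
    @{ Name = 'RequireDeviceEncryption';               Default = 0; Hardened = 1 }
    @{ Name = 'RequireRetrieveHealthCertificateOnBoot'; Default = 0; Hardened = 1 }
    @{ Name = 'RecoveryEnvironmentAuthentication';     Default = 0; Hardened = 1 }
)

function Get-SecurityPolicyValue {
    param([string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $policyRoot -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }   # not pushed by MDM: default applies
    return [int]$item.$Name
}

function Test-SecurityPolicyBaseline {
    foreach ($p in $baseline) {
        $effective = Get-SecurityPolicyValue -Name $p.Name -Default $p.Default
        [pscustomobject]@{
            Policy    = $p.Name
            Effective = $effective
            Hardened  = $p.Hardened
            Compliant = ($effective -eq $p.Hardened)
        }
    }
}

function Test-DeviceEncryptionEnforced {
    # RequireDeviceEncryption=1 only requests encryption; confirm the OS volume is
    # protected. Get-BitLockerVolume comes with the BitLocker module (Pro and above).
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($null -eq $vol) { return 'Unknown (BitLocker module or volume not available)' }
    return $vol.ProtectionStatus   # On or Off
}

Test-SecurityPolicyBaseline | Format-Table -AutoSize
"OS volume BitLocker protection: $(Test-DeviceEncryptionEnforced)"
```

Run from an elevated session. A row with Effective equal to the default and Compliant false means the MDM server never pushed that policy; a RequireDeviceEncryption row that is compliant while the BitLocker line reads Off indicates the request was delivered but encryption hasn't happened yet (for example, the device is still in OOBE or lacks the TPM the automatic encryption path expects), which is the gap this cross-check exists to surface.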