Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
[This article is prerelease documentation and is subject to change.]
Important
- You need to be part of the Frontier preview program and sign up to accept terms of participation to get early access to Microsoft Scout. Frontier connects you directly with Microsoft's latest AI innovations. Frontier previews are subject to the existing preview terms of your customer agreements. As these features are still in development, their availability and capabilities may change over time.
- This is a preview feature.
- Preview features may have restricted functionality and may not be released for general availability. These features are available before an official release so that customers can get early access and provide feedback.
- For more information, go to our Microsoft Product Terms.
Microsoft Scout supports enterprise management through Windows Group Policy and Microsoft Intune by using Administrative Template (ADMX/ADML) files. These policies are device-scoped and are stored under HKLM\SOFTWARE\Policies\Scout. Because the policies are managed at the device level, standard users can't modify them.
Available admin controls
Administrators can use these policies to manage Microsoft Scout features and capabilities, including:
- Requiring approval for tool actions
- Blocking specific MCP servers
- Restricting permission types
- Disabling AI models or providers
- Disabling Heartbeat and Automations
- Limiting file system access to the workspace
- Blocking browser egress destinations
- Controlling Frontier access
Policy reference
The following policy settings are available.
| Policy setting | Registry value | Type | Description |
|---|---|---|---|
| Policy version | PolicyVersion |
REG_DWORD |
Stores the policy schema version for diagnostics and future migrations. |
| Disabled MCP servers | DisabledServers |
REG_SZ |
Comma-separated list of MCP server keys to block, such as filesystem, playwright, or WorkIQ. |
| Disabled permission kinds | DisabledPermissions |
REG_SZ |
Comma-separated list of permission types to deny, such as shell, write, mcp, url, or custom-tool. |
| Force human approval for all non-read actions | ForcePrompt |
REG_DWORD |
Requires user approval for every non-read tool action, regardless of local approval settings. |
| Disabled AI models | DisabledModels |
REG_SZ |
Comma-separated list of model IDs to block. |
| Disabled AI model providers | DisabledProviders |
REG_SZ |
Comma-separated list of provider names to block, such as anthropic or openai. |
| Disable Heartbeat | DisableHeartbeat |
REG_DWORD |
Disables the Heartbeat monitoring feature. |
| Disable Automations | DisableWorkflows |
REG_DWORD |
Prevents users from creating or running automations. |
| Restrict file system access to workspace | RestrictToWorkspace |
REG_DWORD |
Limits file system and shell access to the current workspace directory. |
| Blocked browser egress origins | BrowserEgressBlockedOrigins |
REG_SZ |
Comma-separated list of HTTP or HTTPS origins that are blocked from Playwright browser traffic. |