Policy CSP - ADMX_MMC
Tip
This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>
. For details, see Understanding ADMX-backed policies.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
Scope | Editions | Applicable OS |
---|---|---|
❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_MMC/MMC_ActiveXControl
Permits or prohibits use of this snap-in.
If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
If this setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted.
To explicitly permit use of this snap-in, enable this setting. If this setting isn't configured (or disabled), this snap-in is prohibited.
- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited.
To explicitly prohibit use of this snap-in, disable this setting. If this setting isn't configured (or enabled), the snap-in is permitted.
When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | MMC_ActiveXControl |
Friendly Name | ActiveX Control |
Location | User Configuration |
Path | Windows Components > Microsoft Management Console > Restricted/Permitted snap-ins |
Registry Key Name | Software\Policies\Microsoft\MMC{C96401CF-0E17-11D3-885B-00C04F72C717} |
Registry Value Name | Restrict_Run |
ADMX File Name | MMC.admx |
Scope | Editions | Applicable OS |
---|---|---|
❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_MMC/MMC_ExtendView
Permits or prohibits use of this snap-in.
If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
If this setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted.
To explicitly permit use of this snap-in, enable this setting. If this setting isn't configured (or disabled), this snap-in is prohibited.
- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited.
To explicitly prohibit use of this snap-in, disable this setting. If this setting isn't configured (or enabled), the snap-in is permitted.
When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | MMC_ExtendView |
Friendly Name | Extended View (Web View) |
Location | User Configuration |
Path | Windows Components > Microsoft Management Console > Restricted/Permitted snap-ins > Extension snap-ins |
Registry Key Name | Software\Policies\Microsoft\MMC{B708457E-DB61-4C55-A92F-0D4B5E9B1224} |
Registry Value Name | Restrict_Run |
ADMX File Name | MMC.admx |
Scope | Editions | Applicable OS |
---|---|---|
❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_MMC/MMC_LinkToWeb
Permits or prohibits use of this snap-in.
If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
If this setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted.
To explicitly permit use of this snap-in, enable this setting. If this setting isn't configured (or disabled), this snap-in is prohibited.
- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited.
To explicitly prohibit use of this snap-in, disable this setting. If this setting isn't configured (or enabled), the snap-in is permitted.
When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | MMC_LinkToWeb |
Friendly Name | Link to Web Address |
Location | User Configuration |
Path | Windows Components > Microsoft Management Console > Restricted/Permitted snap-ins |
Registry Key Name | Software\Policies\Microsoft\MMC{C96401D1-0E17-11D3-885B-00C04F72C717} |
Registry Value Name | Restrict_Run |
ADMX File Name | MMC.admx |
Scope | Editions | Applicable OS |
---|---|---|
❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_MMC/MMC_Restrict_Author
Prevents users from entering author mode.
This setting prevents users from opening the Microsoft Management Console (MMC) in author mode, explicitly opening console files in author mode, and opening any console files that open in author mode by default.
As a result, users can't create console files or add or remove snap-ins. Also, because they can't open author-mode console files, they can't use the tools that the files contain.
This setting permits users to open MMC user-mode console files, such as those on the Administrative Tools menu in Windows 2000 Server family or Windows Server 2003 family. However, users can't open a blank MMC console window on the Start menu. (To open the MMC, click Start, click Run, and type mmc.) Users also can't open a blank MMC console window from a command prompt.
If you disable this setting or don't configure it, users can enter author mode and open author-mode console files.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | MMC_Restrict_Author |
Friendly Name | Restrict the user from entering author mode |
Location | User Configuration |
Path | Windows Components > Microsoft Management Console |
Registry Key Name | Software\Policies\Microsoft\MMC |
Registry Value Name | RestrictAuthorMode |
ADMX File Name | MMC.admx |
Scope | Editions | Applicable OS |
---|---|---|
❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_MMC/MMC_Restrict_To_Permitted_Snapins
Lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins.
- If you enable this setting, all snap-ins are prohibited, except those that you explicitly permit. Use this setting if you plan to prohibit use of most snap-ins.
To explicitly permit a snap-in, open the Restricted/Permitted snap-ins setting folder and enable the settings representing the snap-in you want to permit. If a snap-in setting in the folder is disabled or not configured, the snap-in is prohibited.
- If you disable this setting or don't configure it, all snap-ins are permitted, except those that you explicitly prohibit. Use this setting if you plan to permit use of most snap-ins.
To explicitly prohibit a snap-in, open the Restricted/Permitted snap-ins setting folder and then disable the settings representing the snap-ins you want to prohibit. If a snap-in setting in the folder is enabled or not configured, the snap-in is permitted.
When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear.
Note
If you enable this setting, and you don't enable any settings in the Restricted/Permitted snap-ins folder, users can't use any MMC snap-ins.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | MMC_Restrict_To_Permitted_Snapins |
Friendly Name | Restrict users to the explicitly permitted list of snap-ins |
Location | User Configuration |
Path | Windows Components > Microsoft Management Console |
Registry Key Name | Software\Policies\Microsoft\MMC |
Registry Value Name | RestrictToPermittedSnapins |
ADMX File Name | MMC.admx |