Set-PolicyConfig

This cmdlet is available only in Security & Compliance PowerShell. For more information, see Security & Compliance PowerShell.

Use the Set-PolicyConfig cmdlet to modify the endpoint restrictions that are configured in the organization.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Syntax

Set-PolicyConfig
   [[-Identity] <OrganizationIdParameter>]
   [-CaseHoldPolicyLimit <Int32>]
   [-ClassificationScheme <ClassificationScheme>]
   [-ComplianceUrl <String>]
   [-Confirm]
   [-DlpAppGroups <PswsHashtable[]>]
   [-DlpAppGroupsPsws <PswsHashtable[]>]
   [-DlpExtensionGroups <PswsHashtable[]>]
   [-DlpNetworkShareGroups <PswsHashtable>]
   [-DlpPrinterGroups <PswsHashtable>]
   [-DlpRemovableMediaGroups <PswsHashtable>]
   [-DocumentIsUnsupportedSeverity <RuleSeverity>]
   [-EnableAdvancedRuleBuilder <Boolean>]
   [-EnableLabelCoauth <Boolean>]
   [-EnableSpoAipMigration <Boolean>]
   [-EndpointDlpGlobalSettings <PswsHashtable[]>]
   [-EndpointDlpGlobalSettingsPsws <PswsHashtable[]>]
   [-ExtendTeamsDlpPoliciesToSharePointOneDrive <Boolean>]
   [-InformationBarrierMode <InformationBarrierMode>]
   [-InformationBarrierPeopleSearchRestriction <InformationBarrierPeopleSearchRestriction>]
   [-IsDlpSimulationOptedIn <Boolean>]
   [-OnPremisesWorkload <Workload>]
   [-ProcessingLimitExceededSeverity <RuleSeverity>]
   [-PurviewLabelConsent <Boolean>]
   [-ReservedForFutureUse <Boolean>]
   [-RetentionForwardCrawl <Boolean>]
   [-RuleErrorAction <PolicyRuleErrorAction>]
   [-SenderAddressLocation <PolicySenderAddressLocation>]
   [-SiteGroups <PswsHashtable[]>]
   [-SiteGroupsPsws <PswsHashtable[]>]
   [-WhatIf]
   [<CommonParameters>]

Description

To use this cmdlet in Security & Compliance PowerShell, you need to be assigned permissions. For more information, see Permissions in the Microsoft Purview compliance portal.

Examples

Example 1

{{ Add example code here }}

{{ Add example description here }}

Parameters

-CaseHoldPolicyLimit

{{ Fill CaseHoldPolicyLimit Description }}

Type:Int32
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ClassificationScheme

{{ Fill ClassificationScheme Description }}

Type:ClassificationScheme
Accepted values:Default, V0_AggregatedOnly, V1_DetailedResults
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ComplianceUrl

{{ Fill ComplianceUrl Description }}

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-Confirm

The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.

  • Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.
  • Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you acknowledge the command before proceeding.
Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-DlpAppGroups

{{ Fill DlpAppGroups Description }}

Type:PswsHashtable[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-DlpAppGroupsPsws

{{ Fill DlpAppGroupsPsws Description }}

Type:PswsHashtable[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-DlpExtensionGroups

{{ Fill DlpExtensionGroups Description }}

Type:PswsHashtable[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-DlpNetworkShareGroups

{{ Fill DlpNetworkShareGroups Description }}

Type:PswsHashtable
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-DlpPrinterGroups

{{ Fill DlpPrinterGroups Description }}

Type:PswsHashtable
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-DlpRemovableMediaGroups

{{ Fill DlpRemovableMediaGroups Description }}

Type:PswsHashtable
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-DocumentIsUnsupportedSeverity

{{ Fill DocumentIsUnsupportedSeverity Description }}

Type:RuleSeverity
Accepted values:Low, Medium, High, None, Informational, Information
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-EnableAdvancedRuleBuilder

{{ Fill EnableAdvancedRuleBuilder Description }}

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-EnableLabelCoauth

The EnableLabelCoauth parameter enables or disables co-authoring support in Office desktop apps for the entire organization. Valid value are:

  • $true: Co-authoring support in Office desktop apps is enabled. When documents are labeled and encrypted by sensitivity labels, multiple users can edit these documents at the same time. Labeling information for unencrypted files is no longer saved in custom properties. Don't enable co-authoring if you use any apps, services, scripts, or tools that read or write labeling metadata to the old location.
  • $false: Co-authoring support in Office desktop apps is disabled.

Disabling co-authoring support in Office desktop apps in the organization has the following consequences:

  • For apps and services that support the new labeling metadata, they now revert to the original metadata format and location when labels are read or saved.
  • The new metadata format and location for Office documents that was used while the setting was enabled will not be copied to the original format and location. As a result, this labeling information for unencrypted Word, Excel, and PowerPoint files will be lost.
  • Co-authoring and AutoSave no longer work in your organization for labeled and encrypted documents.
  • Sensitivity labels remain enabled for Office files in OneDrive and SharePoint.
Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-EnableSpoAipMigration

The EnableSpoAipMigration parameter enables or disables built-in labeling for supported Office files in SharePoint and OneDrive. Valid values are:

  • $true: Users can apply your sensitivity labels in Office for the web. Users will see the Sensitivity button on the ribbon so they can apply labels, and see any applied label name on the status bar.
  • $false: Users can't apply your sensitivity labels in Office for the web.
Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-EndpointDlpGlobalSettings

The EndpointDlpGlobalSettings parameter specifies the global endpoints. This parameter uses the following syntax: @(@{"Setting"="<Setting>"; "Value"="<Value>}",@{"Setting"="<Setting>"; "Value"="<Value>"},...).

The value of <Setting> is one of the supported values.

Example values:

  • @{"Setting"="PathExclusion"; "Value"="C:\Windows";}
  • @{"Setting"="PathExclusion"; "Value"="%AppData%\Mozilla";}
  • @{"Setting"="PathExclusion"; "Value"="C:\Users\*\Desktop";}
  • @{"Setting"="UnallowedApp"="Notepad ++;"Executable"="notepad++"}
  • @{"Setting"="UnallowedApp"="Executable"="cmd"}
  • @{"Setting"="UnallowedBrowser"="Chrome";"Executable"="chrome"}
  • @{"Setting"="CloudAppRestrictions"="Allow"}
  • @{"Setting"="CloudAppRestrictionList"="1.1.2.2"}
  • @{"Setting"="CloudAppRestrictionList"="subdomain.com"}
  • @{"Setting"="CloudAppRestrictionList"="another.differentdomain.edu"}
  • @{"Setting"="ShowEndpointJustificationDropdown"; "True";}
Type:PswsHashtable[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-EndpointDlpGlobalSettingsPsws

{{ Fill EndpointDlpGlobalSettingsPsws Description }}

Type:PswsHashtable[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ExtendTeamsDlpPoliciesToSharePointOneDrive

The ExtendTeamsDlpPoliciesToSharePointOneDrive parameter enables the Teams DLP Policy to automatically extend protection to the content stored in OneDrive shared in 1:1 chats and content stored in SharePoint associated with Teams teams shared through channel chats. Valid values are:

  • $true
  • $false
Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-Identity

You don't need to use this parameter. The only endpoint restrictions object in the organization is named Settings.

Type:OrganizationIdParameter
Position:0
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False
Applies to:Security & Compliance

-InformationBarrierMode

The InformationBarrierMode parameter specifies the mode that controls the total number of segments and how many segments a user can be part of. Valid values are:

  • SingleSegment: Users in the organization can have 5000 segments but can only be assigned to one segment.
  • MultiSegment: Users in the organization can have 5000 segments and can be assigned up to 10 segments. For more information, see Use multi-segment support in information barriers.
Type:InformationBarrierMode
Accepted values:SingleSegment, MultiSegment
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-InformationBarrierPeopleSearchRestriction

{{ Fill InformationBarrierPeopleSearchRestriction Description }}

Type:InformationBarrierPeopleSearchRestriction
Accepted values:Enabled, Disabled
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-IsDlpSimulationOptedIn

{{ Fill IsDlpSimulationOptedIn Description }}

Type:Boolean
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-OnPremisesWorkload

{{ Fill OnPremisesWorkload Description }}

Type:Workload
Accepted values:None, Exchange, SharePoint, Intune, OneDriveForBusiness, PublicFolder, SharePointOnPremises, ExchangeOnPremises, AuditAlerting, Skype, ModernGroup, DynamicScope, Teams, UnifiedAuditAzure, EndpointDevices, ThirdPartyApps, OnPremisesScanner
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ProcessingLimitExceededSeverity

{{ Fill ProcessingLimitExceededSeverity Description }}

Type:RuleSeverity
Accepted values:Low, Medium, High, None, Informational, Information
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-PurviewLabelConsent

{{ Fill PurviewLabelConsent Description }}

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-ReservedForFutureUse

{{ Fill ReservedForFutureUse Description }}

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-RetentionForwardCrawl

{{ Fill RetentionForwardCrawl Description }}

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-RuleErrorAction

The RuleErrorAction parameter specifies what to do if an error is encountered during the evaluation of the rule. Valid values are:

  • Ignore
  • RetryThenBlock (This is the default value)
Type:PolicyRuleErrorAction
Accepted values:Ignore, RetryThenBlock
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-SenderAddressLocation

The SenderAddressLocation parameter specifies where to look for sender addresses in conditions and exceptions that examine sender email addresses. Valid values are:

  • Header: Only examine senders in the message headers (for example, the From, Sender, or Reply-To fields). This is the default value.
  • Envelope: Only examine senders from the message envelope (the MAIL FROM value that was used in the SMTP transmission, which is typically stored in the Return-Path field).
  • HeaderOrEnvelope: Examine senders in the message header and the message envelope.
Type:PolicySenderAddressLocation
Accepted values:Header, Envelope, HeaderOrEnvelope
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-SiteGroups

{{ Fill SiteGroups Description }}

Type:PswsHashtable[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-SiteGroupsPsws

{{ Fill SiteGroupsPsws Description }}

Type:PswsHashtable[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance

-WhatIf

The WhatIf switch doesn't work in Security & Compliance PowerShell.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Security & Compliance