Policy CSP - ADMX_AttachmentManager
Tip
This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
AM_EstimateFileHandlerRisk
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_AttachmentManager/AM_EstimateFileHandlerRisk
This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments.
Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files.
Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler.
Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation which will cause users to see more trust prompts than choosing the other options.
If you enable this policy setting, you can choose the order in which Windows processes risk assessment data.
If you disable this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type.
If you don't configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | AM_EstimateFileHandlerRisk |
| Friendly Name | Trust logic for file attachments |
| Location | User Configuration |
| Path | Windows Components > Attachment Manager |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Attachments |
| ADMX File Name | AttachmentManager.admx |
AM_SetFileRiskLevel
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_AttachmentManager/AM_SetFileRiskLevel
This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments.
High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file.
Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file.
Low Risk: If the attachment is in the list of low-risk file types, Windows won't prompt the user before accessing the file, regardless of the file's zone information.
If you enable this policy setting, you can specify the default risk level for file types.
If you disable this policy setting, Windows sets the default risk level to moderate.
If you don't configure this policy setting, Windows sets the default risk level to moderate.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | AM_SetFileRiskLevel |
| Friendly Name | Default risk level for file attachments |
| Location | User Configuration |
| Path | Windows Components > Attachment Manager |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations |
| ADMX File Name | AttachmentManager.admx |
AM_SetHighRiskInclusion
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_AttachmentManager/AM_SetHighRiskInclusion
This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list).
If you enable this policy setting, you can create a custom list of high-risk file types.
If you disable this policy setting, Windows uses its built-in list of file types that pose a high risk.
If you don't configure this policy setting, Windows uses its built-in list of high-risk file types.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | AM_SetHighRiskInclusion |
| Friendly Name | Inclusion list for high risk file types |
| Location | User Configuration |
| Path | Windows Components > Attachment Manager |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations |
| ADMX File Name | AttachmentManager.admx |
AM_SetLowRiskInclusion
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_AttachmentManager/AM_SetLowRiskInclusion
This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows won't prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list).
If you enable this policy setting, you can specify file types that pose a low risk.
If you disable this policy setting, Windows uses its default trust logic.
If you don't configure this policy setting, Windows uses its default trust logic.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | AM_SetLowRiskInclusion |
| Friendly Name | Inclusion list for low file types |
| Location | User Configuration |
| Path | Windows Components > Attachment Manager |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations |
| ADMX File Name | AttachmentManager.admx |
AM_SetModRiskInclusion
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_AttachmentManager/AM_SetModRiskInclusion
This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list).
If you enable this policy setting, you can specify file types which pose a moderate risk.
If you disable this policy setting, Windows uses its default trust logic.
If you don't configure this policy setting, Windows uses its default trust logic.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | AM_SetModRiskInclusion |
| Friendly Name | Inclusion list for moderate risk file types |
| Location | User Configuration |
| Path | Windows Components > Attachment Manager |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations |
| ADMX File Name | AttachmentManager.admx |
Related articles
Feedback
Kommer snart: Under hela 2024 kommer vi att fasa ut GitHub-problem som feedbackmekanism för innehåll och ersätta det med ett nytt feedbacksystem. Mer information finns i: https://aka.ms/ContentUserFeedback.
Skicka och visa feedback för