Policy CSP - NetworkIsolation

EnterpriseCloudResources

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseCloudResources

This setting doesn't apply to desktop apps.

A pipe-separated list of domain cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address.

Contains a list of Enterprise resource domains hosted in the cloud. Connections to these resources are considered connections to enterprise networks.

If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the Intranet proxy servers for apps policy.

Example: [cloudresource]|[cloudresource]|[cloudresource],[proxy]|[cloudresource]|[cloudresource],[proxy]|.
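
The following added example (not part of the original documentation) lints an EnterpriseCloudResources value before deployment: it splits the pipe-separated entries, separates each optional proxy, and flags any proxy that is not also listed in the semicolon-separated EnterpriseInternalProxyServers value. The function name `Test-CloudResourcePolicy`, the exact-string proxy comparison, and all sample host names are assumptions made for illustration.

```powershell
# Added example: lint an EnterpriseCloudResources value against the
# EnterpriseInternalProxyServers value. Function name is hypothetical.
function Test-CloudResourcePolicy {
    param(
        [Parameter(Mandatory)][string]$CloudResources,   # pipe-separated, optional ",proxy"
        [string]$InternalProxyServers = ''               # semicolon-separated
    )
    # Proxies declared in the "Intranet proxy servers for apps" policy.
    $declared = @($InternalProxyServers -split ';' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # The documented example ends with "|", so empty entries are skipped.
    foreach ($entry in ($CloudResources -split '\|' | Where-Object { $_.Trim() })) {
        $parts    = $entry.Split(',')
        $resource = $parts[0].Trim()
        $proxy    = if ($parts.Count -gt 1) { $parts[1].Trim() } else { $null }

        $problem = $null
        if ($parts.Count -gt 2)       { $problem = 'more than one comma in entry' }
        elseif (-not $resource)       { $problem = 'empty cloud resource' }
        elseif ($parts.Count -eq 2 -and -not $proxy) { $problem = 'comma with no proxy' }
        elseif ($proxy -and ($declared -notcontains $proxy)) {
            # Assumption: the proxy is written identically in both policies.
            $problem = 'proxy missing from EnterpriseInternalProxyServers'
        }
        [pscustomobject]@{ Resource = $resource; Proxy = $proxy; Problem = $problem }
    }
}

# Constructed sample input (placeholder names, not real infrastructure).
$cloud   = 'contoso.sharepoint.com|app.contoso.example,proxy1.contoso.example|' +
           'crm.contoso.example,proxy9.contoso.example|'
$proxies = 'proxy1.contoso.example; proxy2.contoso.example'

Test-CloudResourcePolicy -CloudResources $cloud -InternalProxyServers $proxies |
    Where-Object Problem | Format-Table -AutoSize
```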

For more information see: https://go.microsoft.com/fwlink/p/?LinkId=234043

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: |)

Group policy mapping:

Name Value
Name WF_NetIsolation_EnterpriseCloudResources
Friendly Name Enterprise resource domains hosted in the cloud
Element Name Enterprise cloud resources.
Location Computer Configuration
Path Network > Network Isolation
Registry Key Name SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation
ADMX File Name NetworkIsolation.admx

EnterpriseInternalProxyServers

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1507 [10.0.10240] and later
./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseInternalProxyServers

This setting doesn't apply to desktop apps.

A semicolon-separated list of intranet proxy server IP addresses. These addresses are categorized as private by Windows Network Isolation and are accessible to apps that have the Home/Work Networking capability.

  • If you enable this policy setting, it allows an administrator to configure a set of proxies that provide access to intranet resources.

  • If you disable or don't configure this policy setting, Windows Network Isolation attempts to discover proxies and configures them as Internet nodes.

This setting should NOT be used to configure Internet proxies.

Example: [3efe:3022::1000]; 18.0.0.1; 18.0.0.2

For more information see: https://go.microsoft.com/fwlink/p/?LinkId=234043

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ,)

Group policy mapping:

Name Value
Name WF_NetIsolation_Intranet_Proxies
Friendly Name Intranet proxy servers for apps
Element Name Type a proxy server IP address for the intranet.
Location Computer Configuration
Path Network > Network Isolation
Registry Key Name SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation
ADMX File Name NetworkIsolation.admx

EnterpriseIPRange

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1507 [10.0.10240] and later
./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseIPRange

This setting doesn't apply to desktop apps.

A comma-separated list of IP address ranges that are in your corporate network.

  • If you enable this policy setting, it ensures that apps with the Home/Work Networking capability have appropriate access to your corporate network. These addresses are accessible to an app if and only if the app has declared the Home/Work Networking capability.

Windows Network Isolation attempts to automatically discover private network hosts. By default, the addresses configured with this policy setting are merged with the hosts that are declared as private through automatic discovery.

To ensure that these addresses are the only addresses ever classified as private, enable the "Subnet definitions are authoritative" policy setting.

  • If you disable or don't configure this policy setting, Windows Network Isolation attempts to automatically discover your private network hosts.

Example: 3efe:1092::/96,18.1.1.1/10

For more information see: https://go.microsoft.com/fwlink/p/?LinkId=234043

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ,)

Group policy mapping:

Name Value
Name WF_NetIsolation_PrivateSubnet
Friendly Name Private network ranges for apps
Element Name Private subnets.
Location Computer Configuration
Path Network > Network Isolation
Registry Key Name SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation
ADMX File Name NetworkIsolation.admx

Example of IP ranges:

10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255,
192.168.0.0-192.168.255.255,2001:4898::-2001:4898:7fff:ffff:ffff:ffff:ffff:ffff,
2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff,
2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

EnterpriseIPRangesAreAuthoritative

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseIPRangesAreAuthoritative

This setting doesn't apply to desktop apps.

Turns off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment.

  • If you enable this policy setting, it turns off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment. Only network hosts within the address ranges configured via Group Policy will be classified as private.

  • If you disable or don't configure this policy setting, Windows Network Isolation attempts to automatically discover your private network hosts in the domain corporate environment.

For more information see: https://go.microsoft.com/fwlink/p/?LinkId=234043

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 Enable.
0 (Default) Disable.

Group policy mapping:

Name Value
Name WF_NetIsolation_Authoritative_Subnet
Friendly Name Subnet definitions are authoritative
Location Computer Configuration
Path Network > Network Isolation
Registry Key Name SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation
Registry Value Name DSubnetsAuthoritive
ADMX File Name NetworkIsolation.admx

EnterpriseNetworkDomainNames

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1507 [10.0.10240] and later
./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseNetworkDomainNames

This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that's sent to a device will be considered enterprise data and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example contoso.sharepoint.com, Fabrikam.com.

Note

The client requires the domain name to be canonical; otherwise, the setting will be rejected by the client. Here are the steps to create canonical domain names:

  1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com.
  2. Call IdnToAscii with IDN_USE_STD3_ASCII_RULES as the flags.
  3. Call IdnToUnicode with no flags set (dwFlags = 0).
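
The following added example (not part of the original documentation) applies the three canonicalization steps to each entry of an EnterpriseNetworkDomainNames value and reports entries the client would see as non-canonical. It assumes the .NET class System.Globalization.IdnMapping as a stand-in for calling IdnToAscii and IdnToUnicode directly; the function names and sample domains are hypothetical.

```powershell
# Added example: check EnterpriseNetworkDomainNames entries for canonical form.
# Function names are hypothetical; IdnMapping stands in for the Win32 IDN APIs.
function Get-CanonicalDomainName {
    param([Parameter(Mandatory)][string]$Name)
    # Step 1: lower-case ASCII A-Z only; non-ASCII characters are left untouched.
    # [regex]::Replace is case-sensitive, unlike the -replace operator.
    $lower = [regex]::Replace($Name, '[A-Z]',
        { param($m) $m.Value.ToLowerInvariant() })

    # Step 2: ToASCII with STD3 rules (counterpart of IDN_USE_STD3_ASCII_RULES).
    $toAscii = New-Object System.Globalization.IdnMapping
    $toAscii.UseStd3AsciiRules = $true
    $ascii = $toAscii.GetAscii($lower)      # throws on names that break STD3 rules

    # Step 3: ToUnicode with default settings (counterpart of dwFlags = 0).
    $toUnicode = New-Object System.Globalization.IdnMapping
    $toUnicode.GetUnicode($ascii)
}

function Test-EnterpriseNetworkDomainNames {
    param([Parameter(Mandatory)][string]$Value)   # comma-separated domain list
    foreach ($entry in $Value.Split(',')) {
        $name = $entry.Trim()
        if (-not $name) { continue }
        $canonical = $null; $reason = $null
        try   { $canonical = Get-CanonicalDomainName -Name $name }
        catch { $reason = $_.Exception.Message }
        [pscustomobject]@{
            Entry       = $name
            Canonical   = $canonical
            # Case-sensitive comparison: "Fabrikam.com" differs from "fabrikam.com".
            IsCanonical = ($null -ne $canonical -and $name -ceq $canonical)
            Error       = $reason
        }
    }
}

# Constructed sample input. The last entry contains "_", which STD3 rules
# (letters, digits and hyphen only) do not permit in a label.
$domains = 'contoso.sharepoint.com, Fabrikam.com, bad_label.contoso.example'
Test-EnterpriseNetworkDomainNames -Value $domains | Format-Table -AutoSize
```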

For more information, see the following APIs:

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ,)

EnterpriseProxyServers

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1507 [10.0.10240] and later
./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseProxyServers

This setting doesn't apply to desktop apps.

A semicolon-separated list of Internet proxy server IP addresses. These addresses are categorized as Internet by Windows Network Isolation and are accessible to apps that have the Internet Client or Internet Client/Server capabilities.

  • If you enable this policy setting, apps on proxied networks can access the Internet without relying on the Private Network capability. However, in most situations Windows Network Isolation will be able to correctly discover proxies. By default, any proxies configured with this setting are merged with proxies that are auto-discovered. To make this policy configuration the sole list of allowed proxies, enable the "Proxy definitions are authoritative" setting.

  • If you disable or don't configure this policy setting, apps will use the Internet proxies auto-discovered by Windows Network Isolation.

Example: [3efe:3022::1000];18.0.0.1;18.0.0.2

For more information see: https://go.microsoft.com/fwlink/p/?LinkId=234043

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ,)

Group policy mapping:

Name Value
Name WF_NetIsolation_Domain_Proxies
Friendly Name Internet proxy servers for apps
Element Name Domain Proxies.
Location Computer Configuration
Path Network > Network Isolation
Registry Key Name SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation
ADMX File Name NetworkIsolation.admx

EnterpriseProxyServersAreAuthoritative

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseProxyServersAreAuthoritative

This setting doesn't apply to desktop apps.

Turns off Windows Network Isolation's automatic proxy discovery in the domain corporate environment.

  • If you enable this policy setting, it turns off Windows Network Isolation's automatic proxy discovery in the domain corporate environment. Only proxies configured with Group Policy are authoritative. This applies to both Internet and intranet proxies.

  • If you disable or don't configure this policy setting, Windows Network Isolation attempts to automatically discover your proxy server addresses.

For more information see: https://go.microsoft.com/fwlink/p/?LinkId=234043

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
1 Enable.
0 (Default) Disable.

Group policy mapping:

Name Value
Name WF_NetIsolation_Authoritative_Proxies
Friendly Name Proxy definitions are authoritative
Location Computer Configuration
Path Network > Network Isolation
Registry Key Name SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation
Registry Value Name DProxiesAuthoritive
ADMX File Name NetworkIsolation.admx

NeutralResources

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/NeutralResources

This setting doesn't apply to desktop apps.

A comma-separated list of domain names that can be used as both work and personal resources.

For more information see: https://go.microsoft.com/fwlink/p/?LinkId=234043

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ,)

Group policy mapping:

Name Value
Name WF_NetIsolation_NeutralResources
Friendly Name Domains categorized as both work and personal
Element Name Neutral resources.
Location Computer Configuration
Path Network > Network Isolation
Registry Key Name SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation
ADMX File Name NetworkIsolation.admx
