Policy CSP - Security

Warning

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.


Security policies

Security/AllowAddProvisioningPackage
Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices
Security/AllowManualRootCertificateInstallation
Security/AllowRemoveProvisioningPackage
Security/AntiTheftMode
Security/ClearTPMIfNotReady
Security/ConfigureWindowsPasswords
Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
Security/RecoveryEnvironmentAuthentication
Security/RequireDeviceEncryption
Security/RequireProvisioningPackageSignature
Security/RequireRetrieveHealthCertificateOnBoot

Security/AllowAddProvisioningPackage

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark check mark check mark

Scope:

  • Device

Specifies whether to allow the runtime configuration agent to install provisioning packages.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark cross mark cross mark

Note

This policy has been deprecated in Windows 10, version 1607


Note

This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Security/AllowManualRootCertificateInstallation

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark cross mark cross mark cross mark cross mark check mark check mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Specifies whether the user is allowed to manually install root and intermediate CA certificates.

Most restricted value is 0.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Security/AllowRemoveProvisioningPackage

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark check mark check mark

Scope:

  • Device

Specifies whether to allow the runtime configuration agent to remove provisioning packages.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Security/AntiTheftMode

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark cross mark cross mark cross mark cross mark check mark check mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

Allows or disallow Anti Theft Mode on the device.

The following list shows the supported values:

  • 0 – Don't allow Anti Theft Mode.
  • 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent).

Security/ClearTPMIfNotReady

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark3 check mark3 check mark3 check mark3 cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Added in Windows 10, version 1709. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart.

ADMX Info:

  • GP English name: Configure the system to clear the TPM if it is not in a ready state.
  • GP name: ClearTPMIfNotReady_Name
  • GP path: System/Trusted Platform Module Services
  • GP ADMX file name: TPM.admx

The following list shows the supported values:

  • 0 (default) – Will not force recovery from a non-ready TPM state.
  • 1 – Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear.

Security/ConfigureWindowsPasswords

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark4 check mark4 check mark4 check mark4

Scope:

  • Device

Added in Windows 10, version 1803. Configures the use of passwords for Windows features.

Note

This policy is only supported in Windows 10 S.

The following list shows the supported values:

  • 0 -Disallow passwords (Asymmetric credentials will be promoted to replace passwords on Windows features)
  • 1- Allow passwords (Passwords continue to be allowed to be used for Windows features)
  • 2- Default (Feature defaults as per SKU and device capabilities. Windows 10 S devices will exhibit "Disallow passwords" default, and all other devices will default to "Allow passwords")

Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark1 check mark1 check mark1 check mark1 cross mark cross mark

Scope:

  • Device

Note

This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.

Added in Windows 10, version 1607 to replace the deprecated policy Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices.

Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.

The following list shows the supported values:

  • 0 (default) – Encryption enabled.
  • 1 – Encryption disabled.

Security/RecoveryEnvironmentAuthentication

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark5 check mark5 check mark5 check mark5

Scope:

  • User
  • Device

Added in Windows 10, version 1809. This policy controls the Admin Authentication requirement in RecoveryEnvironment.

Supported values:

  • 0 - Default: Keep using default(current) behavior
  • 1 - RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment
  • 2 - NoRequireAuthentication: Admin Authentication is not required for components in RecoveryEnvironment

Validation procedure

The validation requires a check whether Refresh ("Keep my files") and Reset ("Remove everything") requires admin authentication in WinRE. The process of starting Push Button Reset (PBR) in WinRE:

  1. Open a cmd as Administrator, run command "reagentc /boottore" and restart the OS to boot to WinRE.
  2. OS should boot to the blue screen of WinRE UI, go through TroubleShoot -> Reset this PC, it should show two options: "Keep my files" and "Remove everything".

If the MDM policy is set to "Default" (0) or does not exist, the admin authentication flow should work as default behavior:

  1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication.
  2. Click "<-" (right arrow) button and choose "Remove everything", it should not pop up admin authentication and just go to PBR options.

If the MDM policy is set to "RequireAuthentication" (1)

  1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication.
  2. Click "<-" (right arrow) button and choose "Remove everything", it should also pop up admin authentication.

If the MDM policy is set to "NoRequireAuthentication" (2)

  1. Start PBR in WinRE, choose "Keep my files", it should not pop up admin authentication.
  2. Go through PBR options and click "cancel" at final confirmation page, wait unit the UI is back.
  3. Click "TroubleShoot" -> "Reset this PC" again, choose "Remove everything", it should not pop up admin authentication neither.

Security/RequireDeviceEncryption

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark check mark check mark

Scope:

  • Device

Allows enterprise to turn on internal storage encryption.

Most restricted value is 1.

Important

If encryption has been enabled, it cannot be turned off by using this policy.

The following list shows the supported values:

  • 0 (default) – Encryption is not required.
  • 1 – Encryption is required.

Security/RequireProvisioningPackageSignature

Home Pro Business Enterprise Education Mobile Mobile Enterprise
cross mark check mark check mark check mark check mark check mark check mark

Scope:

  • Device

Specifies whether provisioning packages must have a certificate signed by a device trusted authority.

The following list shows the supported values:

  • 0 (default) – Not required.
  • 1 – Required.

Security/RequireRetrieveHealthCertificateOnBoot

Home Pro Business Enterprise Education Mobile Mobile Enterprise
check mark check mark check mark check mark check mark check mark check mark

Scope:

  • Device

Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.

Setting this policy to 1 (Required):

  • Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2.0.
  • Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification.

Note

We recommend that this policy is set to Required after MDM enrollment.

Most restricted value is 1.

The following list shows the supported values:

  • 0 (default) – Not required.
  • 1 – Required.

Footnote:

  • 1 - Added in Windows 10, version 1607.
  • 2 - Added in Windows 10, version 1703.
  • 3 - Added in Windows 10, version 1709.
  • 4 - Added in Windows 10, version 1803.
  • 5 - Added in the next major release of Windows 10.