Policy CSP - Privacy


Important

This CSP contains some settings that are under development and only applicable for Windows Insider Preview builds. These settings are subject to change and may have dependencies on other features or services in preview.

AllowAutoAcceptPairingAndPrivacyConsentPrompts

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts

Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. The most restrictive value is 0.

Note

There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Not allowed.
1 Allowed.

AllowCrossDeviceClipboard

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/AllowCrossDeviceClipboard

This policy setting determines whether Clipboard contents can be synchronized across devices.

  • If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Microsoft Entra account.

  • If you disable this policy setting, Clipboard contents can't be shared to other devices.

Policy change takes effect immediately.

Most restrictive value is 0 to not allow cross-device clipboard.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 Not allowed.
1 (Default) Allowed.

Group policy mapping:

Name Value
Name AllowCrossDeviceClipboard
Friendly Name Allow Clipboard synchronization across devices
Location Computer Configuration
Path System > OS Policies
Registry Key Name Software\Policies\Microsoft\Windows\System
Registry Value Name AllowCrossDeviceClipboard
ADMX File Name OSPolicy.admx

AllowInputPersonalization

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1507 [10.0.10240] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/AllowInputPersonalization

This policy specifies whether users on the device have the option to enable online speech recognition services.

If this policy is enabled or not configured, control is deferred to users, and users may choose whether to enable speech services via settings.

If this policy is disabled, speech services will be disabled, and users can't enable speech services via settings.

Updated in Windows 10, version 1809.

When enabled, users can use their voice for dictation, and talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft uses voice input to help improve speech services.

The most restrictive value is 0 to not allow speech services.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 Not allowed.
1 (Default) Choice deferred to user's preference.

Group policy mapping:

Name Value
Name AllowInputPersonalization
Friendly Name Allow users to enable online speech recognition services
Location Computer Configuration
Path Control Panel > Regional and Language Options
Registry Key Name Software\Policies\Microsoft\InputPersonalization
Registry Value Name AllowInputPersonalization
ADMX File Name Globalization.admx

DisableAdvertisingId

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/DisableAdvertisingId

This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps.

  • If you enable this policy setting, the advertising ID is turned off. Apps can't use the ID for experiences across apps.

  • If you disable or don't configure this policy setting, users can control whether apps can use the advertising ID for experiences across apps.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 65535

Allowed values:

Value Description
0 Disabled.
1 Enabled.
65535 (Default) Not configured.

Group policy mapping:

Name Value
Name DisableAdvertisingId
Friendly Name Turn off the advertising ID
Location Computer Configuration
Path System > User Profiles
Registry Key Name Software\Policies\Microsoft\Windows\AdvertisingInfo
Registry Value Name DisabledByGroupPolicy
ADMX File Name UserProfiles.admx

DisablePrivacyExperience

Scope: ✅ Device, ✅ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1809 [10.0.17763] and later
./User/Vendor/MSFT/Policy/Config/Privacy/DisablePrivacyExperience
./Device/Vendor/MSFT/Policy/Config/Privacy/DisablePrivacyExperience

When logging into a new user account for the first time or after an upgrade in some scenarios, that user may be presented with a screen or series of screens that prompts the user to choose privacy settings for their account. Enable this policy to prevent this experience from launching.

If this policy is enabled, the privacy experience won't launch for newly created user accounts or for accounts that would've been prompted to choose their privacy settings after an upgrade.

If this policy is disabled or not configured, then the privacy experience may launch for newly created user accounts or for accounts that should be prompted to choose their privacy settings after an upgrade.

In some managed environments, the privacy settings may be set by other policies. In this case, enable this policy to not show a screen for users to change these privacy settings.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Allow the 'choose privacy settings for your device' screen for a new user during their first logon or when an existing user logs in for the first time after an upgrade.
1 Don't allow the 'choose privacy settings for your device' screen when a new user logs in or an existing user logs in for the first time after an upgrade.

Group policy mapping:

Name Value
Name DisablePrivacyExperience
Friendly Name Don't launch privacy settings experience on user logon
Location Computer and User Configuration
Path Windows Components > OOBE
Registry Key Name Software\Policies\Microsoft\Windows\OOBE
Registry Value Name DisablePrivacyExperience
ADMX File Name OOBE.admx

EnableActivityFeed

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/EnableActivityFeed

This policy setting determines whether ActivityFeed is enabled.

  • If you enable this policy setting, all activity types (as applicable) are allowed to be published and ActivityFeed roams these activities across the user's device graph.

  • If you disable this policy setting, activities can't be published and ActivityFeed disables cloud sync.

Policy change takes effect immediately.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 Disabled. Apps/OS can't publish the activities and roaming is disabled (activities aren't published to the cloud).
1 (Default) Enabled. Apps/OS can publish the activities, which are roamed across the user's device graph.

Group policy mapping:

Name Value
Name EnableActivityFeed
Friendly Name Enables Activity Feed
Location Computer Configuration
Path System > OS Policies
Registry Key Name Software\Policies\Microsoft\Windows\System
Registry Value Name EnableActivityFeed
ADMX File Name OSPolicy.admx
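
An audit of the Group Policy registry values listed in the mapping tables above, as an added example that is not part of the original page. The expected values are an assumed hardening baseline, the function name Test-PrivacyPolicyBaseline is hypothetical, and the HKLM hive is assumed from the "Computer Configuration" location.

```powershell
# Added example (not from the original page).
# Key and value names come from the "Group policy mapping" tables above.
# 'Expected' is an ASSUMED baseline: the restrictive value for each policy.
# 'IfUnset' restates the documented default, which applies when no value exists.
$Baseline = @(
    [pscustomobject]@{
        Policy   = 'AllowCrossDeviceClipboard'
        Key      = 'Software\Policies\Microsoft\Windows\System'
        Value    = 'AllowCrossDeviceClipboard'
        Expected = 0
        IfUnset  = 'Allowed (default 1)'
    }
    [pscustomobject]@{
        Policy   = 'AllowInputPersonalization'
        Key      = 'Software\Policies\Microsoft\InputPersonalization'
        Value    = 'AllowInputPersonalization'
        Expected = 0
        IfUnset  = "Choice deferred to user's preference (default 1)"
    }
    [pscustomobject]@{
        Policy   = 'DisableAdvertisingId'
        Key      = 'Software\Policies\Microsoft\Windows\AdvertisingInfo'
        Value    = 'DisabledByGroupPolicy'
        # Assumption: registry value 1 corresponds to the policy being enabled.
        Expected = 1
        IfUnset  = 'Not configured, users control the advertising ID'
    }
    [pscustomobject]@{
        Policy   = 'EnableActivityFeed'
        Key      = 'Software\Policies\Microsoft\Windows\System'
        Value    = 'EnableActivityFeed'
        Expected = 0
        IfUnset  = 'Enabled (default 1)'
    }
)

function Test-PrivacyPolicyBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        # Assumed hive for "Computer Configuration" policies.
        [string] $Hive = 'HKLM:'
    )

    foreach ($item in $Baseline) {
        $path   = Join-Path -Path $Hive -ChildPath $item.Key
        $actual = $null
        $state  = 'NotConfigured'   # key or value missing: the default applies

        if (Test-Path -LiteralPath $path) {
            $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
            if ($null -ne $props -and
                $props.PSObject.Properties.Name -contains $item.Value) {
                $actual = $props.($item.Value)
                $state  = if ($actual -eq $item.Expected) { 'Compliant' } else { 'Mismatch' }
            }
        }

        [pscustomobject]@{
            Policy   = $item.Policy
            Expected = $item.Expected
            Actual   = $actual
            State    = $state
            # Only meaningful when State is NotConfigured.
            IfUnset  = $item.IfUnset
        }
    }
}

# Read-only check of the local machine; run on the Windows device being audited.
Test-PrivacyPolicyBaseline -Baseline $Baseline | Format-Table -AutoSize
```

A NotConfigured result is not the restrictive state: for three of these four policies the documented default permits the feature. The check covers only the Group Policy registry locations named in the mapping tables.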

LetAppsAccessAccountInfo

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessAccountInfo

This policy setting specifies whether Windows apps can access account information.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access account information by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access account information and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access account information and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access account information by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps access to account information.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsAccessAccountInfo
Friendly Name Let Windows apps access account information
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessAccountInfo_ForceAllowTheseApps

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps

This policy setting specifies whether Windows apps can access account information.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access account information by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access account information and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access account information and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access account information by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessAccountInfo
Friendly Name Let Windows apps access account information
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessAccountInfo_ForceDenyTheseApps

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps

This policy setting specifies whether Windows apps can access account information.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access account information by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access account information and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access account information and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access account information by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessAccountInfo
Friendly Name Let Windows apps access account information
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessAccountInfo_UserInControlOfTheseApps

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can access account information.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access account information by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access account information and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access account information and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access account information by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessAccountInfo
Friendly Name Let Windows apps access account information
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx
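
How the default value and the three per-app lists combine for one app, as an added example that is not part of the original page. The function names and the sample Package Family Names are hypothetical and constructed; the page does not say what happens when an app appears in more than one list, so that case is only flagged for review.

```powershell
# Added example (not from the original page).
# Models the documented rule: "A per-app setting overrides the default setting."

function ConvertTo-PfnList {
    # Splits a semicolon-delimited policy string into trimmed, non-empty names.
    param([string] $Raw)
    $Raw -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Resolve-AppPrivacySetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PackageFamilyName,
        # LetAppsAccess* default: 0 user in control, 1 force allow, 2 force deny.
        [ValidateRange(0, 2)] [int] $Default = 0,
        [string] $ForceAllowTheseApps      = '',
        [string] $ForceDenyTheseApps       = '',
        [string] $UserInControlOfTheseApps = ''
    )

    $names = @{ 0 = 'User in control'; 1 = 'Force allow'; 2 = 'Force deny' }
    $lists = [ordered]@{
        'Force allow'     = @(ConvertTo-PfnList $ForceAllowTheseApps)
        'Force deny'      = @(ConvertTo-PfnList $ForceDenyTheseApps)
        'User in control' = @(ConvertTo-PfnList $UserInControlOfTheseApps)
    }

    # -contains compares case-insensitively; treating Package Family Names
    # as case-insensitive is an assumption of this example.
    $hits = @($lists.Keys | Where-Object { $lists[$_] -contains $PackageFamilyName })

    if ($hits.Count -gt 1) {
        # Outcome is not defined on the page: report it instead of guessing.
        $effective = 'Conflict'
        $source    = 'Listed in: ' + ($hits -join ', ')
    }
    elseif ($hits.Count -eq 1) {
        $effective = $hits[0]
        $source    = 'Per-app list'
    }
    else {
        $effective = $names[$Default]
        $source    = 'Default for all apps'
    }

    [pscustomobject]@{
        PackageFamilyName = $PackageFamilyName
        Effective         = $effective
        Source            = $source
    }
}

# Constructed sample policy: deny by default, allow one app, one app misfiled twice.
$policy = @{
    Default             = 2
    ForceAllowTheseApps = 'Contoso.Mail_abcdefghjkmnp; Contoso.Notes_abcdefghjkmnp'
    ForceDenyTheseApps  = 'Contoso.Notes_abcdefghjkmnp;'
}

'Contoso.Mail_abcdefghjkmnp',
'Contoso.Notes_abcdefghjkmnp',
'Contoso.Other_abcdefghjkmnp' |
    ForEach-Object { Resolve-AppPrivacySetting -PackageFamilyName $_ @policy } |
    Format-Table -AutoSize
```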

LetAppsAccessBackgroundSpatialPerception

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1903 [10.0.18362] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessBackgroundSpatialPerception

This policy setting specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background.

Note

Currently, this policy is supported only in Microsoft HoloLens 2.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1903 [10.0.18362] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps

List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps.

Note

Currently, this policy is supported only in Microsoft HoloLens 2.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1903 [10.0.18362] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps

List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps.

Note

Currently, this policy is supported only in Microsoft HoloLens 2.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1903 [10.0.18362] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps

List of semicolon-delimited Package Family Names of Windows Store Apps. The user can control the user-movements privacy setting for the listed apps. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps.

Note

Currently, this policy is supported only in Microsoft HoloLens 2.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

LetAppsAccessCalendar

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCalendar

This policy setting specifies whether Windows apps can access the calendar.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the calendar by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access the calendar and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access the calendar and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access the calendar by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps access to the calendar.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsAccessCalendar
Friendly Name Let Windows apps access the calendar
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessCalendar_ForceAllowTheseApps

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCalendar_ForceAllowTheseApps

This policy setting specifies whether Windows apps can access the calendar.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the calendar by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access the calendar and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access the calendar and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access the calendar by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessCalendar
Friendly Name Let Windows apps access the calendar
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessCalendar_ForceDenyTheseApps

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCalendar_ForceDenyTheseApps

This policy setting specifies whether Windows apps can access the calendar.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the calendar by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access the calendar and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access the calendar and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access the calendar by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessCalendar
Friendly Name Let Windows apps access the calendar
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessCalendar_UserInControlOfTheseApps

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can access the calendar.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the calendar by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access the calendar and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access the calendar and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access the calendar by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessCalendar
Friendly Name Let Windows apps access the calendar
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessCallHistory

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCallHistory

This policy setting specifies whether Windows apps can access call history.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access call history by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access the call history and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access the call history and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access the call history by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps access to call history.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsAccessCallHistory
Friendly Name Let Windows apps access call history
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessCallHistory_ForceAllowTheseApps

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps

This policy setting specifies whether Windows apps can access call history.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access call history by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access the call history and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access the call history and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access the call history by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessCallHistory
Friendly Name Let Windows apps access call history
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessCallHistory_ForceDenyTheseApps

Scope: ✅ Device, ❌ User
Editions: ✅ Pro, ✅ Enterprise, ✅ Education, ✅ Windows SE, ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS: ✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps

This policy setting specifies whether Windows apps can access call history.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access call history by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access the call history and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access the call history and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access the call history by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessCallHistory
Friendly Name Let Windows apps access call history
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessCallHistory_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can access call history.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access call history by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access the call history and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access the call history and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access the call history by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessCallHistory
Friendly Name Let Windows apps access call history
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessCamera

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCamera

This policy setting specifies whether Windows apps can access the camera.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the camera by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access the camera and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access the camera and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access the camera by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps access to the camera.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsAccessCamera
Friendly Name Let Windows apps access the camera
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessCamera_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCamera_ForceAllowTheseApps

This policy setting specifies whether Windows apps can access the camera.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the camera by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access the camera and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access the camera and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access the camera by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessCamera
Friendly Name Let Windows apps access the camera
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessCamera_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCamera_ForceDenyTheseApps

This policy setting specifies whether Windows apps can access the camera.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the camera by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access the camera and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access the camera and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access the camera by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessCamera
Friendly Name Let Windows apps access the camera
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessCamera_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCamera_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can access the camera.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the camera by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access the camera and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access the camera and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access the camera by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessCamera
Friendly Name Let Windows apps access the camera
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx
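
The default-plus-override model described above for LetAppsAccessCamera and its three per-app lists can be checked before deployment with a short script. This is an added PowerShell example, not code from the original page: the function names and the Contoso Package Family Names are constructed, and because the page does not say which list wins when an app appears in more than one, the script reports that case as a conflict instead of picking a winner.

```powershell
# Added example: resolve the effective camera setting per app from the four
# LetAppsAccessCamera* values. Function names and sample data are constructed.

# Allowed values of the default policy, as listed in the table above.
$SettingName = @{ 0 = 'User in control'; 1 = 'Force allow'; 2 = 'Force deny' }

function ConvertTo-PfnList {
    param([string]$Value)
    # CSP list format: Package Family Names separated by ';'.
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    return @($Value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Resolve-AppPrivacySetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable]$Policy,
        [Parameter(Mandatory)] [string]$Capability,
        [Parameter(Mandatory)] [string[]]$PackageFamilyName
    )

    # Default for all apps; 0 (user in control) when the policy is not configured.
    $default = 0
    if ($Policy.ContainsKey($Capability)) { $default = [int]$Policy[$Capability] }
    if ($default -lt 0 -or $default -gt 2) {
        throw "$Capability must be 0, 1 or 2 (got $default)"
    }

    # Per-app lists, keyed by the setting value each list enforces.
    $lists = @{
        0 = @(ConvertTo-PfnList $Policy["${Capability}_UserInControlOfTheseApps"])
        1 = @(ConvertTo-PfnList $Policy["${Capability}_ForceAllowTheseApps"])
        2 = @(ConvertTo-PfnList $Policy["${Capability}_ForceDenyTheseApps"])
    }

    foreach ($pfn in $PackageFamilyName) {
        # Which per-app lists name this app? (-contains ignores case for strings)
        $hits = @(0, 1, 2 | Where-Object { $lists[$_] -contains $pfn })

        if ($hits.Count -gt 1) {
            # Outcome is not documented on this page, so flag it for review.
            $effective = 'CONFLICT'
            $source    = 'listed in: ' + (($hits | ForEach-Object { $SettingName[$_] }) -join ', ')
        }
        elseif ($hits.Count -eq 1) {
            # A per-app setting overrides the default setting.
            $effective = $SettingName[$hits[0]]
            $source    = 'per-app list'
        }
        else {
            $effective = $SettingName[$default]
            $source    = 'default for all apps'
        }

        [pscustomobject]@{
            PackageFamilyName = $pfn
            Effective         = $effective
            Source            = $source
        }
    }
}

# Constructed sample policy: deny by default, with per-app exceptions.
# Contoso.Scanner is deliberately placed in two lists to show the conflict report.
$policy = @{
    LetAppsAccessCamera                          = 2
    LetAppsAccessCamera_ForceAllowTheseApps      = 'Contoso.Conferencing_1a2b3c4d5e6f7;Contoso.Scanner_1a2b3c4d5e6f7'
    LetAppsAccessCamera_UserInControlOfTheseApps = 'Contoso.Notes_1a2b3c4d5e6f7'
    LetAppsAccessCamera_ForceDenyTheseApps       = 'Contoso.Scanner_1a2b3c4d5e6f7'
}

# Constructed app inventory; on a device use: (Get-AppPackage).PackageFamilyName
$apps = @(
    'Contoso.Conferencing_1a2b3c4d5e6f7'
    'Contoso.Notes_1a2b3c4d5e6f7'
    'Contoso.Scanner_1a2b3c4d5e6f7'
    'Contoso.Unlisted_1a2b3c4d5e6f7'
)

Resolve-AppPrivacySetting -Policy $policy -Capability 'LetAppsAccessCamera' -PackageFamilyName $apps |
    Format-Table -AutoSize
```

The same function works for the other capabilities on this page that follow the `<Policy>`, `<Policy>_ForceAllowTheseApps`, `<Policy>_ForceDenyTheseApps`, `<Policy>_UserInControlOfTheseApps` naming pattern by changing the `-Capability` argument.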

LetAppsAccessContacts

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessContacts

This policy setting specifies whether Windows apps can access contacts.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access contacts by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access contacts and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access contacts and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access contacts by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps access to contacts.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsAccessContacts
Friendly Name Let Windows apps access contacts
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessContacts_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessContacts_ForceAllowTheseApps

This policy setting specifies whether Windows apps can access contacts.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access contacts by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access contacts and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access contacts and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access contacts by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessContacts
Friendly Name Let Windows apps access contacts
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessContacts_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessContacts_ForceDenyTheseApps

This policy setting specifies whether Windows apps can access contacts.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access contacts by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access contacts and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access contacts and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access contacts by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessContacts
Friendly Name Let Windows apps access contacts
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessContacts_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessContacts_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can access contacts.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access contacts by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access contacts and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access contacts and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access contacts by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessContacts
Friendly Name Let Windows apps access contacts
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessEmail

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail

This policy setting specifies whether Windows apps can access email.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access email by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access email and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access email and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access email by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps access to email.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsAccessEmail
Friendly Name Let Windows apps access email
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessEmail_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail_ForceAllowTheseApps

This policy setting specifies whether Windows apps can access email.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access email by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access email and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access email and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access email by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessEmail
Friendly Name Let Windows apps access email
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessEmail_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail_ForceDenyTheseApps

This policy setting specifies whether Windows apps can access email.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access email by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access email and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access email and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access email by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessEmail
Friendly Name Let Windows apps access email
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessEmail_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can access email.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access email by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access email and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access email and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access email by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessEmail
Friendly Name Let Windows apps access email
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessGazeInput

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 [10.0.17134] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGazeInput

This policy setting specifies whether Windows apps can access the eye tracker.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-2]
Default Value 0

LetAppsAccessGazeInput_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 [10.0.17134] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps

Semicolon-delimited list of Package Family Names of Windows Store apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

LetAppsAccessGazeInput_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 [10.0.17134] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps

Semicolon-delimited list of Package Family Names of Windows Store apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

LetAppsAccessGazeInput_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 [10.0.17134] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps

Semicolon-delimited list of Package Family Names of Windows Store apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

LetAppsAccessGraphicsCaptureProgrammatic

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureProgrammatic

This policy setting specifies whether Windows apps can take screenshots of various windows or displays.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can take screenshots of various windows or displays by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to take screenshots of various windows or displays and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to take screenshots of various windows or displays and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can take screenshots of various windows or displays by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-2]
Default Value 0

Group policy mapping:

Name Value
Name LetAppsAccessGraphicsCaptureProgrammatic
Friendly Name Let Windows apps take screenshots of various windows or displays
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessGraphicsCaptureProgrammatic_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureProgrammatic_ForceAllowTheseApps

This policy setting specifies whether Windows apps can take screenshots of various windows or displays.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can take screenshots of various windows or displays by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to take screenshots of various windows or displays and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to take screenshots of various windows or displays and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can take screenshots of various windows or displays by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessGraphicsCaptureProgrammatic
Friendly Name Let Windows apps take screenshots of various windows or displays
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessGraphicsCaptureProgrammatic_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureProgrammatic_ForceDenyTheseApps

This policy setting specifies whether Windows apps can take screenshots of various windows or displays.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can take screenshots of various windows or displays by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to take screenshots of various windows or displays and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to take screenshots of various windows or displays and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can take screenshots of various windows or displays by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessGraphicsCaptureProgrammatic
Friendly Name Let Windows apps take screenshots of various windows or displays
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessGraphicsCaptureProgrammatic_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureProgrammatic_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can take screenshots of various windows or displays.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can take screenshots of various windows or displays by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to take screenshots of various windows or displays and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to take screenshots of various windows or displays and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can take screenshots of various windows or displays by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessGraphicsCaptureProgrammatic
Friendly Name Let Windows apps take screenshots of various windows or displays
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessGraphicsCaptureWithoutBorder

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureWithoutBorder

This policy setting specifies whether Windows apps can turn off the screenshot border.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can turn off the screenshot border by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to turn off the screenshot border and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to turn off the screenshot border and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can turn off the screenshot border by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-2]
Default Value 0

Group policy mapping:

Name Value
Name LetAppsAccessGraphicsCaptureWithoutBorder
Friendly Name Let Windows apps turn off the screenshot border
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessGraphicsCaptureWithoutBorder_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureWithoutBorder_ForceAllowTheseApps

This policy setting specifies whether Windows apps can turn off the screenshot border.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can turn off the screenshot border by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to turn off the screenshot border and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to turn off the screenshot border and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can turn off the screenshot border by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessGraphicsCaptureWithoutBorder
Friendly Name Let Windows apps turn off the screenshot border
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessGraphicsCaptureWithoutBorder_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureWithoutBorder_ForceDenyTheseApps

This policy setting specifies whether Windows apps can turn off the screenshot border.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can turn off the screenshot border by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to turn off the screenshot border and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to turn off the screenshot border and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can turn off the screenshot border by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessGraphicsCaptureWithoutBorder
Friendly Name Let Windows apps turn off the screenshot border
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessGraphicsCaptureWithoutBorder_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 21H2 [10.0.22000] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureWithoutBorder_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can turn off the screenshot border.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can turn off the screenshot border by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to turn off the screenshot border and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to turn off the screenshot border and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can turn off the screenshot border by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessGraphicsCaptureWithoutBorder
Friendly Name Let Windows apps turn off the screenshot border
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessHumanPresence

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows Insider Preview [10.0.25000]
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessHumanPresence

This policy setting specifies whether Windows apps can access presence sensing.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access presence sensing and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access presence sensing and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsAccessHumanPresence
Friendly Name Let Windows apps access presence sensing
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessHumanPresence_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows Insider Preview [10.0.25000]
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessHumanPresence_ForceAllowTheseApps

This policy setting specifies whether Windows apps can access presence sensing.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access presence sensing and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access presence sensing and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessHumanPresence
Friendly Name Let Windows apps access presence sensing
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessHumanPresence_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows Insider Preview [10.0.25000]
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessHumanPresence_ForceDenyTheseApps

This policy setting specifies whether Windows apps can access presence sensing.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access presence sensing and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access presence sensing and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessHumanPresence
Friendly Name Let Windows apps access presence sensing
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessHumanPresence_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows Insider Preview [10.0.25000]
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessHumanPresence_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can access presence sensing.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access presence sensing and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access presence sensing and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access presence sensing by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessHumanPresence
Friendly Name Let Windows apps access presence sensing
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessLocation

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessLocation

This policy setting specifies whether Windows apps can access location.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access location by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access location and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access location and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access location by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps access to the device's location.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsAccessLocation
Friendly Name Let Windows apps access location
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessLocation_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessLocation_ForceAllowTheseApps

This policy setting specifies whether Windows apps can access location.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access location by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access location and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access location and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access location by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessLocation
Friendly Name Let Windows apps access location
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessLocation_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessLocation_ForceDenyTheseApps

This policy setting specifies whether Windows apps can access location.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access location by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access location and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access location and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access location by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessLocation
Friendly Name Let Windows apps access location
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessLocation_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessLocation_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can access location.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access location by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access location and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access location and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access location by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessLocation
Friendly Name Let Windows apps access location
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx
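
As an added example (not part of the CSP reference and not Microsoft's code), the PowerShell function below resolves the effective location setting per Package Family Name from the default value (0-2) and the three semicolon-delimited per-app lists, applying the rule that a per-app setting overrides the default. The function and parameter names and the Contoso PFNs are hypothetical, PFNs are compared case-insensitively as an assumption, and because the page doesn't say what happens when a PFN appears in more than one list, the function reports that case as a conflict instead of picking a winner.

```powershell
# Added example: audit helper for the LetAppsAccessLocation policy family.
# Inputs mirror the four CSP nodes; nothing is read from or written to a device.

function ConvertFrom-PfnList {
    # Split a CSP list value (delimiter ';') into trimmed, non-empty PFNs.
    param([string]$Value)
    $Value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Resolve-AppPrivacySetting {
    param(
        # LetAppsAccessLocation: 0 = User in control, 1 = Force allow, 2 = Force deny.
        [ValidateRange(0, 2)][int]$DefaultForAllApps = 0,
        [string]$ForceAllowTheseApps = '',
        [string]$ForceDenyTheseApps = '',
        [string]$UserInControlOfTheseApps = '',
        # PFNs to evaluate; when omitted, every PFN found in the lists is reported.
        [string[]]$PackageFamilyName
    )

    $labels = @{ 0 = 'User in control'; 1 = 'Force allow'; 2 = 'Force deny' }
    $lists = [ordered]@{
        'Force allow'     = $ForceAllowTheseApps
        'Force deny'      = $ForceDenyTheseApps
        'User in control' = $UserInControlOfTheseApps
    }

    # Map each PFN (lower-cased; case-insensitive match is an assumption)
    # to the name of every per-app list it appears in.
    $membership = @{}
    foreach ($entry in $lists.GetEnumerator()) {
        foreach ($pfn in (ConvertFrom-PfnList $entry.Value)) {
            $key = $pfn.ToLowerInvariant()
            if (-not $membership.ContainsKey($key)) {
                $membership[$key] = [System.Collections.Generic.List[string]]::new()
            }
            if (-not $membership[$key].Contains($entry.Key)) {
                $membership[$key].Add($entry.Key)
            }
        }
    }

    if (-not $PackageFamilyName) { $PackageFamilyName = @($membership.Keys) }

    foreach ($pfn in $PackageFamilyName) {
        $hits = $membership[$pfn.ToLowerInvariant()]
        if ($null -eq $hits) {
            # Not listed anywhere: the default for all apps applies.
            $effective = $labels[$DefaultForAllApps]
            $source = 'Default for all apps'
        } elseif ($hits.Count -eq 1) {
            # Listed once: the per-app setting overrides the default.
            $effective = $hits[0]
            $source = 'Per-app list'
        } else {
            # Listed in several lists: outcome is not documented on this page.
            $effective = 'CONFLICT'
            $source = "Listed in: $($hits -join ', ')"
        }
        [pscustomobject]@{
            PackageFamilyName = $pfn
            Effective         = $effective
            Source            = $source
        }
    }
}

# Constructed sample: default is Force deny (2, the most restrictive value)
# with per-app exceptions. The PFNs are placeholders, not real packages.
$policy = @{
    DefaultForAllApps        = 2
    ForceAllowTheseApps      = 'Contoso.Maps_1a2b3c4d5e6f7;Contoso.Fleet_1a2b3c4d5e6f7'
    ForceDenyTheseApps       = 'Contoso.Fleet_1a2b3c4d5e6f7'
    UserInControlOfTheseApps = 'Contoso.Weather_1a2b3c4d5e6f7; '
}
$apps = 'Contoso.Maps_1a2b3c4d5e6f7', 'Contoso.Fleet_1a2b3c4d5e6f7',
        'Contoso.Weather_1a2b3c4d5e6f7', 'Contoso.Notes_1a2b3c4d5e6f7'

Resolve-AppPrivacySetting @policy -PackageFamilyName $apps | Format-Table -AutoSize
```

Rows marked CONFLICT are the ones to clean up before deployment, since a PFN that sits in both the allow and deny lists makes the intended outcome ambiguous.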

LetAppsAccessMessaging

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMessaging

This policy setting specifies whether Windows apps can read or send messages (text or MMS).

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can read or send messages by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps can read or send messages and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps can't read or send messages and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can read or send messages by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps access to messaging.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsAccessMessaging
Friendly Name Let Windows apps access messaging
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessMessaging_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMessaging_ForceAllowTheseApps

This policy setting specifies whether Windows apps can read or send messages (text or MMS).

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can read or send messages by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps can read or send messages and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps can't read or send messages and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can read or send messages by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessMessaging
Friendly Name Let Windows apps access messaging
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessMessaging_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMessaging_ForceDenyTheseApps

This policy setting specifies whether Windows apps can read or send messages (text or MMS).

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can read or send messages by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps can read or send messages and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps can't read or send messages and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can read or send messages by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessMessaging
Friendly Name Let Windows apps access messaging
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessMessaging_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can read or send messages (text or MMS).

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can read or send messages by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps can read or send messages and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps can't read or send messages and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can read or send messages by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessMessaging
Friendly Name Let Windows apps access messaging
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessMicrophone

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMicrophone

This policy setting specifies whether Windows apps can access the microphone.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the microphone by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access the microphone and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access the microphone and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access the microphone by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps access to the microphone.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsAccessMicrophone
Friendly Name Let Windows apps access the microphone
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessMicrophone_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps

This policy setting specifies whether Windows apps can access the microphone.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the microphone by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access the microphone and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access the microphone and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access the microphone by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessMicrophone
Friendly Name Let Windows apps access the microphone
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessMicrophone_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps

This policy setting specifies whether Windows apps can access the microphone.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the microphone by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access the microphone and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access the microphone and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access the microphone by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessMicrophone
Friendly Name Let Windows apps access the microphone
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessMicrophone_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can access the microphone.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the microphone by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access the microphone and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access the microphone and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access the microphone by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessMicrophone
Friendly Name Let Windows apps access the microphone
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx
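
The four microphone settings above combine into one decision per app: a per-app list entry overrides the default. The following PowerShell is an added example, not part of the original page or Microsoft's own code, that resolves that decision for a set of Package Family Names. The function names, the constructed Contoso Package Family Names, the case-insensitive comparison, and the choice to report an app that appears in more than one list as a conflict (the page doesn't define precedence between lists) are assumptions.

```powershell
# Added example: resolve the effective setting per app from the four CSP values
# (default int plus three ';'-delimited Package Family Name lists).
# All sample values below are constructed.

function ConvertTo-PfnList {
    # Split a ';'-delimited CSP list into trimmed, non-empty Package Family Names.
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    return @($Value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Get-EffectiveAppPrivacy {
    param(
        # 0 = User in control, 1 = Force allow, 2 = Force deny (allowed values on the page).
        [ValidateRange(0, 2)][int]$Default = 0,
        [string]$ForceAllowTheseApps,
        [string]$ForceDenyTheseApps,
        [string]$UserInControlOfTheseApps,
        [Parameter(Mandatory)][string[]]$PackageFamilyName
    )

    $stateName = @{ 0 = 'User in control'; 1 = 'Force allow'; 2 = 'Force deny' }
    $lists = [ordered]@{
        'Force allow'     = @(ConvertTo-PfnList $ForceAllowTheseApps)
        'Force deny'      = @(ConvertTo-PfnList $ForceDenyTheseApps)
        'User in control' = @(ConvertTo-PfnList $UserInControlOfTheseApps)
    }

    foreach ($pfn in $PackageFamilyName) {
        # -contains is case-insensitive in PowerShell (assumption for PFN matching).
        $hits = @($lists.Keys | Where-Object { $lists[$_] -contains $pfn })

        if ($hits.Count -gt 1) {
            # Assumption: the page doesn't say which list wins, so flag it for review.
            $effective = 'Conflict'
            $source    = "listed in: $($hits -join ', ')"
        }
        elseif ($hits.Count -eq 1) {
            # A per-app setting overrides the default setting.
            $effective = $hits[0]
            $source    = 'per-app list'
        }
        else {
            $effective = $stateName[$Default]
            $source    = 'default for all apps'
        }

        [pscustomobject]@{
            PackageFamilyName = $pfn
            Effective         = $effective
            Source            = $source
        }
    }
}

# Constructed policy: deny by default, allow one conferencing app, and one app
# that was mistakenly placed in both the allow and deny lists.
$policy = @{
    Default             = 2
    ForceAllowTheseApps = 'Contoso.Conference_0000000000000; Contoso.Recorder_0000000000000'
    ForceDenyTheseApps  = 'Contoso.Recorder_0000000000000'
    PackageFamilyName   = @(
        'Contoso.Conference_0000000000000',
        'Contoso.Recorder_0000000000000',
        'Contoso.Notes_0000000000000'
    )
}

Get-EffectiveAppPrivacy @policy | Format-Table -AutoSize
```

On a managed device, pass `(Get-AppPackage).PackageFamilyName` as `-PackageFamilyName` to review every installed app against the configured values.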

LetAppsAccessMotion

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMotion

This policy setting specifies whether Windows apps can access motion data.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access motion data by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access motion data and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access motion data and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access motion data by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps access to motion data.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsAccessMotion
Friendly Name Let Windows apps access motion
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessMotion_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMotion_ForceAllowTheseApps

This policy setting specifies whether Windows apps can access motion data.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access motion data by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access motion data and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access motion data and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access motion data by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessMotion
Friendly Name Let Windows apps access motion
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessMotion_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMotion_ForceDenyTheseApps

This policy setting specifies whether Windows apps can access motion data.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access motion data by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access motion data and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access motion data and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access motion data by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessMotion
Friendly Name Let Windows apps access motion
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessMotion_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMotion_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can access motion data.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access motion data by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access motion data and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access motion data and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access motion data by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessMotion
Friendly Name Let Windows apps access motion
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessNotifications

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessNotifications

This policy setting specifies whether Windows apps can access notifications.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access notifications by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access notifications and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access notifications and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access notifications by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps access to notifications.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsAccessNotifications
Friendly Name Let Windows apps access notifications
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessNotifications_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessNotifications_ForceAllowTheseApps

This policy setting specifies whether Windows apps can access notifications.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access notifications by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access notifications and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access notifications and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access notifications by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessNotifications
Friendly Name Let Windows apps access notifications
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessNotifications_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessNotifications_ForceDenyTheseApps

This policy setting specifies whether Windows apps can access notifications.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access notifications by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access notifications and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access notifications and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access notifications by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessNotifications
Friendly Name Let Windows apps access notifications
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessNotifications_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can access notifications.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access notifications by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access notifications and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access notifications and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access notifications by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessNotifications
Friendly Name Let Windows apps access notifications
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessPhone

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessPhone

This policy setting specifies whether Windows apps can make phone calls.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can make phone calls by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to make phone calls and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to make phone calls and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can make phone calls by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps access to make phone calls.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsAccessPhone
Friendly Name Let Windows apps make phone calls
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessPhone_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessPhone_ForceAllowTheseApps

This policy setting specifies whether Windows apps can make phone calls.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can make phone calls by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to make phone calls and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to make phone calls and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can make phone calls by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessPhone
Friendly Name Let Windows apps make phone calls
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessPhone_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessPhone_ForceDenyTheseApps

This policy setting specifies whether Windows apps can make phone calls.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can make phone calls by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to make phone calls and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to make phone calls and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can make phone calls by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessPhone
Friendly Name Let Windows apps make phone calls
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessPhone_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessPhone_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can make phone calls.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can make phone calls by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to make phone calls and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to make phone calls and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can make phone calls by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessPhone
Friendly Name Let Windows apps make phone calls
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessRadios

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessRadios

This policy setting specifies whether Windows apps have access to control radios.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps have access to control radios by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps will have access to control radios and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps won't have access to control radios and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps have access to control radios by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps access to control radios.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsAccessRadios
Friendly Name Let Windows apps control radios
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessRadios_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessRadios_ForceAllowTheseApps

This policy setting specifies whether Windows apps have access to control radios.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps have access to control radios by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps will have access to control radios and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps won't have access to control radios and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps have access to control radios by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessRadios
Friendly Name Let Windows apps control radios
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessRadios_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessRadios_ForceDenyTheseApps

This policy setting specifies whether Windows apps have access to control radios.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps have access to control radios by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps will have access to control radios and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps won't have access to control radios and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps have access to control radios by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessRadios
Friendly Name Let Windows apps control radios
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessRadios_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessRadios_UserInControlOfTheseApps

This policy setting specifies whether Windows apps have access to control radios.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps have access to control radios by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps will have access to control radios and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps won't have access to control radios and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps have access to control radios by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessRadios
Friendly Name Let Windows apps control radios
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx
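The four LetAppsAccessRadios settings above combine into one effective state per app: the integer default (0, 1 or 2) applies unless the app's Package Family Name appears in one of the `;`-delimited per-app lists. The following PowerShell is an added example, not part of the original documentation. It resolves that state offline from a set of intended values and flags a Package Family Name that appears in more than one list, since the page doesn't say which list would win. The function names, the hashtable layout and the Contoso package names are constructed for illustration.

```powershell
# Added example: lint one LetAppsAccess* policy family before deployment.
# Function names and sample values are hypothetical; nothing here touches the device.

function Split-PfnList {
    param([string]$Value)
    # The per-app policies are "chr (string)" lists delimited by ';'.
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    return @($Value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Resolve-AppPrivacyPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Capability,    # for example 'LetAppsAccessRadios'
        [Parameter(Mandatory)][hashtable]$Settings,   # policy name -> intended value
        [string[]]$InstalledPfn = @()                 # extra apps to report on
    )

    # Allowed values of the default policy, as listed on the page.
    $stateName = @{ 0 = 'UserInControl'; 1 = 'ForceAllow'; 2 = 'ForceDeny' }

    $default = 0   # documented default value: user in control
    if ($Settings.ContainsKey($Capability)) { $default = [int]($Settings[$Capability]) }
    if (-not $stateName.ContainsKey($default)) {
        throw "$Capability default must be 0, 1 or 2 (got $default)"
    }

    # The three per-app list policies that belong to this capability.
    $lists = [ordered]@{
        UserInControl = "${Capability}_UserInControlOfTheseApps"
        ForceAllow    = "${Capability}_ForceAllowTheseApps"
        ForceDeny     = "${Capability}_ForceDenyTheseApps"
    }

    # PFN -> every per-app state it was assigned (hashtable keys compare case-insensitively).
    $perApp = @{}
    foreach ($state in $lists.Keys) {
        $raw = $Settings[$lists[$state]]
        foreach ($pfn in @(Split-PfnList -Value $raw)) {
            if (-not $perApp.ContainsKey($pfn)) { $perApp[$pfn] = @() }
            $perApp[$pfn] += $state
        }
    }

    $all = @($perApp.Keys) + @($InstalledPfn) | Sort-Object -Unique
    foreach ($pfn in $all) {
        if ($perApp.ContainsKey($pfn)) {
            $states = @($perApp[$pfn] | Select-Object -Unique)
        } else {
            $states = @()
        }

        if ($states.Count -gt 1) {
            # Listed in more than one per-app policy: report it instead of guessing.
            $effective = 'CONFLICT'
            $source    = $states -join ','
        } elseif ($states.Count -eq 1) {
            # A per-app setting overrides the default setting.
            $effective = $states[0]
            $source    = $lists[$states[0]]
        } else {
            $effective = $stateName[$default]
            $source    = "$Capability (default)"
        }

        [pscustomobject]@{
            PackageFamilyName = $pfn
            Effective         = $effective
            Source            = $source
        }
    }
}

# Constructed sample: default is Force deny (2) with per-app exceptions.
# Contoso.FieldApp is deliberately listed twice to show the conflict report.
$sample = @{
    LetAppsAccessRadios                          = 2
    LetAppsAccessRadios_ForceAllowTheseApps      = 'Contoso.RadioManager_1a2b3c4d5e6f7;Contoso.FieldApp_1a2b3c4d5e6f7'
    LetAppsAccessRadios_ForceDenyTheseApps       = 'Contoso.FieldApp_1a2b3c4d5e6f7'
    LetAppsAccessRadios_UserInControlOfTheseApps = 'Contoso.Notes_1a2b3c4d5e6f7'
}

# On a managed device, (Get-AppPackage).PackageFamilyName can supply -InstalledPfn.
Resolve-AppPrivacyPolicy -Capability 'LetAppsAccessRadios' -Settings $sample `
    -InstalledPfn 'Contoso.Viewer_1a2b3c4d5e6f7' | Format-Table -AutoSize
```

The same function works for the other families on this page (for example LetAppsAccessTasks or LetAppsAccessTrustedDevices) by changing `-Capability`.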

LetAppsAccessTasks

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTasks

This policy setting specifies whether Windows apps can access tasks.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access tasks by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access tasks and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access tasks and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access tasks by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-2]
Default Value 0

Group policy mapping:

Name Value
Name LetAppsAccessTasks
Friendly Name Let Windows apps access Tasks
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessTasks_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTasks_ForceAllowTheseApps

This policy setting specifies whether Windows apps can access tasks.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access tasks by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access tasks and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access tasks and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access tasks by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessTasks
Friendly Name Let Windows apps access Tasks
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessTasks_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTasks_ForceDenyTheseApps

This policy setting specifies whether Windows apps can access tasks.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access tasks by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access tasks and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access tasks and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access tasks by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessTasks
Friendly Name Let Windows apps access Tasks
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessTasks_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTasks_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can access tasks.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access tasks by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access tasks and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access tasks and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access tasks by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessTasks
Friendly Name Let Windows apps access Tasks
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessTrustedDevices

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTrustedDevices

This policy setting specifies whether Windows apps can access trusted devices.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access trusted devices by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access trusted devices and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access trusted devices and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access trusted devices by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps access to trusted devices.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsAccessTrustedDevices
Friendly Name Let Windows apps access trusted devices
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessTrustedDevices_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps

This policy setting specifies whether Windows apps can access trusted devices.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access trusted devices by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access trusted devices and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access trusted devices and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access trusted devices by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessTrustedDevices
Friendly Name Let Windows apps access trusted devices
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessTrustedDevices_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps

This policy setting specifies whether Windows apps can access trusted devices.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access trusted devices by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access trusted devices and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access trusted devices and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access trusted devices by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessTrustedDevices
Friendly Name Let Windows apps access trusted devices
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsAccessTrustedDevices_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can access trusted devices.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access trusted devices by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to access trusted devices and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to access trusted devices and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access trusted devices by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsAccessTrustedDevices
Friendly Name Let Windows apps access trusted devices
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsActivateWithVoice

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsActivateWithVoice

This policy setting specifies whether Windows apps can be activated by voice.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can be activated with a voice keyword by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to be activated with a voice keyword and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to be activated with a voice keyword and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can be activated with a voice keyword by using Settings > Privacy on the device.

This policy is applied to Windows apps and Cortana.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control. Users can decide if Windows apps can be activated by voice using Settings > Privacy options on the device.
1 Force allow. Windows apps can be activated by voice and users can't change it.
2 Force deny. Windows apps can't be activated by voice and users can't change it.

Group policy mapping:

Name Value
Name LetAppsActivateWithVoice
Friendly Name Let Windows apps activate with voice
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsActivateWithVoiceAboveLock

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1903 [10.0.18362] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsActivateWithVoiceAboveLock

This policy setting specifies whether Windows apps can be activated by voice while the system is locked.

If you choose the "User is in control" option, employees in your organization can decide whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the device.

If you choose the "Force Allow" option, users can interact with applications using speech while the system is locked and employees in your organization can't change it.

If you choose the "Force Deny" option, users can't interact with applications using speech while the system is locked and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the device.

This policy is applied to Windows apps and Cortana. It takes precedence over the "Allow Cortana above lock" policy. This policy is applicable only when the "Allow voice activation" policy is configured to allow applications to be activated with voice.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control. Users can decide if Windows apps can be activated by voice while the screen is locked using Settings > Privacy options on the device.
1 Force allow. Windows apps can be activated by voice while the screen is locked, and users can't change it.
2 Force deny. Windows apps can't be activated by voice while the screen is locked, and users can't change it.

Group policy mapping:

Name Value
Name LetAppsActivateWithVoiceAboveLock
Friendly Name Let Windows apps activate with voice while the system is locked
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsGetDiagnosticInfo

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsGetDiagnosticInfo

This policy setting specifies whether Windows apps can get diagnostic information about other Windows apps, including user name.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can get diagnostic information about other apps using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to get diagnostic information about other apps and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to get diagnostic information about other apps and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can get diagnostic information about other apps by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps access to diagnostic data.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsGetDiagnosticInfo
Friendly Name Let Windows apps access diagnostic information about other apps
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsGetDiagnosticInfo_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps

This policy setting specifies whether Windows apps can get diagnostic information about other Windows apps, including user name.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can get diagnostic information about other apps by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to get diagnostic information about other apps and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to get diagnostic information about other apps and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can get diagnostic information about other apps by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsGetDiagnosticInfo
Friendly Name Let Windows apps access diagnostic information about other apps
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsGetDiagnosticInfo_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps

This policy setting specifies whether Windows apps can get diagnostic information about other Windows apps, including user name.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can get diagnostic information about other apps by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to get diagnostic information about other apps and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to get diagnostic information about other apps and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can get diagnostic information about other apps by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsGetDiagnosticInfo
Friendly Name Let Windows apps access diagnostic information about other apps
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsGetDiagnosticInfo_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can get diagnostic information about other Windows apps, including user name.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can get diagnostic information about other apps by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to get diagnostic information about other apps and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to get diagnostic information about other apps and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can get diagnostic information about other apps by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsGetDiagnosticInfo
Friendly Name Let Windows apps access diagnostic information about other apps
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsRunInBackground

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsRunInBackground

This policy setting specifies whether Windows apps can run in the background.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can run in the background by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to run in the background and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to run in the background and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can run in the background by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps from running in the background.

Warning

Be careful when you determine which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. If you turn off background activity for these types of apps, it could cause text message, email, and voicemail notifications to not function. This policy could also cause background email syncing to not function properly.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsRunInBackground
Friendly Name Let Windows apps run in the background
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsRunInBackground_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsRunInBackground_ForceAllowTheseApps

This policy setting specifies whether Windows apps can run in the background.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can run in the background by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to run in the background and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to run in the background and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can run in the background by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsRunInBackground
Friendly Name Let Windows apps run in the background
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsRunInBackground_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsRunInBackground_ForceDenyTheseApps

This policy setting specifies whether Windows apps can run in the background.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can run in the background by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to run in the background and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to run in the background and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can run in the background by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsRunInBackground
Friendly Name Let Windows apps run in the background
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsRunInBackground_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1703 [10.0.15063] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsRunInBackground_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can run in the background.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can run in the background by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to run in the background and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to run in the background and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can run in the background by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsRunInBackground
Friendly Name Let Windows apps run in the background
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsSyncWithDevices

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsSyncWithDevices

This policy setting specifies whether Windows apps can communicate with unpaired wireless devices.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can communicate with unpaired wireless devices by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to communicate with unpaired wireless devices and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to communicate with unpaired wireless devices and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can communicate with unpaired wireless devices by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

The most restrictive value is 2 to deny apps syncing with devices.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) User in control.
1 Force allow.
2 Force deny.

Group policy mapping:

Name Value
Name LetAppsSyncWithDevices
Friendly Name Let Windows apps communicate with unpaired devices
Element Name Default for all apps.
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsSyncWithDevices_ForceAllowTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps

This policy setting specifies whether Windows apps can communicate with unpaired wireless devices.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can communicate with unpaired wireless devices by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to communicate with unpaired wireless devices and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to communicate with unpaired wireless devices and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can communicate with unpaired wireless devices by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsSyncWithDevices
Friendly Name Let Windows apps communicate with unpaired devices
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsSyncWithDevices_ForceDenyTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps

This policy setting specifies whether Windows apps can communicate with unpaired wireless devices.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can communicate with unpaired wireless devices by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to communicate with unpaired wireless devices and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to communicate with unpaired wireless devices and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can communicate with unpaired wireless devices by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsSyncWithDevices
Friendly Name Let Windows apps communicate with unpaired devices
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx

LetAppsSyncWithDevices_UserInControlOfTheseApps

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1607 [10.0.14393] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps

This policy setting specifies whether Windows apps can communicate with unpaired wireless devices.

You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can communicate with unpaired wireless devices by using Settings > Privacy on the device.

If you choose the "Force Allow" option, Windows apps are allowed to communicate with unpaired wireless devices and employees in your organization can't change it.

If you choose the "Force Deny" option, Windows apps aren't allowed to communicate with unpaired wireless devices and employees in your organization can't change it.

If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can communicate with unpaired wireless devices by using Settings > Privacy on the device.

If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ;)

Group policy mapping:

Name Value
Name LetAppsSyncWithDevices
Friendly Name Let Windows apps communicate with unpaired devices
Location Computer Configuration
Path Windows Components > App Privacy
Registry Key Name Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name AppPrivacy.admx
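
The per-app override rule described for the App Privacy policies above, written out as an added PowerShell example (not Microsoft's code): it resolves the effective setting for one Package Family Name from a default value and the three `;`-delimited list policies. The function names and the sample package names are constructed for illustration, and reporting an app that appears in more than one list as ambiguous is this example's choice, because the page doesn't say how such an overlap is resolved.

```powershell
# Added example. Values follow the page: 0 = user in control, 1 = force allow, 2 = force deny.

function ConvertTo-PfnList {
    param([string]$Value)
    # The list policies are strings with ';' as the delimiter; drop blanks and padding.
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    return @($Value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Resolve-AppPrivacySetting {
    param(
        [Parameter(Mandatory)][string]$PackageFamilyName,
        [ValidateRange(0, 2)][int]$Default = 0,      # "Default for all apps"
        [string]$ForceAllowTheseApps,
        [string]$ForceDenyTheseApps,
        [string]$UserInControlOfTheseApps
    )

    $label = @('User in control', 'Force allow', 'Force deny')   # indexed by policy value
    $lists = @(
        [pscustomobject]@{ Policy = 'ForceAllowTheseApps'; Value = 1
                           Apps   = @(ConvertTo-PfnList $ForceAllowTheseApps) }
        [pscustomobject]@{ Policy = 'ForceDenyTheseApps'; Value = 2
                           Apps   = @(ConvertTo-PfnList $ForceDenyTheseApps) }
        [pscustomobject]@{ Policy = 'UserInControlOfTheseApps'; Value = 0
                           Apps   = @(ConvertTo-PfnList $UserInControlOfTheseApps) }
    )

    # -contains compares strings case-insensitively; that is a choice of this example.
    $hits = @($lists | Where-Object { $_.Apps -contains $PackageFamilyName })

    if ($hits.Count -gt 1) {
        # The page does not define precedence between lists, so flag it for review.
        $effective = 'Ambiguous'
        $source    = 'Listed in: ' + ($hits.Policy -join ', ')
    }
    elseif ($hits.Count -eq 1) {
        # A per-app setting overrides the default setting.
        $effective = $label[$hits[0].Value]
        $source    = 'Per-app: ' + $hits[0].Policy
    }
    else {
        $effective = $label[$Default]
        $source    = 'Default for all apps'
    }

    [pscustomobject]@{
        PackageFamilyName = $PackageFamilyName
        Effective         = $effective
        Source            = $source
    }
}

# Constructed sample policy: deny by default, with per-app exceptions.
# Contoso.Chat is deliberately placed in two lists to show the ambiguity report.
$policy = @{
    Default                  = 2
    ForceAllowTheseApps      = 'Contoso.Mail_abcdefgh12345; Contoso.Chat_abcdefgh12345'
    ForceDenyTheseApps       = 'Contoso.Chat_abcdefgh12345'
    UserInControlOfTheseApps = 'Fabrikam.Notes_hjkmnpqr67890;'
}

# Constructed Package Family Names, not real apps.
$apps = 'Contoso.Mail_abcdefgh12345', 'Contoso.Chat_abcdefgh12345',
        'Fabrikam.Notes_hjkmnpqr67890', 'Fabrikam.Game_hjkmnpqr67890'

$apps |
    ForEach-Object { Resolve-AppPrivacySetting -PackageFamilyName $_ @policy } |
    Format-Table -AutoSize
```

To check a real device, pass the `PackageFamilyName` property of each app returned by `Get-AppPackage` in place of the constructed names.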

PublishUserActivities

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/PublishUserActivities

This policy setting determines whether User Activities can be published.

  • If you enable this policy setting, activities of type User Activity are allowed to be published.

  • If you disable this policy setting, activities of type User Activity aren't allowed to be published.

Policy change takes effect immediately.

For more information, see Windows activity history and your privacy.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 Disabled. Apps/OS can't publish the user activities.
1 (Default) Enabled. Apps/OS can publish the user activities.

Group policy mapping:

Name Value
Name PublishUserActivities
Friendly Name Allow publishing of User Activities
Location Computer Configuration
Path System > OS Policies
Registry Key Name Software\Policies\Microsoft\Windows\System
Registry Value Name PublishUserActivities
ADMX File Name OSPolicy.admx

UploadUserActivities

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 [10.0.17134] and later
./Device/Vendor/MSFT/Policy/Config/Privacy/UploadUserActivities

This policy setting determines whether published User Activities can be uploaded.

  • If you enable this policy setting, activities of type User Activity are allowed to be uploaded.

  • If you disable this policy setting, activities of type User Activity aren't allowed to be uploaded.

Deletion of activities of type User Activity is independent of this setting.

Policy change takes effect immediately.

For more information, see Windows activity history and your privacy.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
0 Not allowed.
1 (Default) Allowed.

Group policy mapping:

Name Value
Name UploadUserActivities
Friendly Name Allow upload of User Activities
Location Computer Configuration
Path System > OS Policies
Registry Key Name Software\Policies\Microsoft\Windows\System
Registry Value Name UploadUserActivities
ADMX File Name OSPolicy.admx
