IntuneSecurityBaselineWindows10

Parameters

Parameter	Attribute	DataType	Description	Allowed Values
Description	Write	String	Policy description
DisplayName	Key	String	Policy name
RoleScopeTagIds	Write	StringArray[]	List of Scope Tags for this Entity instance.
Id	Write	String	The unique identifier for an entity. Read-only.
DeviceSettings	Write	MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10	The policy settings for the device scope.
UserSettings	Write	MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10	The policy settings for the user scope.
Assignments	Write	MSFT_DeviceManagementConfigurationPolicyAssignments[]	Represents the assignment to the Intune policy.
Ensure	Write	String	Present ensures the policy exists, absent ensures it is removed.	Present, Absent
Credential	Write	PSCredential	Credentials of the Admin
ApplicationId	Write	String	Id of the Azure Active Directory application to authenticate with.
TenantId	Write	String	Id of the Azure Active Directory tenant used for authentication.
ApplicationSecret	Write	PSCredential	Secret of the Azure Active Directory tenant used for authentication.
CertificateThumbprint	Write	String	Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
ManagedIdentity	Write	Boolean	Managed ID being used for authentication.
AccessTokens	Write	StringArray[]	Access token used for authentication.

MSFT_DeviceManagementConfigurationPolicyAssignments

Parameters

Parameter	Attribute	DataType	Description	Allowed Values
dataType	Write	String	The type of the target assignment.	#microsoft.graph.cloudPcManagementGroupAssignmentTarget, #microsoft.graph.groupAssignmentTarget, #microsoft.graph.allLicensedUsersAssignmentTarget, #microsoft.graph.allDevicesAssignmentTarget, #microsoft.graph.exclusionGroupAssignmentTarget, #microsoft.graph.configurationManagerCollectionAssignmentTarget
deviceAndAppManagementAssignmentFilterType	Write	String	The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude.	none, include, exclude
deviceAndAppManagementAssignmentFilterId	Write	String	The Id of the filter for the target assignment.
deviceAndAppManagementAssignmentFilterDisplayName	Write	String	The display name of the filter for the target assignment.
groupId	Write	String	The group Id that is the target of the assignment.
groupDisplayName	Write	String	The group Display Name that is the target of the assignment.
collectionId	Write	String	The collection Id that is the target of the assignment.(ConfigMgr)

MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths

Parameters

Parameter	Attribute	DataType	Description	Allowed Values
value	Write	String	Value
key	Write	String	Name

MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10

Parameters

Parameter	Attribute	DataType	Description	Allowed Values
CPL_Personalization_NoLockScreenCamera	Write	SInt32	Prevent enabling lock screen camera (0: Disabled, 1: Enabled)	0, 1
CPL_Personalization_NoLockScreenSlideshow	Write	SInt32	Prevent enabling lock screen slide show (0: Disabled, 1: Enabled)	0, 1
Pol_SecGuide_0201_LATFP	Write	SInt32	Apply UAC restrictions to local accounts on network logons (0: Disabled, 1: Enabled)	0, 1
Pol_SecGuide_0002_SMBv1_ClientDriver	Write	SInt32	Configure SMB v1 client driver (0: Disabled, 1: Enabled)	0, 1
Pol_SecGuide_SMB1ClientDriver	Write	SInt32	Configure MrxSmb10 driver - Depends on Pol_SecGuide_0002_SMBv1_ClientDriver (4: Disable driver (recommended), 3: Manual start (default for Win7/2008/2008R2/2012), 2: Automatic start (default for Win8.1/2012R2/newer))	4, 3, 2
Pol_SecGuide_0001_SMBv1_Server	Write	SInt32	Configure SMB v1 server (0: Disabled, 1: Enabled)	0, 1
Pol_SecGuide_0102_SEHOP	Write	SInt32	Enable Structured Exception Handling Overwrite Protection (SEHOP) (0: Disabled, 1: Enabled)	0, 1
Pol_SecGuide_0202_WDigestAuthn	Write	SInt32	WDigest Authentication (disabling may require KB2871997) (0: Disabled, 1: Enabled)	0, 1
Pol_MSS_DisableIPSourceRoutingIPv6	Write	SInt32	MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) (0: Disabled, 1: Enabled)	0, 1
DisableIPSourceRoutingIPv6	Write	SInt32	DisableIPSourceRoutingIPv6 (Device) - Depends on Pol_MSS_DisableIPSourceRoutingIPv6 (0: No additional protection, source routed packets are allowed, 1: Medium, source routed packets ignored when IP forwarding is enabled, 2: Highest protection, source routing is completely disabled)	0, 1, 2
Pol_MSS_DisableIPSourceRouting	Write	SInt32	MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) (0: Disabled, 1: Enabled)	0, 1
DisableIPSourceRouting	Write	SInt32	DisableIPSourceRouting (Device) - Depends on Pol_MSS_DisableIPSourceRouting (0: No additional protection, source routed packets are allowed, 1: Medium, source routed packets ignored when IP forwarding is enabled, 2: Highest protection, source routing is completely disabled)	0, 1, 2
Pol_MSS_EnableICMPRedirect	Write	SInt32	MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes (0: Disabled, 1: Enabled)	0, 1
Pol_MSS_NoNameReleaseOnDemand	Write	SInt32	MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers (0: Disabled, 1: Enabled)	0, 1
Turn_Off_Multicast	Write	SInt32	Turn off multicast name resolution (0: Disabled, 1: Enabled)	0, 1
NC_ShowSharedAccessUI	Write	SInt32	Prohibit use of Internet Connection Sharing on your DNS domain network (0: Disabled, 1: Enabled)	0, 1
hardeneduncpaths_Pol_HardenedPaths	Write	SInt32	Hardened UNC Paths (0: Disabled, 1: Enabled)	0, 1
pol_hardenedpaths	Write	MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths[]	Hardened UNC Paths: (Device) - Depends on hardeneduncpaths_Pol_HardenedPaths
WCM_BlockNonDomain	Write	SInt32	Prohibit connection to non-domain networks when connected to domain authenticated network (0: Disabled, 1: Enabled)	0, 1
ConfigureRedirectionGuardPolicy	Write	SInt32	Configure Redirection Guard (0: Disabled, 1: Enabled)	0, 1
RedirectionGuardPolicy_Enum	Write	SInt32	Redirection Guard Options (Device) - Depends on ConfigureRedirectionGuardPolicy (0: Redirection Guard Disabled, 1: Redirection Guard Enabled, 2: Redirection Guard Audit Only)	0, 1, 2
ConfigureRpcConnectionPolicy	Write	SInt32	Configure RPC connection settings (0: Disabled, 1: Enabled)	0, 1
RpcConnectionAuthentication_Enum	Write	SInt32	Use authentication for outgoing RPC connections: (Device) - Depends on ConfigureRpcConnectionPolicy (0: Default, 1: Authentication enabled, 2: Authentication disabled)	0, 1, 2
RpcConnectionProtocol_Enum	Write	SInt32	Protocol to use for outgoing RPC connections: (Device) - Depends on ConfigureRpcConnectionPolicy (0: RPC over TCP, 1: RPC over named pipes)	0, 1
ConfigureRpcListenerPolicy	Write	SInt32	Configure RPC listener settings (0: Disabled, 1: Enabled)	0, 1
RpcAuthenticationProtocol_Enum	Write	SInt32	Authentication protocol to use for incoming RPC connections: (Device) - Depends on ConfigureRpcListenerPolicy (0: Negotiate, 1: Kerberos)	0, 1
RpcListenerProtocols_Enum	Write	SInt32	Protocols to allow for incoming RPC connections: (Device) - Depends on ConfigureRpcListenerPolicy (3: RPC over named pipes, 5: RPC over TCP, 7: RPC over named pipes and TCP)	3, 5, 7
ConfigureRpcTcpPort	Write	SInt32	Configure RPC over TCP port (0: Disabled, 1: Enabled)	0, 1
RpcTcpPort	Write	SInt32	RPC over TCP port: (Device) - Depends on ConfigureRpcTcpPort
RestrictDriverInstallationToAdministrators	Write	SInt32	Limits print driver installation to Administrators (0: Disabled, 1: Enabled)	0, 1
ConfigureCopyFilesPolicy	Write	SInt32	Manage processing of Queue-specific files (0: Disabled, 1: Enabled)	0, 1
CopyFilesPolicy_Enum	Write	SInt32	Manage processing of Queue-Specific files: (Device) - Depends on ConfigureCopyFilesPolicy (0: Do not allow Queue-specific files, 1: Limit Queue-specific files to Color profiles, 2: Allow all Queue-specific files)	0, 1, 2
AllowEncryptionOracle	Write	SInt32	Encryption Oracle Remediation (0: Disabled, 1: Enabled)	0, 1
AllowEncryptionOracleDrop	Write	SInt32	Protection Level: (Device) - Depends on AllowEncryptionOracle (0: Force Updated Clients, 1: Mitigated, 2: Vulnerable)	0, 1, 2
AllowProtectedCreds	Write	SInt32	Remote host allows delegation of non-exportable credentials (0: Disabled, 1: Enabled)	0, 1
DeviceInstall_Classes_Deny	Write	SInt32	Prevent installation of devices using drivers that match these device setup classes (0: Disabled, 1: Enabled)	0, 1
DeviceInstall_Classes_Deny_List	Write	StringArray[]	Prevented Classes - Depends on DeviceInstall_Classes_Deny
DeviceInstall_Classes_Deny_Retroactive	Write	SInt32	Also apply to matching devices that are already installed. - Depends on DeviceInstall_Classes_Deny (0: False, 1: True)	0, 1
POL_DriverLoadPolicy_Name	Write	SInt32	Boot-Start Driver Initialization Policy (0: Disabled, 1: Enabled)	0, 1
SelectDriverLoadPolicy	Write	SInt32	Choose the boot-start drivers that can be initialized: - Depends on POL_DriverLoadPolicy_Name (8: Good only, 1: Good and unknown, 3: Good, unknown and bad but critical, 7: All)	8, 1, 3, 7
CSE_Registry	Write	SInt32	Configure registry policy processing (0: Disabled, 1: Enabled)	0, 1
CSE_NOBACKGROUND10	Write	SInt32	Do not apply during periodic background processing (Device) - Depends on CSE_Registry (0: False, 1: True)	0, 1
CSE_NOCHANGES10	Write	SInt32	Process even if the Group Policy objects have not changed (Device) - Depends on CSE_Registry (0: False, 1: True)	0, 1
DisableWebPnPDownload_2	Write	SInt32	Turn off downloading of print drivers over HTTP (0: Disabled, 1: Enabled)	0, 1
ShellPreventWPWDownload_2	Write	SInt32	Turn off Internet download for Web publishing and online ordering wizards (0: Disabled, 1: Enabled)	0, 1
AllowCustomSSPsAPs	Write	SInt32	Allow Custom SSPs and APs to be loaded into LSASS (0: Disabled, 1: Enabled)	0, 1
AllowStandbyStatesDC_2	Write	SInt32	Allow standby states (S1-S3) when sleeping (on battery) (0: Disabled, 1: Enabled)	0, 1
AllowStandbyStatesAC_2	Write	SInt32	Allow standby states (S1-S3) when sleeping (plugged in) (0: Disabled, 1: Enabled)	0, 1
DCPromptForPasswordOnResume_2	Write	SInt32	Require a password when a computer wakes (on battery) (0: Disabled, 1: Enabled)	0, 1
ACPromptForPasswordOnResume_2	Write	SInt32	Require a password when a computer wakes (plugged in) (0: Disabled, 1: Enabled)	0, 1
RA_Solicit	Write	SInt32	Configure Solicited Remote Assistance (0: Disabled, 1: Enabled)	0, 1
RA_Solicit_ExpireUnits_List	Write	SInt32	Maximum ticket time (units): - Depends on RA_Solicit (0: Minutes, 1: Hours, 2: Days)	0, 1, 2
RA_Solicit_ExpireValue_Edt	Write	SInt32	Maximum ticket time (value): - Depends on RA_Solicit
RA_Solicit_Control_List	Write	SInt32	Permit remote control of this computer: - Depends on RA_Solicit (1: Allow helpers to remotely control the computer, 0: Allow helpers to only view the computer)	1, 0
RA_Solicit_Mailto_List	Write	SInt32	Method for sending email invitations: - Depends on RA_Solicit (0: Simple MAPI, 1: Mailto)	0, 1
RpcRestrictRemoteClients	Write	SInt32	Restrict Unauthenticated RPC clients (0: Disabled, 1: Enabled)	0, 1
RpcRestrictRemoteClientsList	Write	SInt32	RPC Runtime Unauthenticated Client Restriction to Apply: - Depends on RpcRestrictRemoteClients (0: None, 1: Authenticated, 2: Authenticated without exceptions)	0, 1, 2
AppxRuntimeMicrosoftAccountsOptional	Write	SInt32	Allow Microsoft accounts to be optional (0: Disabled, 1: Enabled)	0, 1
NoAutoplayfornonVolume	Write	SInt32	Disallow Autoplay for non-volume devices (0: Disabled, 1: Enabled)	0, 1
NoAutorun	Write	SInt32	Set the default behavior for AutoRun (0: Disabled, 1: Enabled)	0, 1
NoAutorun_Dropdown	Write	SInt32	Default AutoRun Behavior - Depends on NoAutorun (1: Do not execute any autorun commands, 2: Automatically execute autorun commands)	1, 2
Autorun	Write	SInt32	Turn off Autoplay (0: Disabled, 1: Enabled)	0, 1
Autorun_Box	Write	SInt32	Turn off Autoplay on: - Depends on Autorun (181: CD-ROM and removable media drives, 255: All drives)	181, 255
FDVDenyWriteAccess_Name	Write	SInt32	Deny write access to fixed drives not protected by BitLocker (0: Disabled, 1: Enabled)	0, 1
RDVDenyWriteAccess_Name	Write	SInt32	Deny write access to removable drives not protected by BitLocker (0: Disabled, 1: Enabled)	0, 1
RDVCrossOrg	Write	SInt32	Do not allow write access to devices configured in another organization - Depends on RDVDenyWriteAccess_Name (0: False, 1: True)	0, 1
EnumerateAdministrators	Write	SInt32	Enumerate administrator accounts on elevation (0: Disabled, 1: Enabled)	0, 1
Channel_LogMaxSize_1	Write	SInt32	Specify the maximum log file size (KB) (0: Disabled, 1: Enabled)	0, 1
Channel_LogMaxSize_1_Channel_LogMaxSize	Write	SInt32	Maximum Log Size (KB) - Depends on Channel_LogMaxSize_1
Channel_LogMaxSize_2	Write	SInt32	Specify the maximum log file size (KB) (0: Disabled, 1: Enabled)	0, 1
Channel_LogMaxSize_2_Channel_LogMaxSize	Write	SInt32	Maximum Log Size (KB) - Depends on Channel_LogMaxSize_2
Channel_LogMaxSize_4	Write	SInt32	Specify the maximum log file size (KB) (0: Disabled, 1: Enabled)	0, 1
Channel_LogMaxSize_4_Channel_LogMaxSize	Write	SInt32	Maximum Log Size (KB) - Depends on Channel_LogMaxSize_4
EnableSmartScreen	Write	SInt32	Configure Windows Defender SmartScreen (0: Disabled, 1: Enabled)	0, 1
EnableSmartScreenDropdown	Write	String	Pick one of the following settings: (Device) - Depends on EnableSmartScreen (block: Warn and prevent bypass, warn: Warn)	block, warn
NoDataExecutionPrevention	Write	SInt32	Turn off Data Execution Prevention for Explorer (0: Disabled, 1: Enabled)	0, 1
NoHeapTerminationOnCorruption	Write	SInt32	Turn off heap termination on corruption (0: Disabled, 1: Enabled)	0, 1
Advanced_InvalidSignatureBlock	Write	SInt32	Allow software to run or install even if the signature is invalid (0: Disabled, 1: Enabled)	0, 1
Advanced_CertificateRevocation	Write	SInt32	Check for server certificate revocation (0: Disabled, 1: Enabled)	0, 1
Advanced_DownloadSignatures	Write	SInt32	Check for signatures on downloaded programs (0: Disabled, 1: Enabled)	0, 1
Advanced_DisableEPMCompat	Write	SInt32	Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled (0: Disabled, 1: Enabled)	0, 1
Advanced_SetWinInetProtocols	Write	SInt32	Turn off encryption support (0: Disabled, 1: Enabled)	0, 1
Advanced_WinInetProtocolOptions	Write	String	Secure Protocol combinations - Depends on Advanced_SetWinInetProtocols (0: Use no secure protocols, 8: Only use SSL 2.0, 32: Only use SSL 3.0, 40: Use SSL 2.0 and SSL 3.0, 128: Only use TLS 1.0, 136: Use SSL 2.0 and TLS 1.0, 160: Use SSL 3.0 and TLS 1.0, 168: Use SSL 2.0, SSL 3.0, and TLS 1.0, 512: Only use TLS 1.1, 520: Use SSL 2.0 and TLS 1.1, 544: Use SSL 3.0 and TLS 1.1, 552: Use SSL 2.0, SSL 3.0, and TLS 1.1, 640: Use TLS 1.0 and TLS 1.1, 648: Use SSL 2.0, TLS 1.0, and TLS 1.1, 672: Use SSL 3.0, TLS 1.0, and TLS 1.1, 680: Use SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1, 2048: Only use TLS 1.2, 2056: Use SSL 2.0 and TLS 1.2, 2080: Use SSL 3.0 and TLS 1.2, 2088: Use SSL 2.0, SSL 3.0, and TLS 1.2, 2176: Use TLS 1.0 and TLS 1.2, 2184: Use SSL 2.0, TLS 1.0, and TLS 1.2, 2208: Use SSL 3.0, TLS 1.0, and TLS 1.2, 2216: Use SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.2, 2560: Use TLS 1.1 and TLS 1.2, 2568: Use SSL 2.0, TLS 1.1, and TLS 1.2, 2592: Use SSL 3.0, TLS 1.1, and TLS 1.2, 2600: Use SSL 2.0, SSL 3.0, TLS 1.1, and TLS 1.2, 2688: Use TLS 1.0, TLS 1.1, and TLS 1.2, 2696: Use SSL 2.0, TLS 1.0, TLS 1.1, and TLS 1.2, 2720: Use SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2, 2728: Use SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2, 8192: Only use TLS 1.3, 10240: Use TLS 1.2 and TLS 1.3, 10752: Use TLS 1.1, TLS 1.2, and TLS 1.3, 10880: Use TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3, 10912: Use SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3)	0, 8, 32, 40, 128, 136, 160, 168, 512, 520, 544, 552, 640, 648, 672, 680, 2048, 2056, 2080, 2088, 2176, 2184, 2208, 2216, 2560, 2568, 2592, 2600, 2688, 2696, 2720, 2728, 8192, 10240, 10752, 10880, 10912
Advanced_EnableEnhancedProtectedMode64Bit	Write	SInt32	Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows (0: Disabled, 1: Enabled)	0, 1
Advanced_EnableEnhancedProtectedMode	Write	SInt32	Turn on Enhanced Protected Mode (0: Disabled, 1: Enabled)	0, 1
NoCertError	Write	SInt32	Prevent ignoring certificate errors (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyAccessDataSourcesAcrossDomains_1	Write	SInt32	Access data sources across domains (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyAccessDataSourcesAcrossDomains_1_IZ_Partname1406	Write	SInt32	Access data sources across domains - Depends on IZ_PolicyAccessDataSourcesAcrossDomains_1 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyAllowPasteViaScript_1	Write	SInt32	Allow cut, copy or paste operations from the clipboard via script (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyAllowPasteViaScript_1_IZ_Partname1407	Write	SInt32	Allow paste operations via script - Depends on IZ_PolicyAllowPasteViaScript_1 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyDropOrPasteFiles_1	Write	SInt32	Allow drag and drop or copy and paste files (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyDropOrPasteFiles_1_IZ_Partname1802	Write	SInt32	Allow drag and drop or copy and paste files - Depends on IZ_PolicyDropOrPasteFiles_1 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_Policy_XAML_1	Write	SInt32	Allow loading of XAML files (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_XAML_1_IZ_Partname2402	Write	SInt32	XAML Files - Depends on IZ_Policy_XAML_1 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet	Write	SInt32	Allow only approved domains to use ActiveX controls without prompt (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet_IZ_Partname120b	Write	SInt32	Only allow approved domains to use ActiveX controls without prompt - Depends on IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet (3: Enable, 0: Disable)	3, 0
IZ_PolicyAllowTDCControl_Both_Internet	Write	SInt32	Allow only approved domains to use the TDC ActiveX control (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyAllowTDCControl_Both_Internet_IZ_Partname120c	Write	SInt32	Only allow approved domains to use the TDC ActiveX control - Depends on IZ_PolicyAllowTDCControl_Both_Internet (3: Enable, 0: Disable)	3, 0
IZ_PolicyWindowsRestrictionsURLaction_1	Write	SInt32	Allow script-initiated windows without size or position constraints (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyWindowsRestrictionsURLaction_1_IZ_Partname2102	Write	SInt32	Allow script-initiated windows without size or position constraints - Depends on IZ_PolicyWindowsRestrictionsURLaction_1 (0: Enable, 3: Disable)	0, 3
IZ_Policy_WebBrowserControl_1	Write	SInt32	Allow scripting of Internet Explorer WebBrowser controls (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_WebBrowserControl_1_IZ_Partname1206	Write	SInt32	Internet Explorer web browser control - Depends on IZ_Policy_WebBrowserControl_1 (0: Enable, 3: Disable)	0, 3
IZ_Policy_AllowScriptlets_1	Write	SInt32	Allow scriptlets (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_AllowScriptlets_1_IZ_Partname1209	Write	SInt32	Scriptlets - Depends on IZ_Policy_AllowScriptlets_1 (0: Enable, 3: Disable)	0, 3
IZ_Policy_ScriptStatusBar_1	Write	SInt32	Allow updates to status bar via script (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_ScriptStatusBar_1_IZ_Partname2103	Write	SInt32	Status bar updates via script - Depends on IZ_Policy_ScriptStatusBar_1 (0: Enable, 3: Disable)	0, 3
IZ_PolicyAllowVBScript_1	Write	SInt32	Allow VBScript to run in Internet Explorer (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyAllowVBScript_1_IZ_Partname140C	Write	SInt32	Allow VBScript to run in Internet Explorer - Depends on IZ_PolicyAllowVBScript_1 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyNotificationBarDownloadURLaction_1	Write	SInt32	Automatic prompting for file downloads (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyNotificationBarDownloadURLaction_1_IZ_Partname2200	Write	SInt32	Automatic prompting for file downloads - Depends on IZ_PolicyNotificationBarDownloadURLaction_1 (0: Enable, 3: Disable)	0, 3
IZ_PolicyAntiMalwareCheckingOfActiveXControls_1	Write	SInt32	Don't run antimalware programs against ActiveX controls (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyAntiMalwareCheckingOfActiveXControls_1_IZ_Partname270C	Write	SInt32	Don't run antimalware programs against ActiveX controls - Depends on IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 (3: Enable, 0: Disable)	3, 0
IZ_PolicyDownloadSignedActiveX_1	Write	SInt32	Download signed ActiveX controls (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyDownloadSignedActiveX_1_IZ_Partname1001	Write	SInt32	Download signed ActiveX controls - Depends on IZ_PolicyDownloadSignedActiveX_1 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyDownloadUnsignedActiveX_1	Write	SInt32	Download unsigned ActiveX controls (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyDownloadUnsignedActiveX_1_IZ_Partname1004	Write	SInt32	Download unsigned ActiveX controls - Depends on IZ_PolicyDownloadUnsignedActiveX_1 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet	Write	SInt32	Enable dragging of content from different domains across windows (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet_IZ_Partname2709	Write	SInt32	Enable dragging of content from different domains across windows - Depends on IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet (0: Enable, 3: Disable)	0, 3
IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet	Write	SInt32	Enable dragging of content from different domains within a window (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet_IZ_Partname2708	Write	SInt32	Enable dragging of content from different domains within a window - Depends on IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet (0: Enable, 3: Disable)	0, 3
IZ_Policy_LocalPathForUpload_1	Write	SInt32	Include local path when user is uploading files to a server (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_LocalPathForUpload_1_IZ_Partname160A	Write	SInt32	Include local directory path when uploading files to a server - Depends on IZ_Policy_LocalPathForUpload_1 (0: Enable, 3: Disable)	0, 3
IZ_PolicyScriptActiveXNotMarkedSafe_1	Write	SInt32	Initialize and script ActiveX controls not marked as safe (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyScriptActiveXNotMarkedSafe_1_IZ_Partname1201	Write	SInt32	Initialize and script ActiveX controls not marked as safe - Depends on IZ_PolicyScriptActiveXNotMarkedSafe_1 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyJavaPermissions_1	Write	SInt32	Java permissions (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyJavaPermissions_1_IZ_Partname1C00	Write	String	Java permissions - Depends on IZ_PolicyJavaPermissions_1 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)	65536, 131072, 196608, 8388608, 0
IZ_PolicyLaunchAppsAndFilesInIFRAME_1	Write	SInt32	Launching applications and files in an IFRAME (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyLaunchAppsAndFilesInIFRAME_1_IZ_Partname1804	Write	SInt32	Launching applications and files in an IFRAME - Depends on IZ_PolicyLaunchAppsAndFilesInIFRAME_1 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyLogon_1	Write	SInt32	Logon options (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyLogon_1_IZ_Partname1A00	Write	String	Logon options - Depends on IZ_PolicyLogon_1 (196608: Anonymous logon, 131072: Automatic logon only in Intranet zone, 0: Automatic logon with current username and password, 65536: Prompt for user name and password)	196608, 131072, 0, 65536
IZ_PolicyNavigateSubframesAcrossDomains_1	Write	SInt32	Navigate windows and frames across different domains (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyNavigateSubframesAcrossDomains_1_IZ_Partname1607	Write	SInt32	Navigate windows and frames across different domains - Depends on IZ_PolicyNavigateSubframesAcrossDomains_1 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyUnsignedFrameworkComponentsURLaction_1	Write	SInt32	Run .NET Framework-reliant components not signed with Authenticode (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyUnsignedFrameworkComponentsURLaction_1_IZ_Partname2004	Write	SInt32	Run .NET Framework-reliant components not signed with Authenticode - Depends on IZ_PolicyUnsignedFrameworkComponentsURLaction_1 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicySignedFrameworkComponentsURLaction_1	Write	SInt32	Run .NET Framework-reliant components signed with Authenticode (0: Disabled, 1: Enabled)	0, 1
IZ_PolicySignedFrameworkComponentsURLaction_1_IZ_Partname2001	Write	SInt32	Run .NET Framework-reliant components signed with Authenticode - Depends on IZ_PolicySignedFrameworkComponentsURLaction_1 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_Policy_UnsafeFiles_1	Write	SInt32	Show security warning for potentially unsafe files (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_UnsafeFiles_1_IZ_Partname1806	Write	SInt32	Launching programs and unsafe files - Depends on IZ_Policy_UnsafeFiles_1 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyTurnOnXSSFilter_Both_Internet	Write	SInt32	Turn on Cross-Site Scripting Filter (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyTurnOnXSSFilter_Both_Internet_IZ_Partname1409	Write	SInt32	Turn on Cross-Site Scripting (XSS) Filter - Depends on IZ_PolicyTurnOnXSSFilter_Both_Internet (0: Enable, 3: Disable)	0, 3
IZ_Policy_TurnOnProtectedMode_1	Write	SInt32	Turn on Protected Mode (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_TurnOnProtectedMode_1_IZ_Partname2500	Write	SInt32	Protected Mode - Depends on IZ_Policy_TurnOnProtectedMode_1 (0: Enable, 3: Disable)	0, 3
IZ_Policy_Phishing_1	Write	SInt32	Turn on SmartScreen Filter scan (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_Phishing_1_IZ_Partname2301	Write	SInt32	Use SmartScreen Filter - Depends on IZ_Policy_Phishing_1 (0: Enable, 3: Disable)	0, 3
IZ_PolicyBlockPopupWindows_1	Write	SInt32	Use Pop-up Blocker (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyBlockPopupWindows_1_IZ_Partname1809	Write	SInt32	Use Pop-up Blocker - Depends on IZ_PolicyBlockPopupWindows_1 (0: Enable, 3: Disable)	0, 3
IZ_PolicyUserdataPersistence_1	Write	SInt32	Userdata persistence (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyUserdataPersistence_1_IZ_Partname1606	Write	SInt32	Userdata persistence - Depends on IZ_PolicyUserdataPersistence_1 (0: Enable, 3: Disable)	0, 3
IZ_PolicyZoneElevationURLaction_1	Write	SInt32	Web sites in less privileged Web content zones can navigate into this zone (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyZoneElevationURLaction_1_IZ_Partname2101	Write	SInt32	Web sites in less privileged Web content zones can navigate into this zone - Depends on IZ_PolicyZoneElevationURLaction_1 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_UNCAsIntranet	Write	SInt32	Intranet Sites: Include all network paths (UNCs) (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyAntiMalwareCheckingOfActiveXControls_3	Write	SInt32	Don't run antimalware programs against ActiveX controls (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyAntiMalwareCheckingOfActiveXControls_3_IZ_Partname270C	Write	SInt32	Don't run antimalware programs against ActiveX controls - Depends on IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 (3: Enable, 0: Disable)	3, 0
IZ_PolicyScriptActiveXNotMarkedSafe_3	Write	SInt32	Initialize and script ActiveX controls not marked as safe (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyScriptActiveXNotMarkedSafe_3_IZ_Partname1201	Write	SInt32	Initialize and script ActiveX controls not marked as safe - Depends on IZ_PolicyScriptActiveXNotMarkedSafe_3 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyJavaPermissions_3	Write	SInt32	Java permissions (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyJavaPermissions_3_IZ_Partname1C00	Write	String	Java permissions - Depends on IZ_PolicyJavaPermissions_3 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)	65536, 131072, 196608, 8388608, 0
IZ_PolicyAntiMalwareCheckingOfActiveXControls_9	Write	SInt32	Don't run antimalware programs against ActiveX controls (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyAntiMalwareCheckingOfActiveXControls_9_IZ_Partname270C	Write	SInt32	Don't run antimalware programs against ActiveX controls - Depends on IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 (3: Enable, 0: Disable)	3, 0
IZ_PolicyJavaPermissions_9	Write	SInt32	Java permissions (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyJavaPermissions_9_IZ_Partname1C00	Write	String	Java permissions - Depends on IZ_PolicyJavaPermissions_9 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)	65536, 131072, 196608, 8388608, 0
IZ_Policy_Phishing_2	Write	SInt32	Turn on SmartScreen Filter scan (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_Phishing_2_IZ_Partname2301	Write	SInt32	Use SmartScreen Filter - Depends on IZ_Policy_Phishing_2 (0: Enable, 3: Disable)	0, 3
IZ_PolicyJavaPermissions_4	Write	SInt32	Java permissions (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyJavaPermissions_4_IZ_Partname1C00	Write	String	Java permissions - Depends on IZ_PolicyJavaPermissions_4 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)	65536, 131072, 196608, 8388608, 0
IZ_PolicyJavaPermissions_10	Write	SInt32	Java permissions (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyJavaPermissions_10_IZ_Partname1C00	Write	String	Java permissions - Depends on IZ_PolicyJavaPermissions_10 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)	65536, 131072, 196608, 8388608, 0
IZ_PolicyJavaPermissions_8	Write	SInt32	Java permissions (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyJavaPermissions_8_IZ_Partname1C00	Write	String	Java permissions - Depends on IZ_PolicyJavaPermissions_8 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)	65536, 131072, 196608, 8388608, 0
IZ_Policy_Phishing_8	Write	SInt32	Turn on SmartScreen Filter scan (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_Phishing_8_IZ_Partname2301	Write	SInt32	Use SmartScreen Filter - Depends on IZ_Policy_Phishing_8 (0: Enable, 3: Disable)	0, 3
IZ_PolicyJavaPermissions_6	Write	SInt32	Java permissions (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyJavaPermissions_6_IZ_Partname1C00	Write	String	Java permissions - Depends on IZ_PolicyJavaPermissions_6 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)	65536, 131072, 196608, 8388608, 0
IZ_PolicyAccessDataSourcesAcrossDomains_7	Write	SInt32	Access data sources across domains (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyAccessDataSourcesAcrossDomains_7_IZ_Partname1406	Write	SInt32	Access data sources across domains - Depends on IZ_PolicyAccessDataSourcesAcrossDomains_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyActiveScripting_7	Write	SInt32	Allow active scripting (0: Disabled, 1: Enabled)	0, 1
IZ_Partname1400	Write	SInt32	Allow active scripting - Depends on IZ_PolicyActiveScripting_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyBinaryBehaviors_7	Write	SInt32	Allow binary and script behaviors (0: Disabled, 1: Enabled)	0, 1
IZ_Partname2000	Write	SInt32	Allow Binary and Script Behaviors - Depends on IZ_PolicyBinaryBehaviors_7 (0: Enable, 65536: Administrator approved, 3: Disable)	0, 65536, 3
IZ_PolicyAllowPasteViaScript_7	Write	SInt32	Allow cut, copy or paste operations from the clipboard via script (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyAllowPasteViaScript_7_IZ_Partname1407	Write	SInt32	Allow paste operations via script - Depends on IZ_PolicyAllowPasteViaScript_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyDropOrPasteFiles_7	Write	SInt32	Allow drag and drop or copy and paste files (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyDropOrPasteFiles_7_IZ_Partname1802	Write	SInt32	Allow drag and drop or copy and paste files - Depends on IZ_PolicyDropOrPasteFiles_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyFileDownload_7	Write	SInt32	Allow file downloads (0: Disabled, 1: Enabled)	0, 1
IZ_Partname1803	Write	SInt32	Allow file downloads - Depends on IZ_PolicyFileDownload_7 (0: Enable, 3: Disable)	0, 3
IZ_Policy_XAML_7	Write	SInt32	Allow loading of XAML files (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_XAML_7_IZ_Partname2402	Write	SInt32	XAML Files - Depends on IZ_Policy_XAML_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyAllowMETAREFRESH_7	Write	SInt32	Allow META REFRESH (0: Disabled, 1: Enabled)	0, 1
IZ_Partname1608	Write	SInt32	Allow META REFRESH - Depends on IZ_PolicyAllowMETAREFRESH_7 (0: Enable, 3: Disable)	0, 3
IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted	Write	SInt32	Allow only approved domains to use ActiveX controls without prompt (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted_IZ_Partname120b	Write	SInt32	Only allow approved domains to use ActiveX controls without prompt - Depends on IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted (3: Enable, 0: Disable)	3, 0
IZ_PolicyAllowTDCControl_Both_Restricted	Write	SInt32	Allow only approved domains to use the TDC ActiveX control (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyAllowTDCControl_Both_Restricted_IZ_Partname120c	Write	SInt32	Only allow approved domains to use the TDC ActiveX control - Depends on IZ_PolicyAllowTDCControl_Both_Restricted (3: Enable, 0: Disable)	3, 0
IZ_PolicyWindowsRestrictionsURLaction_7	Write	SInt32	Allow script-initiated windows without size or position constraints (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyWindowsRestrictionsURLaction_7_IZ_Partname2102	Write	SInt32	Allow script-initiated windows without size or position constraints - Depends on IZ_PolicyWindowsRestrictionsURLaction_7 (0: Enable, 3: Disable)	0, 3
IZ_Policy_WebBrowserControl_7	Write	SInt32	Allow scripting of Internet Explorer WebBrowser controls (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_WebBrowserControl_7_IZ_Partname1206	Write	SInt32	Internet Explorer web browser control - Depends on IZ_Policy_WebBrowserControl_7 (0: Enable, 3: Disable)	0, 3
IZ_Policy_AllowScriptlets_7	Write	SInt32	Allow scriptlets (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_AllowScriptlets_7_IZ_Partname1209	Write	SInt32	Scriptlets - Depends on IZ_Policy_AllowScriptlets_7 (0: Enable, 3: Disable)	0, 3
IZ_Policy_ScriptStatusBar_7	Write	SInt32	Allow updates to status bar via script (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_ScriptStatusBar_7_IZ_Partname2103	Write	SInt32	Status bar updates via script - Depends on IZ_Policy_ScriptStatusBar_7 (0: Enable, 3: Disable)	0, 3
IZ_PolicyAllowVBScript_7	Write	SInt32	Allow VBScript to run in Internet Explorer (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyAllowVBScript_7_IZ_Partname140C	Write	SInt32	Allow VBScript to run in Internet Explorer - Depends on IZ_PolicyAllowVBScript_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyNotificationBarDownloadURLaction_7	Write	SInt32	Automatic prompting for file downloads (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyNotificationBarDownloadURLaction_7_IZ_Partname2200	Write	SInt32	Automatic prompting for file downloads - Depends on IZ_PolicyNotificationBarDownloadURLaction_7 (0: Enable, 3: Disable)	0, 3
IZ_PolicyAntiMalwareCheckingOfActiveXControls_7	Write	SInt32	Don't run antimalware programs against ActiveX controls (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyAntiMalwareCheckingOfActiveXControls_7_IZ_Partname270C	Write	SInt32	Don't run antimalware programs against ActiveX controls - Depends on IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 (3: Enable, 0: Disable)	3, 0
IZ_PolicyDownloadSignedActiveX_7	Write	SInt32	Download signed ActiveX controls (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyDownloadSignedActiveX_7_IZ_Partname1001	Write	SInt32	Download signed ActiveX controls - Depends on IZ_PolicyDownloadSignedActiveX_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyDownloadUnsignedActiveX_7	Write	SInt32	Download unsigned ActiveX controls (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyDownloadUnsignedActiveX_7_IZ_Partname1004	Write	SInt32	Download unsigned ActiveX controls - Depends on IZ_PolicyDownloadUnsignedActiveX_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted	Write	SInt32	Enable dragging of content from different domains across windows (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted_IZ_Partname2709	Write	SInt32	Enable dragging of content from different domains across windows - Depends on IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted (0: Enable, 3: Disable)	0, 3
IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted	Write	SInt32	Enable dragging of content from different domains within a window (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted_IZ_Partname2708	Write	SInt32	Enable dragging of content from different domains within a window - Depends on IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted (0: Enable, 3: Disable)	0, 3
IZ_Policy_LocalPathForUpload_7	Write	SInt32	Include local path when user is uploading files to a server (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_LocalPathForUpload_7_IZ_Partname160A	Write	SInt32	Include local directory path when uploading files to a server - Depends on IZ_Policy_LocalPathForUpload_7 (0: Enable, 3: Disable)	0, 3
IZ_PolicyScriptActiveXNotMarkedSafe_7	Write	SInt32	Initialize and script ActiveX controls not marked as safe (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyScriptActiveXNotMarkedSafe_7_IZ_Partname1201	Write	SInt32	Initialize and script ActiveX controls not marked as safe - Depends on IZ_PolicyScriptActiveXNotMarkedSafe_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyJavaPermissions_7	Write	SInt32	Java permissions (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyJavaPermissions_7_IZ_Partname1C00	Write	String	Java permissions - Depends on IZ_PolicyJavaPermissions_7 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)	65536, 131072, 196608, 8388608, 0
IZ_PolicyLaunchAppsAndFilesInIFRAME_7	Write	SInt32	Launching applications and files in an IFRAME (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyLaunchAppsAndFilesInIFRAME_7_IZ_Partname1804	Write	SInt32	Launching applications and files in an IFRAME - Depends on IZ_PolicyLaunchAppsAndFilesInIFRAME_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyLogon_7	Write	SInt32	Logon options (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyLogon_7_IZ_Partname1A00	Write	String	Logon options - Depends on IZ_PolicyLogon_7 (196608: Anonymous logon, 131072: Automatic logon only in Intranet zone, 0: Automatic logon with current username and password, 65536: Prompt for user name and password)	196608, 131072, 0, 65536
IZ_PolicyNavigateSubframesAcrossDomains_7	Write	SInt32	Navigate windows and frames across different domains (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyNavigateSubframesAcrossDomains_7_IZ_Partname1607	Write	SInt32	Navigate windows and frames across different domains - Depends on IZ_PolicyNavigateSubframesAcrossDomains_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyUnsignedFrameworkComponentsURLaction_7	Write	SInt32	Run .NET Framework-reliant components not signed with Authenticode (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyUnsignedFrameworkComponentsURLaction_7_IZ_Partname2004	Write	SInt32	Run .NET Framework-reliant components not signed with Authenticode - Depends on IZ_PolicyUnsignedFrameworkComponentsURLaction_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicySignedFrameworkComponentsURLaction_7	Write	SInt32	Run .NET Framework-reliant components signed with Authenticode (0: Disabled, 1: Enabled)	0, 1
IZ_PolicySignedFrameworkComponentsURLaction_7_IZ_Partname2001	Write	SInt32	Run .NET Framework-reliant components signed with Authenticode - Depends on IZ_PolicySignedFrameworkComponentsURLaction_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyRunActiveXControls_7	Write	SInt32	Run ActiveX controls and plugins (0: Disabled, 1: Enabled)	0, 1
IZ_Partname1200	Write	SInt32	Run ActiveX controls and plugins - Depends on IZ_PolicyRunActiveXControls_7 (65536: Administrator approved, 0: Enable, 3: Disable, 1: Prompt)	65536, 0, 3, 1
IZ_PolicyScriptActiveXMarkedSafe_7	Write	SInt32	Script ActiveX controls marked safe for scripting (0: Disabled, 1: Enabled)	0, 1
IZ_Partname1405	Write	SInt32	Script ActiveX controls marked safe for scripting - Depends on IZ_PolicyScriptActiveXMarkedSafe_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyScriptingOfJavaApplets_7	Write	SInt32	Scripting of Java applets (0: Disabled, 1: Enabled)	0, 1
IZ_Partname1402	Write	SInt32	Scripting of Java applets - Depends on IZ_PolicyScriptingOfJavaApplets_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_Policy_UnsafeFiles_7	Write	SInt32	Show security warning for potentially unsafe files (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_UnsafeFiles_7_IZ_Partname1806	Write	SInt32	Launching programs and unsafe files - Depends on IZ_Policy_UnsafeFiles_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyTurnOnXSSFilter_Both_Restricted	Write	SInt32	Turn on Cross-Site Scripting Filter (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyTurnOnXSSFilter_Both_Restricted_IZ_Partname1409	Write	SInt32	Turn on Cross-Site Scripting (XSS) Filter - Depends on IZ_PolicyTurnOnXSSFilter_Both_Restricted (0: Enable, 3: Disable)	0, 3
IZ_Policy_TurnOnProtectedMode_7	Write	SInt32	Turn on Protected Mode (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_TurnOnProtectedMode_7_IZ_Partname2500	Write	SInt32	Protected Mode - Depends on IZ_Policy_TurnOnProtectedMode_7 (0: Enable, 3: Disable)	0, 3
IZ_Policy_Phishing_7	Write	SInt32	Turn on SmartScreen Filter scan (0: Disabled, 1: Enabled)	0, 1
IZ_Policy_Phishing_7_IZ_Partname2301	Write	SInt32	Use SmartScreen Filter - Depends on IZ_Policy_Phishing_7 (0: Enable, 3: Disable)	0, 3
IZ_PolicyBlockPopupWindows_7	Write	SInt32	Use Pop-up Blocker (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyBlockPopupWindows_7_IZ_Partname1809	Write	SInt32	Use Pop-up Blocker - Depends on IZ_PolicyBlockPopupWindows_7 (0: Enable, 3: Disable)	0, 3
IZ_PolicyUserdataPersistence_7	Write	SInt32	Userdata persistence (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyUserdataPersistence_7_IZ_Partname1606	Write	SInt32	Userdata persistence - Depends on IZ_PolicyUserdataPersistence_7 (0: Enable, 3: Disable)	0, 3
IZ_PolicyZoneElevationURLaction_7	Write	SInt32	Web sites in less privileged Web content zones can navigate into this zone (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyZoneElevationURLaction_7_IZ_Partname2101	Write	SInt32	Web sites in less privileged Web content zones can navigate into this zone - Depends on IZ_PolicyZoneElevationURLaction_7 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyAntiMalwareCheckingOfActiveXControls_5	Write	SInt32	Don't run antimalware programs against ActiveX controls (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyAntiMalwareCheckingOfActiveXControls_5_IZ_Partname270C	Write	SInt32	Don't run antimalware programs against ActiveX controls - Depends on IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 (3: Enable, 0: Disable)	3, 0
IZ_PolicyScriptActiveXNotMarkedSafe_5	Write	SInt32	Initialize and script ActiveX controls not marked as safe (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyScriptActiveXNotMarkedSafe_5_IZ_Partname1201	Write	SInt32	Initialize and script ActiveX controls not marked as safe - Depends on IZ_PolicyScriptActiveXNotMarkedSafe_5 (0: Enable, 3: Disable, 1: Prompt)	0, 3, 1
IZ_PolicyJavaPermissions_5	Write	SInt32	Java permissions (0: Disabled, 1: Enabled)	0, 1
IZ_PolicyJavaPermissions_5_IZ_Partname1C00	Write	String	Java permissions - Depends on IZ_PolicyJavaPermissions_5 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)	65536, 131072, 196608, 8388608, 0
IZ_PolicyWarnCertMismatch	Write	SInt32	Turn on certificate address mismatch warning (0: Disabled, 1: Enabled)	0, 1
DisableSafetyFilterOverride	Write	SInt32	Prevent bypassing SmartScreen Filter warnings (0: Disabled, 1: Enabled)	0, 1
DisableSafetyFilterOverrideForAppRepUnknown	Write	SInt32	Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet (0: Disabled, 1: Enabled)	0, 1
Disable_Managing_Safety_Filter_IE9	Write	SInt32	Prevent managing SmartScreen Filter (0: Disabled, 1: Enabled)	0, 1
IE9SafetyFilterOptions	Write	SInt32	Select SmartScreen Filter mode - Depends on Disable_Managing_Safety_Filter_IE9 (0: Off, 1: On)	0, 1
DisablePerUserActiveXInstall	Write	SInt32	Prevent per-user installation of ActiveX controls (0: Disabled, 1: Enabled)	0, 1
VerMgmtDisableRunThisTime	Write	SInt32	Remove 'Run this time' button for outdated ActiveX controls in Internet Explorer (0: Disabled, 1: Enabled)	0, 1
VerMgmtDisable	Write	SInt32	Turn off blocking of outdated ActiveX controls for Internet Explorer (0: Disabled, 1: Enabled)	0, 1
Advanced_EnableSSL3Fallback	Write	SInt32	Allow fallback to SSL 3.0 (Internet Explorer) (0: Disabled, 1: Enabled)	0, 1
Advanced_EnableSSL3FallbackOptions	Write	SInt32	Allow insecure fallback for: - Depends on Advanced_EnableSSL3Fallback (0: No Sites, 1: Non-Protected Mode Sites, 3: All Sites)	0, 1, 3
IESF_PolicyExplorerProcesses_5	Write	SInt32	Internet Explorer Processes (0: Disabled, 1: Enabled)	0, 1
IESF_PolicyExplorerProcesses_6	Write	SInt32	Internet Explorer Processes (0: Disabled, 1: Enabled)	0, 1
IESF_PolicyExplorerProcesses_3	Write	SInt32	Internet Explorer Processes (0: Disabled, 1: Enabled)	0, 1
IESF_PolicyExplorerProcesses_10	Write	SInt32	Internet Explorer Processes (0: Disabled, 1: Enabled)	0, 1
IESF_PolicyExplorerProcesses_9	Write	SInt32	Internet Explorer Processes (0: Disabled, 1: Enabled)	0, 1
IESF_PolicyExplorerProcesses_11	Write	SInt32	Internet Explorer Processes (0: Disabled, 1: Enabled)	0, 1
IESF_PolicyExplorerProcesses_12	Write	SInt32	Internet Explorer Processes (0: Disabled, 1: Enabled)	0, 1
IESF_PolicyExplorerProcesses_8	Write	SInt32	Internet Explorer Processes (0: Disabled, 1: Enabled)	0, 1
Security_zones_map_edit	Write	SInt32	Security Zones: Do not allow users to add/delete sites (0: Disabled, 1: Enabled)	0, 1
Security_options_edit	Write	SInt32	Security Zones: Do not allow users to change policies (0: Disabled, 1: Enabled)	0, 1
Security_HKLM_only	Write	SInt32	Security Zones: Use only machine settings (0: Disabled, 1: Enabled)	0, 1
OnlyUseAXISForActiveXInstall	Write	SInt32	Specify use of ActiveX Installer Service for installation of ActiveX controls (0: Disabled, 1: Enabled)	0, 1
AddonManagement_RestrictCrashDetection	Write	SInt32	Turn off Crash Detection (0: Disabled, 1: Enabled)	0, 1
Disable_Security_Settings_Check	Write	SInt32	Turn off the Security Settings Check feature (0: Disabled, 1: Enabled)	0, 1
DisableBlockAtFirstSeen	Write	SInt32	Configure the 'Block at First Sight' feature (0: Disabled, 1: Enabled)	0, 1
RealtimeProtection_DisableScanOnRealtimeEnable	Write	SInt32	Turn on process scanning whenever real-time protection is enabled (0: Disabled, 1: Enabled)	0, 1
Scan_DisablePackedExeScanning	Write	SInt32	Scan packed executables (0: Disabled, 1: Enabled)	0, 1
DisableRoutinelyTakingAction	Write	SInt32	Turn off routine remediation (0: Disabled, 1: Enabled)	0, 1
TS_CLIENT_DISABLE_PASSWORD_SAVING_2	Write	SInt32	Do not allow passwords to be saved (0: Disabled, 1: Enabled)	0, 1
TS_CLIENT_DRIVE_M	Write	SInt32	Do not allow drive redirection (0: Disabled, 1: Enabled)	0, 1
TS_PASSWORD	Write	SInt32	Always prompt for password upon connection (0: Disabled, 1: Enabled)	0, 1
TS_RPC_ENCRYPTION	Write	SInt32	Require secure RPC communication (0: Disabled, 1: Enabled)	0, 1
TS_ENCRYPTION_POLICY	Write	SInt32	Set client connection encryption level (0: Disabled, 1: Enabled)	0, 1
TS_ENCRYPTION_LEVEL	Write	SInt32	Encryption Level - Depends on TS_ENCRYPTION_POLICY (1: Low Level, 2: Client Compatible, 3: High Level)	1, 2, 3
Disable_Downloading_of_Enclosures	Write	SInt32	Prevent downloading of enclosures (0: Disabled, 1: Enabled)	0, 1
EnableMPRNotifications	Write	SInt32	Enable MPR notifications for the system (0: Disabled, 1: Enabled)	0, 1
AutomaticRestartSignOn	Write	SInt32	Sign-in and lock last interactive user automatically after a restart (0: Disabled, 1: Enabled)	0, 1
EnableScriptBlockLogging	Write	SInt32	Turn on PowerShell Script Block Logging (0: Disabled, 1: Enabled)	0, 1
EnableScriptBlockInvocationLogging	Write	SInt32	Log script block invocation start / stop events: - Depends on EnableScriptBlockLogging (0: False, 1: True)	0, 1
AllowBasic_2	Write	SInt32	Allow Basic authentication (0: Disabled, 1: Enabled)	0, 1
AllowUnencrypted_2	Write	SInt32	Allow unencrypted traffic (0: Disabled, 1: Enabled)	0, 1
DisallowDigest	Write	SInt32	Disallow Digest authentication (0: Disabled, 1: Enabled)	0, 1
AllowBasic_1	Write	SInt32	Allow Basic authentication (0: Disabled, 1: Enabled)	0, 1
AllowUnencrypted_1	Write	SInt32	Allow unencrypted traffic (0: Disabled, 1: Enabled)	0, 1
DisableRunAs	Write	SInt32	Disallow WinRM from storing RunAs credentials (0: Disabled, 1: Enabled)	0, 1
AccountLogon_AuditCredentialValidation	Write	SInt32	Account Logon Audit Credential Validation (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
AccountLogonLogoff_AuditAccountLockout	Write	SInt32	Account Logon Logoff Audit Account Lockout (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
AccountLogonLogoff_AuditGroupMembership	Write	SInt32	Account Logon Logoff Audit Group Membership (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
AccountLogonLogoff_AuditLogon	Write	SInt32	Account Logon Logoff Audit Logon (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
PolicyChange_AuditAuthenticationPolicyChange	Write	SInt32	Audit Authentication Policy Change (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
PolicyChange_AuditPolicyChange	Write	SInt32	Audit Changes to Audit Policy (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
ObjectAccess_AuditFileShare	Write	SInt32	Audit File Share Access (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
AccountLogonLogoff_AuditOtherLogonLogoffEvents	Write	SInt32	Audit Other Logon Logoff Events (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
AccountManagement_AuditSecurityGroupManagement	Write	SInt32	Audit Security Group Management (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
System_AuditSecuritySystemExtension	Write	SInt32	Audit Security System Extension (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
AccountLogonLogoff_AuditSpecialLogon	Write	SInt32	Audit Special Logon (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
AccountManagement_AuditUserAccountManagement	Write	SInt32	Audit User Account Management (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
DetailedTracking_AuditPNPActivity	Write	SInt32	Detailed Tracking Audit PNP Activity (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
DetailedTracking_AuditProcessCreation	Write	SInt32	Detailed Tracking Audit Process Creation (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
ObjectAccess_AuditDetailedFileShare	Write	SInt32	Object Access Audit Detailed File Share (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
ObjectAccess_AuditOtherObjectAccessEvents	Write	SInt32	Object Access Audit Other Object Access Events (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
ObjectAccess_AuditRemovableStorage	Write	SInt32	Object Access Audit Removable Storage (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
PolicyChange_AuditMPSSVCRuleLevelPolicyChange	Write	SInt32	Policy Change Audit MPSSVC Rule Level Policy Change (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
PolicyChange_AuditOtherPolicyChangeEvents	Write	SInt32	Policy Change Audit Other Policy Change Events (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
PrivilegeUse_AuditSensitivePrivilegeUse	Write	SInt32	Privilege Use Audit Sensitive Privilege Use (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
System_AuditOtherSystemEvents	Write	SInt32	System Audit Other System Events (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
System_AuditSecurityStateChange	Write	SInt32	System Audit Security State Change (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
System_AuditSystemIntegrity	Write	SInt32	System Audit System Integrity (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)	0, 1, 2, 3
AllowPasswordManager	Write	SInt32	Allow Password Manager (0: Not allowed., 1: Allowed.)	0, 1
AllowSmartScreen	Write	SInt32	Allow Smart Screen (0: Turned off. Do not protect users from potential threats and prevent users from turning it on., 1: Turned on. Protect users from potential threats and prevent users from turning it off.)	0, 1
PreventCertErrorOverrides	Write	SInt32	Prevent Cert Error Overrides (0: Allowed/turned on. Override the security warning to sites that have SSL errors., 1: Prevented/turned on.)	0, 1
Browser_PreventSmartScreenPromptOverride	Write	SInt32	Prevent Smart Screen Prompt Override (0: Allowed/turned off. Users can ignore the warning and continue to the site., 1: Prevented/turned on.)	0, 1
PreventSmartScreenPromptOverrideForFiles	Write	SInt32	Prevent Smart Screen Prompt Override For Files (0: Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s)., 1: Prevented/turned on.)	0, 1
AllowDirectMemoryAccess	Write	SInt32	Allow Direct Memory Access (0: Not allowed., 1: Allowed.)	0, 1
AllowArchiveScanning	Write	SInt32	Allow Archive Scanning (0: Not allowed. Turns off scanning on archived files., 1: Allowed. Scans the archive files.)	0, 1
AllowBehaviorMonitoring	Write	SInt32	Allow Behavior Monitoring (0: Not allowed. Turns off behavior monitoring., 1: Allowed. Turns on real-time behavior monitoring.)	0, 1
AllowCloudProtection	Write	SInt32	Allow Cloud Protection (0: Not allowed. Turns off the Microsoft Active Protection Service., 1: Allowed. Turns on the Microsoft Active Protection Service.)	0, 1
AllowFullScanRemovableDriveScanning	Write	SInt32	Allow Full Scan Removable Drive Scanning (0: Not allowed. Turns off scanning on removable drives., 1: Allowed. Scans removable drives.)	0, 1
AllowOnAccessProtection	Write	SInt32	Allow On Access Protection (0: Not allowed., 1: Allowed.)	0, 1
AllowRealtimeMonitoring	Write	SInt32	Allow Realtime Monitoring (0: Not allowed. Turns off the real-time monitoring service., 1: Allowed. Turns on and runs the real-time monitoring service.)	0, 1
AllowIOAVProtection	Write	SInt32	Allow scanning of all downloaded files and attachments (0: Not allowed., 1: Allowed.)	0, 1
AllowScriptScanning	Write	SInt32	Allow Script Scanning (0: Not allowed., 1: Allowed.)	0, 1
BlockExecutionOfPotentiallyObfuscatedScripts	Write	String	Block execution of potentially obfuscated scripts - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
BlockWin32APICallsFromOfficeMacros	Write	String	Block Win32 API calls from Office macros - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion	Write	String	Block executable files from running unless they meet a prevalence, age, or trusted list criterion - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
BlockOfficeCommunicationAppFromCreatingChildProcesses	Write	String	Block Office communication application from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
BlockAllOfficeApplicationsFromCreatingChildProcesses	Write	String	Block all Office applications from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
BlockAdobeReaderFromCreatingChildProcesses	Write	String	Block Adobe Reader from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem	Write	String	Block credential stealing from the Windows local security authority subsystem - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent	Write	String	Block JavaScript or VBScript from launching downloaded executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
BlockWebshellCreationForServers	Write	String	Block Webshell creation for Servers - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockWebshellCreationForServers_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
BlockUntrustedUnsignedProcessesThatRunFromUSB	Write	String	Block untrusted and unsigned processes that run from USB - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
BlockPersistenceThroughWMIEventSubscription	Write	String	Block persistence through WMI event subscription - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockUseOfCopiedOrImpersonatedSystemTools	Write	String	Block use of copied or impersonated system tools - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
BlockAbuseOfExploitedVulnerableSignedDrivers	Write	String	Block abuse of exploited vulnerable signed drivers (Device) - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
BlockProcessCreationsFromPSExecAndWMICommands	Write	String	Block process creations originating from PSExec and WMI commands - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
BlockOfficeApplicationsFromCreatingExecutableContent	Write	String	Block Office applications from creating executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses	Write	String	Block Office applications from injecting code into other processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
BlockRebootingMachineInSafeMode	Write	String	Block rebooting machine in Safe Mode - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
UseAdvancedProtectionAgainstRansomware	Write	String	Use advanced protection against ransomware - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
BlockExecutableContentFromEmailClientAndWebmail	Write	String	Block executable content from email client and webmail - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)	off, block, audit, warn
BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions	Write	StringArray[]	ASR Only Per Rule Exclusions
CloudBlockLevel	Write	SInt32	Cloud Block Level (0: NotConfigured, 2: High, 4: HighPlus, 6: ZeroTolerance)	0, 2, 4, 6
CloudExtendedTimeout	Write	SInt32	Cloud Extended Timeout
DisableLocalAdminMerge	Write	SInt32	Disable Local Admin Merge (0: Enable Local Admin Merge, 1: Disable Local Admin Merge)	0, 1
EnableFileHashComputation	Write	SInt32	Enable File Hash Computation (0: Disable, 1: Enable)	0, 1
EnableNetworkProtection	Write	SInt32	Enable Network Protection (0: Disabled, 1: Enabled (block mode), 2: Enabled (audit mode))	0, 1, 2
HideExclusionsFromLocalAdmins	Write	SInt32	Hide Exclusions From Local Admins (1: If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell., 0: If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell.)	1, 0
PUAProtection	Write	SInt32	PUA Protection (0: PUA Protection off. Windows Defender will not protect against potentially unwanted applications., 1: PUA Protection on. Detected items are blocked. They will show in history along with other threats., 2: Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.)	0, 1, 2
RealTimeScanDirection	Write	SInt32	Real Time Scan Direction (0: Monitor all files (bi-directional)., 1: Monitor incoming files., 2: Monitor outgoing files.)	0, 1, 2
SubmitSamplesConsent	Write	SInt32	Submit Samples Consent (0: Always prompt., 1: Send safe samples automatically., 2: Never send., 3: Send all samples automatically.)	0, 1, 2, 3
ConfigureSystemGuardLaunch	Write	SInt32	Configure System Guard Launch (0: Unmanaged Configurable by Administrative user, 1: Unmanaged Enables Secure Launch if supported by hardware, 2: Unmanaged Disables Secure Launch)	0, 1, 2
LsaCfgFlags	Write	SInt32	Credential Guard (0: (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock., 1: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock., 2: (Enabled without lock) Turns on Credential Guard without UEFI lock.)	0, 1, 2
EnableVirtualizationBasedSecurity	Write	SInt32	Enable Virtualization Based Security (0: disable virtualization based security., 1: enable virtualization based security.)	0, 1
RequirePlatformSecurityFeatures	Write	SInt32	Require Platform Security Features (1: Turns on VBS with Secure Boot., 3: Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.)	1, 3
DevicePasswordEnabled	Write	SInt32	Device Password Enabled (0: Enabled, 1: Disabled)	0, 1
DevicePasswordExpiration	Write	SInt32	Device Password Expiration - Depends on DevicePasswordEnabled
MinDevicePasswordLength	Write	SInt32	Min Device Password Length - Depends on DevicePasswordEnabled
AlphanumericDevicePasswordRequired	Write	SInt32	Alphanumeric Device Password Required - Depends on DevicePasswordEnabled (0: Password or Alphanumeric PIN required., 1: Password or Numeric PIN required., 2: Password, Numeric PIN, or Alphanumeric PIN required.)	0, 1, 2
MaxDevicePasswordFailedAttempts	Write	SInt32	Max Device Password Failed Attempts - Depends on DevicePasswordEnabled
MinDevicePasswordComplexCharacters	Write	SInt32	Min Device Password Complex Characters - Depends on DevicePasswordEnabled (1: Digits only, 2: Digits and lowercase letters are required, 3: Digits lowercase letters and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts, 4: Digits lowercase letters uppercase letters and special characters are required. Not supported in desktop)	1, 2, 3, 4
MaxInactivityTimeDeviceLock	Write	SInt32	Max Inactivity Time Device Lock - Depends on DevicePasswordEnabled
DevicePasswordHistory	Write	SInt32	Device Password History - Depends on DevicePasswordEnabled
AllowSimpleDevicePassword	Write	SInt32	Allow Simple Device Password - Depends on DevicePasswordEnabled (0: Not allowed., 1: Allowed.)	0, 1
DeviceEnumerationPolicy	Write	SInt32	Device Enumeration Policy (0: Block all (Most restrictive), 1: Only after log in/screen unlock, 2: Allow all (Least restrictive))	0, 1, 2
EnableInsecureGuestLogons	Write	SInt32	Enable Insecure Guest Logons (0: Disabled, 1: Enabled)	0, 1
Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly	Write	SInt32	Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only (0: Disabled, 1: Enabled)	0, 1
InteractiveLogon_MachineInactivityLimit	Write	SInt32	Interactive Logon Machine Inactivity Limit
InteractiveLogon_SmartCardRemovalBehavior	Write	SInt32	Interactive Logon Smart Card Removal Behavior (0: No Action, 1: Lock Workstation, 2: Force Logoff, 3: Disconnect if a Remote Desktop Services session)	0, 1, 2, 3
MicrosoftNetworkClient_DigitallySignCommunicationsAlways	Write	SInt32	Microsoft Network Client Digitally Sign Communications Always (1: Enable, 0: Disable)	1, 0
MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers	Write	SInt32	Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers (1: Enable, 0: Disable)	1, 0
MicrosoftNetworkServer_DigitallySignCommunicationsAlways	Write	SInt32	Microsoft Network Server Digitally Sign Communications Always (1: Enable, 0: Disable)	1, 0
NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts	Write	SInt32	Network Access Do Not Allow Anonymous Enumeration Of SAM Accounts (1: Enabled, 0: Disabled)	1, 0
NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares	Write	SInt32	Network Access Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares (1: Enabled, 0: Disabled)	1, 0
NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares	Write	SInt32	Network Access Restrict Anonymous Access To Named Pipes And Shares (1: Enable, 0: Disable)	1, 0
NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM	Write	String	Network Access Restrict Clients Allowed To Make Remote Calls To SAM
NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange	Write	SInt32	Network Security Do Not Store LAN Manager Hash Value On Next Password Change (1: Enable, 0: Disable)	1, 0
NetworkSecurity_LANManagerAuthenticationLevel	Write	SInt32	Network Security LAN Manager Authentication Level (0: Send LM and NTLM responses, 1: Send LM and NTLM-use NTLMv2 session security if negotiated, 2: Send LM and NTLM responses only, 3: Send LM and NTLMv2 responses only, 4: Send LM and NTLMv2 responses only. Refuse LM, 5: Send LM and NTLMv2 responses only. Refuse LM and NTLM)	0, 1, 2, 3, 4, 5
NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients	Write	String	Network Security Minimum Session Security For NTLMSSP Based Clients (0: None, 524288: Require NTLMv2 session security, 536870912: Require 128-bit encryption, 537395200: Require NTLM and 128-bit encryption)	0, 524288, 536870912, 537395200
NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers	Write	String	Network Security Minimum Session Security For NTLMSSP Based Servers (0: None, 524288: Require NTLMv2 session security, 536870912: Require 128-bit encryption, 537395200: Require NTLM and 128-bit encryption)	0, 524288, 536870912, 537395200
UserAccountControl_BehaviorOfTheElevationPromptForAdministrators	Write	SInt32	User Account Control Behavior Of The Elevation Prompt For Administrators (0: Elevate without prompting, 1: Prompt for credentials on the secure desktop, 2: Prompt for consent on the secure desktop, 3: Prompt for credentials, 4: Prompt for consent, 5: Prompt for consent for non-Windows binaries)	0, 1, 2, 3, 4, 5
UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers	Write	SInt32	User Account Control Behavior Of The Elevation Prompt For Standard Users (0: Automatically deny elevation requests, 1: Prompt for credentials on the secure desktop, 3: Prompt for credentials)	0, 1, 3
UserAccountControl_DetectApplicationInstallationsAndPromptForElevation	Write	SInt32	User Account Control Detect Application Installations And Prompt For Elevation (1: Enable, 0: Disable)	1, 0
UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations	Write	SInt32	User Account Control Only Elevate UI Access Applications That Are Installed In Secure Locations (0: Disabled: Application runs with UIAccess integrity even if it does not reside in a secure location., 1: Enabled: Application runs with UIAccess integrity only if it resides in secure location.)	0, 1
UserAccountControl_RunAllAdministratorsInAdminApprovalMode	Write	SInt32	User Account Control Run All Administrators In Admin Approval Mode (0: Disabled, 1: Enabled)	0, 1
UserAccountControl_UseAdminApprovalMode	Write	SInt32	User Account Control Use Admin Approval Mode (1: Enable, 0: Disable)	1, 0
UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations	Write	SInt32	User Account Control Virtualize File And Registry Write Failures To Per User Locations (0: Disabled, 1: Enabled)	0, 1
ConfigureLsaProtectedProcess	Write	SInt32	Configure Lsa Protected Process (0: Disabled. Default value. LSA will not run as protected process., 1: Enabled with UEFI lock. LSA will run as protected process and this configuration is UEFI locked., 2: Enabled without UEFI lock. LSA will run as protected process and this configuration is not UEFI locked.)	0, 1, 2
AllowGameDVR	Write	SInt32	Allow Game DVR (0: Not allowed., 1: Allowed.)	0, 1
MSIAllowUserControlOverInstall	Write	SInt32	MSI Allow User Control Over Install (0: Disabled, 1: Enabled)	0, 1
MSIAlwaysInstallWithElevatedPrivileges	Write	SInt32	MSI Always Install With Elevated Privileges (0: Disabled, 1: Enabled)	0, 1
SmartScreenEnabled	Write	SInt32	Configure Microsoft Defender SmartScreen (0: Disabled, 1: Enabled)	0, 1
MicrosoftEdge_SmartScreen_PreventSmartScreenPromptOverride	Write	SInt32	Prevent bypassing Microsoft Defender SmartScreen prompts for sites (0: Disabled, 1: Enabled)	0, 1
LetAppsActivateWithVoiceAboveLock	Write	SInt32	Let Apps Activate With Voice Above Lock (0: User in control. Users can decide if Windows apps can be activated by voice while the screen is locked using Settings > Privacy options on the device., 1: Force allow. Windows apps can be activated by voice while the screen is locked, and users cannot change it., 2: Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it.)	0, 1, 2
AllowIndexingEncryptedStoresOrItems	Write	SInt32	Allow Indexing Encrypted Stores Or Items (0: Not allowed., 1: Allowed.)	0, 1
EnableSmartScreenInShell	Write	SInt32	Enable Smart Screen In Shell (0: Disabled., 1: Enabled.)	0, 1
NotifyMalicious	Write	SInt32	Notify Malicious (0: Disabled, 1: Enabled)	0, 1
NotifyPasswordReuse	Write	SInt32	Notify Password Reuse (0: Disabled, 1: Enabled)	0, 1
NotifyUnsafeApp	Write	SInt32	Notify Unsafe App (0: Disabled, 1: Enabled)	0, 1
ServiceEnabled	Write	SInt32	Service Enabled (0: Disabled, 1: Enabled)	0, 1
PreventOverrideForFilesInShell	Write	SInt32	Prevent Override For Files In Shell (0: Do not prevent override., 1: Prevent override.)	0, 1
ConfigureXboxAccessoryManagementServiceStartupMode	Write	SInt32	Configure Xbox Accessory Management Service Startup Mode (2: Automatic, 3: Manual, 4: Disabled)	2, 3, 4
ConfigureXboxLiveAuthManagerServiceStartupMode	Write	SInt32	Configure Xbox Live Auth Manager Service Startup Mode (2: Automatic, 3: Manual, 4: Disabled)	2, 3, 4
ConfigureXboxLiveGameSaveServiceStartupMode	Write	SInt32	Configure Xbox Live Game Save Service Startup Mode (2: Automatic, 3: Manual, 4: Disabled)	2, 3, 4
ConfigureXboxLiveNetworkingServiceStartupMode	Write	SInt32	Configure Xbox Live Networking Service Startup Mode (2: Automatic, 3: Manual, 4: Disabled)	2, 3, 4
EnableXboxGameSaveTask	Write	SInt32	Enable Xbox Game Save Task (0: Disabled, 1: Enabled)	0, 1
AccessFromNetwork	Write	StringArray[]	Access From Network
AllowLocalLogOn	Write	StringArray[]	Allow Local Log On
BackupFilesAndDirectories	Write	StringArray[]	Backup Files And Directories
CreateGlobalObjects	Write	StringArray[]	Create Global Objects
CreatePageFile	Write	StringArray[]	Create Page File
DebugPrograms	Write	StringArray[]	Debug Programs
DenyAccessFromNetwork	Write	StringArray[]	Deny Access From Network
DenyRemoteDesktopServicesLogOn	Write	StringArray[]	Deny Remote Desktop Services Log On
ImpersonateClient	Write	StringArray[]	Impersonate Client
LoadUnloadDeviceDrivers	Write	StringArray[]	Load Unload Device Drivers
ManageAuditingAndSecurityLog	Write	StringArray[]	Manage Auditing And Security Log
ManageVolume	Write	StringArray[]	Manage Volume
ModifyFirmwareEnvironment	Write	StringArray[]	Modify Firmware Environment
ProfileSingleProcess	Write	StringArray[]	Profile Single Process
RemoteShutdown	Write	StringArray[]	Remote Shutdown
RestoreFilesAndDirectories	Write	StringArray[]	Restore Files And Directories
TakeOwnership	Write	StringArray[]	Take Ownership
HypervisorEnforcedCodeIntegrity	Write	SInt32	Hypervisor Enforced Code Integrity (0: (Disabled) Turns off Hypervisor-Protected Code Integrity remotely if configured previously without UEFI Lock., 1: (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock., 2: (Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock.)	0, 1, 2
AllowAutoConnectToWiFiSenseHotspots	Write	SInt32	Allow Auto Connect To Wi Fi Sense Hotspots (0: Not allowed., 1: Allowed.)	0, 1
AllowInternetSharing	Write	SInt32	Allow Internet Sharing (0: Not allowed., 1: Allowed.)	0, 1
FacialFeaturesUseEnhancedAntiSpoofing	Write	String	Facial Features Use Enhanced Anti Spoofing (false: Disabled, true: Enabled)	false, true
AllowWindowsInkWorkspace	Write	SInt32	Allow Windows Ink Workspace (0: access to ink workspace is disabled. The feature is turned off., 1: ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen., 2: ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen.)	0, 1, 2
BackupDirectory	Write	SInt32	Backup Directory (0: Disabled (password will not be backed up), 1: Backup the password to Azure AD only, 2: Backup the password to Active Directory only)	0, 1, 2
ADEncryptedPasswordHistorySize	Write	SInt32	AD Encrypted Password History Size - Depends on BackupDirectory
passwordagedays	Write	SInt32	Password Age Days - Depends on BackupDirectory
ADPasswordEncryptionEnabled	Write	String	AD Password Encryption Enabled - Depends on BackupDirectory (false: Store the password in clear-text form in Active Directory, true: Store the password in encrypted form in Active Directory)	false, true
passwordagedays_aad	Write	SInt32	Password Age Days - Depends on BackupDirectory
ADPasswordEncryptionPrincipal	Write	String	AD Password Encryption Principal - Depends on BackupDirectory
PasswordExpirationProtectionEnabled	Write	String	Password Expiration Protection Enabled - Depends on BackupDirectory (false: Allow configured password expiriration timestamp to exceed maximum password age, true: Do not allow configured password expiriration timestamp to exceed maximum password age)	false, true
EnableConvertWarnToBlock	Write	SInt32	Enable Convert Warn To Block (1: Warn verdicts are converted to block, 0: Warn verdicts are not converted to block)	1, 0
HideExclusionsFromLocalUsers	Write	SInt32	Hide Exclusions From Local Users (1: If you enable this setting, local users will no longer be able to see the exclusion list in Windows Security App or via PowerShell., 0: If you disable or do not configure this setting, local users will be able to see exclusions in the Windows Security App and via PowerShell.)	1, 0
OobeEnableRtpAndSigUpdate	Write	SInt32	Oobe Enable Rtp And Sig Update (1: If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE., 0: If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled.)	1, 0
PassiveRemediation	Write	SInt32Array[]	Passive Remediation (0: Passive Remediation is turned off (default), 1: PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation, 2: PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit, 4: PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation)	0, 1, 2, 4
QuickScanIncludeExclusions	Write	SInt32	Quick Scan Include Exclusions (0: If you set this setting to 0 or do not configure it, exclusions are not scanned during quick scans., 1: If you set this setting to 1, all files and directories that are excluded from real-time protection using contextual exclusions are scanned during a quick scan.)	0, 1
PKInitHashAlgorithmConfiguration	Write	SInt32	PK Init Hash Algorithm Configuration (0: Disabled / Not Configured, 1: Enabled)	0, 1
PKInitHashAlgorithmSHA256	Write	SInt32	PK Init Hash Algorithm SHA256 - Depends on PKInitHashAlgorithmConfiguration (0: Not Supported, 1: Default, 2: Audited, 3: Supported)	0, 1, 2, 3
PKInitHashAlgorithmSHA512	Write	SInt32	PK Init Hash Algorithm SHA512 - Depends on PKInitHashAlgorithmConfiguration (0: Not Supported, 1: Default, 2: Audited, 3: Supported)	0, 1, 2, 3
PKInitHashAlgorithmSHA384	Write	SInt32	PK Init Hash Algorithm SHA384 - Depends on PKInitHashAlgorithmConfiguration (0: Not Supported, 1: Default, 2: Audited, 3: Supported)	0, 1, 2, 3
PKInitHashAlgorithmSHA1	Write	SInt32	PK Init Hash Algorithm SHA1 - Depends on PKInitHashAlgorithmConfiguration (0: Not Supported, 1: Default, 2: Audited, 3: Supported)	0, 1, 2, 3
EnableSudo	Write	SInt32	Enable Sudo (0: Sudo is disabled., 1: Sudo is allowed in 'force new window' mode., 2: Sudo is allowed in 'disable input' mode., 3: Sudo is allowed in 'inline' mode.)	0, 1, 2, 3
MachineIdentityIsolation	Write	SInt32	Machine Identity Isolation (0: (Disabled) Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key., 1: (Enabled in audit mode) Machine password both LSASS-bound and IUM-bound. It is stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys., 2: (Enabled in enforcement mode) Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key.)	0, 1, 2
AuditClientDoesNotSupportEncryption	Write	SInt32	Audit Client Does Not Support Encryption (0: Disabled, 1: Enabled)	0, 1
AuditClientDoesNotSupportSigning	Write	SInt32	Audit Client Does Not Support Signing (0: Disabled, 1: Enabled)	0, 1
LanmanServer_AuditInsecureGuestLogon	Write	SInt32	Audit Insecure Guest Logon (0: Disabled, 1: Enabled)	0, 1
AuthRateLimiterDelayInMs	Write	SInt32	Auth Rate Limiter Delay In Ms
EnableAuthRateLimiter	Write	SInt32	Enable Auth Rate Limiter (0: Disabled, 1: Enabled)	0, 1
LanmanServer_EnableMailslots	Write	SInt32	Enable Mailslots (0: Disabled, 1: Enabled)	0, 1
LanmanServer_MaxSmb2Dialect	Write	SInt32	Max Smb2 Dialect (514: SMB 2.0.2, 528: SMB 2.1.0, 768: SMB 3.0.0, 770: SMB 3.0.2, 785: SMB 3.1.1)	514, 528, 768, 770, 785
LanmanServer_MinSmb2Dialect	Write	SInt32	Min Smb2 Dialect (514: SMB 2.0.2, 528: SMB 2.1.0, 768: SMB 3.0.0, 770: SMB 3.0.2, 785: SMB 3.1.1)	514, 528, 768, 770, 785
LanmanWorkstation_AuditInsecureGuestLogon	Write	SInt32	Audit Insecure Guest Logon (0: Disabled, 1: Enabled)	0, 1
AuditServerDoesNotSupportEncryption	Write	SInt32	Audit Server Does Not Support Encryption (0: Disabled, 1: Enabled)	0, 1
AuditServerDoesNotSupportSigning	Write	SInt32	Audit Server Does Not Support Signing (0: Disabled, 1: Enabled)	0, 1
LanmanWorkstation_EnableMailslots	Write	SInt32	Enable Mailslots (0: Disabled, 1: Enabled)	0, 1
LanmanWorkstation_MaxSmb2Dialect	Write	SInt32	Max Smb2 Dialect (514: SMB 2.0.2, 528: SMB 2.1.0, 768: SMB 3.0.0, 770: SMB 3.0.2, 785: SMB 3.1.1)	514, 528, 768, 770, 785
LanmanWorkstation_MinSmb2Dialect	Write	SInt32	Min Smb2 Dialect (514: SMB 2.0.2, 528: SMB 2.1.0, 768: SMB 3.0.0, 770: SMB 3.0.2, 785: SMB 3.1.1)	514, 528, 768, 770, 785
RequireEncryption	Write	SInt32	Require Encryption (0: Disabled, 1: Enabled)	0, 1

MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10

Parameters

Parameter	Attribute	DataType	Description	Allowed Values
NoLockScreenToastNotification	Write	SInt32	Turn off toast notifications on the lock screen (User) (0: Disabled, 1: Enabled)	0, 1
RestrictFormSuggestPW	Write	SInt32	Turn on the auto-complete feature for user names and passwords on forms (User) (0: Disabled, 1: Enabled)	0, 1
ChkBox_PasswordAsk	Write	SInt32	Prompt me to save passwords (User) - Depends on RestrictFormSuggestPW (0: False, 1: True)	0, 1
AllowWindowsSpotlight	Write	SInt32	Allow Windows Spotlight (User) (0: Not allowed., 1: Allowed.)	0, 1
AllowWindowsTips	Write	SInt32	Allow Windows Tips - Depends on AllowWindowsSpotlight (0: Disabled., 1: Enabled.)	0, 1
AllowTailoredExperiencesWithDiagnosticData	Write	SInt32	Allow Tailored Experiences With Diagnostic Data (User) - Depends on AllowWindowsSpotlight (0: Not allowed., 1: Allowed.)	0, 1
AllowWindowsSpotlightOnActionCenter	Write	SInt32	Allow Windows Spotlight On Action Center (User) - Depends on AllowWindowsSpotlight (0: Not allowed., 1: Allowed.)	0, 1
AllowWindowsConsumerFeatures	Write	SInt32	Allow Windows Consumer Features - Depends on AllowWindowsSpotlight (0: Not allowed., 1: Allowed.)	0, 1
ConfigureWindowsSpotlightOnLockScreen	Write	SInt32	Configure Windows Spotlight On Lock Screen (User) - Depends on AllowWindowsSpotlight (0: Windows spotlight disabled., 1: Windows spotlight enabled., 2: Windows spotlight is always enabled, the user cannot disable it, 3: Windows spotlight is always enabled, the user cannot disable it. For special configurations only)	0, 1, 2, 3
AllowWindowsSpotlightWindowsWelcomeExperience	Write	SInt32	Allow Windows Spotlight Windows Welcome Experience (User) - Depends on AllowWindowsSpotlight (0: Not allowed., 1: Allowed.)	0, 1
AllowThirdPartySuggestionsInWindowsSpotlight	Write	SInt32	Allow Third Party Suggestions In Windows Spotlight (User) - Depends on AllowWindowsSpotlight (0: Third-party suggestions not allowed., 1: Third-party suggestions allowed.)	0, 1

Description

Intune Security Baseline for Windows10

Permissions

Microsoft Graph

To authenticate with the Microsoft Graph API, this resource required the following permissions:

Delegated permissions

• Read

  • DeviceManagementConfiguration.Read.All, Group.Read.All

• Update

  • Group.Read.All, DeviceManagementConfiguration.ReadWrite.All

Application permissions

• Read

  • DeviceManagementConfiguration.Read.All, Group.Read.All

• Update

  • Group.Read.All, DeviceManagementConfiguration.ReadWrite.All

Examples

Example 1

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        IntuneSecurityBaselineWindows10 'mySecurityBaselineWindows10'
        {
            DisplayName           = 'test'
            DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10
            {
                Pol_MSS_DisableIPSourceRoutingIPv6 = '1'
                DisableIPSourceRoutingIPv6 = '0'
                BlockExecutionOfPotentiallyObfuscatedScripts = 'block'                             
                HardenedUNCPaths_Pol_HardenedPaths = '1'
                pol_hardenedPaths = @(
                    MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths{
                        Key = '\\*\SYSVOL'
                        Value = 'RequireMutualAuthentication=1,RequireIntegrity=1'
                    }
                )
            }
            UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10
            {
                AllowWindowsSpotlight = '1'
            }
            Ensure                = 'Present'
            ApplicationId         = $ApplicationId;
            TenantId              = $TenantId;
            CertificateThumbprint = $CertificateThumbprint;
        }
    }
}

Example 2

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        IntuneSecurityBaselineWindows10 'mySecurityBaselineWindows10'
        {
            DisplayName           = 'test'
            DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10
            {
                Pol_MSS_DisableIPSourceRoutingIPv6 = '1'
                DisableIPSourceRoutingIPv6 = '0'
                BlockExecutionOfPotentiallyObfuscatedScripts = 'block'                         
                HardenedUNCPaths_Pol_HardenedPaths = '1'
                pol_hardenedPaths = @(
                    MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths{
                        Key = '\\*\SYSVOL'
                        Value = 'RequireMutualAuthentication=1,RequireIntegrity=1'
                    }
                )
            }
            UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10
            {
                AllowWindowsSpotlight = '1' #drift
            }
            Ensure                = 'Present'
            ApplicationId         = $ApplicationId;
            TenantId              = $TenantId;
            CertificateThumbprint = $CertificateThumbprint;
        }
    }
}

Example 3

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        IntuneSecurityBaselineWindows10 'mySecurityBaselineWindows10'
        {
            DisplayName           = 'test'
            Ensure                = 'Absent'
            ApplicationId         = $ApplicationId;
            TenantId              = $TenantId;
            CertificateThumbprint = $CertificateThumbprint;
        }
    }
}