Deploy Code Integrity Policy

This policy setting lets you deploy a Code Integrity Policy to a machine to control what is allowed to run on that machine. If you deploy a Code Integrity Policy, Windows will restrict what can run in both kernel mode and on the Windows Desktop based on the policy. To enable this policy the machine must be rebooted. The file path must be either a UNC path (for example `\\ServerName\ShareName\SIPolicy.p7b`) or a locally valid path (for example `C:\FolderName\SIPolicy.p7b`). The local machine account (LOCAL SYSTEM) must have access permission to the policy file. If using a signed and protected policy, disabling this policy setting doesn't remove the feature from the computer. Instead you must either: 1) first update the policy to a non-protected policy and then disable the setting, or 2) disable the setting and then remove the policy from each computer with a physically present user.

Turn On Virtualization Based Security

Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices.

Virtualization Based Protection of Code Integrity

This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the virtualization based security feature. Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible.

Credential Guard

This setting lets you decide whether users can turn on Credential Guard with virtualization-based security to help protect credentials. Disabling these settings does not remove the feature from the computer. Instead you must also remove the security functionality from each computer with a physically present user in order to clear configuration persisted in Secure Boot. Please refer to the documentation for a complete set of requirements to securely configure this feature.
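The two preconditions the Deploy Code Integrity Policy text states (a UNC or local path to the `.p7b` file, readable by LOCAL SYSTEM) and the resulting Virtualization Based Security state can be checked from an elevated PowerShell session. This is an added example, not part of the policy text; it assumes the `Win32_DeviceGuard` WMI class in the `root\Microsoft\Windows\DeviceGuard` namespace and the status value meanings given in the comments.

```powershell
# Added example: validate a Code Integrity policy file the way the policy expects it,
# then report the Device Guard / VBS state after the reboot.
function Test-CIPolicyFilePath {
    param([Parameter(Mandatory)][string]$PolicyPath)
    # Accept only \\Server\Share\...\SIPolicy.p7b or X:\...\SIPolicy.p7b
    $isUnc   = $PolicyPath -match '^\\\\[^\\]+\\[^\\]+\\.+\.p7b$'
    $isLocal = $PolicyPath -match '^[A-Za-z]:\\.+\.p7b$'
    if (-not ($isUnc -or $isLocal)) { return 'Path is neither a UNC path nor a local drive path' }
    if (-not (Test-Path -LiteralPath $PolicyPath -PathType Leaf)) { return 'Policy file not found' }
    # LOCAL SYSTEM reads the file at boot; look for an explicit Allow ACE granting Read.
    # Group-based grants (e.g. via Everyone) are not resolved by this simple check.
    $acl = Get-Acl -LiteralPath $PolicyPath
    $systemRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0)
    }
    if (-not $systemRead) { return 'LOCAL SYSTEM has no explicit Read access to the policy file' }
    return 'OK: path format and LOCAL SYSTEM read access look correct'
}

function Get-DeviceGuardStatus {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'
    # Assumed value meanings (per the Win32_DeviceGuard class documentation):
    $vbs = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    $ci  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $svc = @{ 1 = 'Credential Guard'; 2 = 'HVCI (virtualization-based code integrity)' }
    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbs[[int]$dg.VirtualizationBasedSecurityStatus]
        KernelModeCIPolicy          = $ci[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCIPolicy            = $ci[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        ServicesRunning             = ($dg.SecurityServicesRunning | ForEach-Object { $svc[[int]$_] }) -join ', '
        # RequiredSecurityProperties: 2 = Secure Boot, 3 = DMA protection
        SecureBootRequired          = 2 -in $dg.RequiredSecurityProperties
        DmaProtectionRequired       = 3 -in $dg.RequiredSecurityProperties
    }
}

# Usage (example path, as in the policy description):
Test-CIPolicyFilePath -PolicyPath '\\ServerName\ShareName\SIPolicy.p7b'
Get-DeviceGuardStatus
```

A KernelModeCIPolicy of "Audit" rather than "Enforced" after the reboot usually means the policy file itself was built in audit mode, not that deployment failed.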

Group ID

Set this policy to specify an arbitrary group ID that the device belongs to. Use this if you need to: 1. Limit the number of devices participating in peering in a domain network with many users. 2. Create a single group for Local Network Peering for branches that are on different domains or are not on the same NAT. Note: this is a best-effort optimization and should not be relied on for authentication of identity. You must use a GUID as the group ID.

Download Mode

Set this policy to configure the use of Windows Update Delivery Optimization in downloads of Windows Apps and Updates. Available modes are: 0 = disable; 1 = peers on same NAT only; 2 = Local Network / Private Peering (PCs in the same domain by default); 3 = Internet Peering.

Disable pre-release features or settings

This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. A value of 1 permits Microsoft to configure device settings only. A value of 2 allows Microsoft to conduct full experiments. If you disable this policy setting, all experiments will be turned off. If you do not configure this policy setting, users can configure the "Let Microsoft try features on this build" option in Settings.

Allow Telemetry

This policy setting determines the amount of diagnostic and usage data reported to Microsoft. A value of 0 indicates that no telemetry data from OS components is sent to Microsoft. Setting a value of 0 is applicable to enterprise and server devices only; setting a value of 0 for other devices is equivalent to choosing a value of 1. A value of 1 sends only a limited or basic amount of diagnostic and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device. A value of 2 sends enhanced diagnostic and usage data. A value of 3 sends the same data as a value of 2 plus additional diagnostics data, such as the system state at the time of a hang or crash and the files and content that may have caused the problem. If you disable or do not configure this policy setting, users can configure the Telemetry level in Settings.