Allow download files using gpo
To save your changes and proceed to the next setting, select Apply, and then select Next Setting. The following table summarizes key differences between the current and past versions of WSUS that are relevant to this article. Group Policy extension or extension of Group Policy A collection of settings in Group Policy that control how users and computers to whom the policies apply can configure and use various Windows services and features.
Administrators can use WSUS with Group Policy for client-side configuration of the Automatic Updates client, to help ensure that users can't disable or circumvent corporate update policies. Client configuration can also be applied by using a local group policy or by modifying the Windows registry. You can't manage WSUS on a replica server. Microsoft Update A Microsoft internet site that stores and distributes updates for Windows computers device drivers, Windows operating systems, and other Microsoft software products.
For example, metadata supplies information for the properties of an update so you can find out what the update is useful for. Metadata also includes Microsoft Software License Terms. The metadata package downloaded for an update is typically much smaller than the update file package. A WSUS infrastructure enables you to manage updates for computers on your network to install. You can use WSUS to approve or decline updates before release, to force updates to install by a certain date, and to obtain extensive reports on what updates each computer on your network requires.
You can configure WSUS to approve certain classes of updates automatically including critical updates, security updates, service packs, and drivers. WSUS also enables you to approve updates for detection only, so that you can see what computers will require a particular update without having to install the update. Based on network security and configuration, the administrator can determine how many other servers connect directly to Microsoft Update.
Windows Update is also the name of a service that runs on Windows computers and detects, downloads, and installs updates. Note This article assumes that you already use and are familiar with Group Policy. Note If the Configure Automatic Updates policy setting is set to Disabled, this policy has no effect.
Note If the Configure Automatic Updates policy setting is disabled or is not configured, this policy setting has no effect. Note Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft. Note This policy is not supported on Windows RT.
Note If the No auto-restart with logged on users for scheduled automatic updates installations policy setting is enabled, this policy has no effect. Note The Specify intranet Microsoft update service location setting must be enabled for this policy to have effect.
Note This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. Note This policy applies only when the computer is configured to connect to an intranet update service by using the Specify intranet Microsoft update service location policy setting. Note This policy applies only when this computer is configured to support the specified target group names in WSUS. Important This policy applies only when Automatic Updates is configured to perform scheduled installations of updates.
Note This setting is related to option 4 in Configure Automatic Updates. Note If the operating computer's power-wake policy is explicitly disabled, this setting has no effect. Note By default, unless otherwise noted, these settings are not configured. Note To perform these procedures, you must be a member of the Domain Admins group or its equivalent.
Windows operating systems that are still within their Microsoft Product Support Lifecycle. Specifies that updates are not immediately installed. Local administrators can change this setting by using the Local Group Policy Editor.
Specifies that Automatic Updates immediately installs updates after they're downloaded and ready to install. Specifies that users will always see an Account Control window and require elevated permissions to do these tasks. A local administrator can change this setting by using the Local Group Policy Editor.
Specifies that Windows Automatic Update and Microsoft Update will include non-administrators when determining which signed-in user will receive update notifications. Non-administrative users will be able to install all optional, recommended, and important update content for which they received a notification. Users won't see a User Account Control window. Users don't need elevated permissions to install these updates, except in the case of updates that contain changes to the user interface, Microsoft Software License Terms, or Windows Update settings.
Specifies that only logged-on administrators receive update notifications. Specifies that updates from an intranet Microsoft update service location must be signed by Microsoft. Specifies that Automatic Updates accepts updates received through an intranet Microsoft update service location if they're signed by a certificate found in the local computer's Trusted Publishers certificate store. Specifies that a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the sign-in screen for at least two days.
Specifies that the use of automatic updates is not specified at the Group Policy level. However, a computer administrator can still configure automatic updates in Control Panel. Specifies that Windows recognizes when the computer is online and uses its internet connection to search Windows Update for available updates. Specifies that any client updates that are available from the public Windows Update service must be manually downloaded from the internet and installed.
Specifies that after updates are installed, the default wait time of 15 minutes will elapse before any scheduled restart occurs. Specifies that when the installation is finished, a scheduled restart will occur after the specified number of minutes has expired.
Specifies that Install Updates and Shut Down will be the default option in the Shut Down Windows dialog if updates are available for installation at the time the user selects the Shut Down option to shut down the computer. If you enable this policy setting, the user's last shutdown choice for example, Hibernate or Restart is the default option in the Shut Down Windows dialog, regardless of whether the Install Updates and Shut Down option is available on the What do you want the computer to do? Starting with Windows Server R2, Windows 8.
Specifies that computers can retrieve information from public update services such as Windows Update and the Microsoft Store. Specifies that Windows will no longer connect to public update services such as Windows Update or the Microsoft Store.
This will cause most functionality of the Microsoft Store app to stop working. Specifies that the Install Updates and Shut Down option is available in the Shut Down Windows dialog if updates are available when the user selects the Shut Down option to shut down the computer.
Specify the character encodings supported by the search provider. They are tried in the order provided. Starting in Microsoft Edge 84, you can set this policy as a recommended policy. If the user has already set a default search provider, the default search provider configured by this recommended policy will not be added to the list of search providers the user can choose from. If this is the desired behavior, use the ManagedSearchEngines policy.
Specifies the URL to the search engine used for image search. Search requests are sent using the GET method. If you enable this policy, it specifies the parameters used when an image search that uses POST is performed.
Specifies the keyword, which is the shortcut used in the Address Bar to trigger the search for this provider. If you don't enable this policy or if you leave it empty, the host name specified by the search URL is used. Specifies the URL of the search engine used for a default search.
This policy is required when you enable the DefaultSearchProviderEnabled policy; if you don't enable the latter policy, this policy is ignored. Specifies the URL for the search engine used to provide search suggestions. This policy is optional. If you don't configure it, users won't see search suggestions; they will see suggestions from their browsing history and favorites. You can configure the new tab page search box to use "Search box Recommended " or "Address bar" to search on new tabs.
Configures users' ability to override the state of feature flags. External extensions and their installation are documented at Alternate extension distribution methods. Setting the policy controls which apps and extensions may be installed in Microsoft Edge, which hosts they can interact with, and limits runtime access. If you don't set this policy, there aren't any restrictions on acceptable extension and app types. Extensions and apps which have a type that's not on the list won't be installed.
Each value should be one of these strings:. Note: This policy also affects extensions and apps to be force-installed using ExtensionInstallForcelist. By default, all extensions are allowed. However, if you prohibited extensions by policy, you can use the list of allowed extensions to change that policy. Extensions already installed will be disabled if blocked, without a way for the user to enable them. After a disabled extension is removed from the blocklist it will automatically get re-enabled.
Set this policy to specify a list of apps and extensions that install silently, without user interaction. Users can't uninstall or turn off this setting. Permissions are granted implicitly, including the enterprise. Note: These 2 APIs aren't available to apps and extensions that aren't force-installed. If you don't set this policy, no apps or extensions are autoinstalled and users can uninstall any app in Microsoft Edge.
This policy supersedes ExtensionInstallBlocklist policy. If a previously force-installed app or extension is removed from this list, Microsoft Edge automatically uninstalls it. For Windows instances not joined to a Microsoft Active Directory domain, forced installation is limited to apps and extensions listed in the Microsoft Edge Add-ons website.
The source code of any extension can be altered by users with developer tools, potentially rendering the extension nonfunctional.
If this is a concern, configure the DeveloperToolsDisabled policy. Each list item of the policy is a string that contains an extension ID and, optionally, an "update" URL separated by a semicolon ;. The "update" URL set in this policy is only used for the initial installation; subsequent updates of the extension use the update URL in the extension's manifest.
Note: This policy doesn't apply to InPrivate mode. Read about hosting extensions at Publish and update extensions in the Microsoft Edge Add-ons website. Users can easily install items from any URL that matches an item in this list. Do not host the files at a location that requires authentication.
The ExtensionInstallBlocklist policy takes precedence over this policy. Any extension that's on the block list won't be installed, even if it comes from a site on this list.
Setting this policy controls extension management settings for Microsoft Edge, including any controlled by existing extension-related policies. This policy supersedes any legacy policies that might be set. Note: For Windows instances not joined to a Microsoft Active Directory domain, forced installation is limited to apps and extensions listed in the Microsoft Edge Add-ons website.
Typically, this is disabled as a phishing defense. If you don't configure this policy, it's disabled and third-party images can't show an authentication prompt. If you don't configure this policy Microsoft Edge won't delegate user credentials even if a server is detected as Intranet. You can configure the policy by using these values: 'basic', 'digest', 'ntlm', and 'negotiate'. Separate multiple values with commas. Specifies which servers to enable for integrated authentication.
Integrated authentication is only enabled when Microsoft Edge receives an authentication challenge from a proxy or from a server in this list. If you don't configure this policy, Microsoft Edge tries to detect if a server is on the intranet - only then will it respond to IWA requests. If you enable this policy or leave it unset, Basic authentication challenges received over non-secure HTTP will be allowed.
This policy setting is ignored and Basic is always forbidden if the AuthSchemes policy is set and does not include Basic. If you disable this policy or don't configure it, the canonical name of the server is used. If you enable this policy, and a user includes a non-standard port a port other than 80 or in a URL, that port is included in the generated Kerberos SPN. If you don't configure or disable this policy, the generated Kerberos SPN won't include a port in any case.
You should only disable NTLMv2 to address issues with backwards compatibility as it reduces the security of authentication. If you disable this policy, a basic username and password prompt will be used to respond to NTLM and Negotiate challenges. If you enable or don't configure this policy, Windows Credential UI will be used.
If you have configured the BrowserSignin policy to 'Disable browser sign-in', this policy will not take any effect. If you enable or don't configure this setting, implicit sign-in will be enabled, Edge will attempt to sign the user into their profile based on what and how they sign in to their OS.
This policy allows users to decide whether to use the OneAuth library for sign-in and token fetch in Microsoft Edge on Windows 10 RS3 and above. If you disable or don't configure this policy, the sign-in process will use Windows Account Manager.
Microsoft Edge would be able to use accounts you logged in to Windows, Microsoft Office, or other Microsoft applications for login, without needing a password. Or you can provide a valid account and password to sign in, which will be stored in Windows Account Manager for future usage. If you enable this policy, OneAuth authentication flow will be used for account sign-in.
The OneAuth authentication flow has fewer dependencies and can work without Windows shell. The account you use would not be stored in the Email and accounts page. This policy will only take effect on Windows 10 RS3 and above. Configure this policy to decide whether only on-premises accounts are enabled for implicit sign-in. If you enable this policy, only on-premises accounts will be enabled for implicit sign-in.
Upgrade from on-premises accounts to AAD accounts will be stopped as well. If you disable or don't configure this policy, all accounts will be enabled for implicit sign-in. Note that if this policy is enabled, then previous sign-in sessions which used OneAuth by default cannot be used. Please sign out of those profiles. This policy only applies to Microsoft Edge kiosk mode while using the public browsing experience.
If you enable this policy, files downloaded as part of the kiosk session are deleted each time Microsoft Edge closes. If you disable this policy or don't configure it, files downloaded as part of the kiosk session are not deleted when Microsoft Edge closes. Allows the Microsoft Edge browser to retrieve policies from the Intune application management services and apply them to users' profiles. Setting the policy specifies which native messaging hosts aren't subject to the deny list. All native messaging hosts are allowed by default.
However, if a native messaging host is denied by policy, the admin can use the allow list to change that policy. Setting this policy specifies which native messaging hosts shouldn't be loaded.
If you set this policy to Enabled or leave it unset, Microsoft Edge can use native messaging hosts installed at the user level. If you set this policy to Disabled, Microsoft Edge can only use these hosts if they're installed at the system level. If you enable or don't configure this policy, then Password Generator will offer users a strong and unique password suggestion via a dropdown on Signup and Change Password pages.
If you disable this policy, users will no longer see strong password suggestions on Signup or Change Password pages. If you enable this policy, users can save their passwords in Microsoft Edge.
The next time they visit the site, Microsoft Edge will enter the password automatically. If you disable this policy, users can't save new passwords, but they can still use previously saved passwords. If you enable or disable this policy, users can't change or override it in Microsoft Edge. If you don't configure it, users can save passwords, as well as turn this feature off. If you enable this policy and a user consents to enabling the policy, the user will get alerted if any of their passwords stored in Microsoft Edge are found to be unsafe.
If you disable this policy, users will not be asked for permission to enable this feature. Their passwords will not be scanned and they will not be alerted either. This policy can be set as both Recommended as well as Mandatory, however with an important callout. Mandatory enabled: Given that individual user consent is a pre-condition to enabling this feature for a given user, this policy does not have a Mandatory enabled setting. Example Error state message: "This policy value is ignored because Password Monitor requires the consent of the individual user for it to be turned on.
Recommended enabled: If the policy is set to Recommended enabled, the UI in Settings will remain in 'Off' state, but a briefcase icon will be made visible next to it with this description displayed on hover - "Your organization recommends a specific value for this setting and you have chosen a different value".
Mandatory and Recommended disabled: Both these states will work the normal way, with the usual captions being shown to users. Password protection service will send users to this URL to change their password after seeing a warning in the browser.
If you enable this policy, then password protection service sends users to this URL to change their password. If you disable this policy or don't configure it, then password protection service will not redirect users to a change password URL.
If you enable this policy, the password protection service captures fingerprints of passwords on the defined URLs. Allows you to control when to trigger password protection warning. Password protection alerts users when they reuse their protected password on potentially suspicious sites. Set to 'PasswordProtectionWarningOnPasswordReuse' to show password protection warnings when the user reuses their protected password on a non-allowlisted site. Lets you configure the default display of the browser password reveal button for password input fields on websites.
If you enable or don't configure this policy, the browser user setting defaults to displaying the password reveal button. This policy only affects the browser password reveal button, it doesn't affect websites' custom reveal buttons. The feature helps users add an additional layer of privacy to their online accounts by requiring device authentication as a way of confirming the user's identity before the saved password is auto-filled into a web form. This ensures that non-authorized persons can't use saved passwords for autofill.
This group policy configures the radio button selector that enables this feature for users. It also has a frequency control where users can specify how often they would like to be prompted for authentication. If you set this policy to 'Automatically', disable this policy, or don't configure this policy, autofill will not have any authentication flow.
If you set this policy to 'With device password', then users will need to enter their device password or preferred mode of authentication under Windows Hello if on Windows - PIN, face recognition or fingerprint and equivalent options on mac to prove their identity, and only then will their password get auto-filled.
Also, the frequency for the authentication prompt would be set to 'Always' by default; however, users can change it to the other option as well, which is 'Once every browsing session'. This policy setting lets you configure when efficiency mode will become active. By default, efficiency mode will be active when the device is unplugged and the battery is low.
On devices with no battery, the default is for efficiency mode to never become active. Set this policy to 'ActiveWhenUnplugged' and efficiency mode will become active when the device is unplugged.
If the device does not have a battery, efficiency mode will never become active. Set this policy to 'ActiveWhenUnpluggedBatteryLow' and efficiency mode will become active when the device is unplugged and the battery is low. Allows Microsoft Edge processes to start at OS sign-in and restart in background after the last browser window is closed. If Microsoft Edge is running in background mode, the browser might not close when the last window is closed and the browser won't be restarted in background when the window closes.
See the BackgroundModeEnabled policy for information about what happens after configuring Microsoft Edge background mode behavior. If you don't configure this policy, startup boost may initially be off or on. Setting the policy lets you set a list of URL patterns that can capture tabs with their same Origin. Leaving the policy unset means that sites will not be considered for an override at this scope of capture.
This policy only matches based on origin, so any path in the URL pattern is ignored. Leaving the policy unset means that sites will not be considered for an override at this scope of Capture. Overrides Microsoft Edge default printer selection rules. This policy determines the rules for selecting the default printer in Microsoft Edge, which happens the first time a user tries to print a page. When this policy is set, Microsoft Edge tries to find a printer that matches all of the specified attributes and uses it as default printer.
If there are multiple printers that meet the criteria, the first printer that matches is used. If you don't configure this policy or no matching printers are found within the timeout, the printer defaults to the built-in PDF printer or no printer, if the PDF printer isn't available.
Omitting a field means all values match; for example, if you don't specify connectivity, Print Preview starts discovering all kinds of local printers. Regular expression patterns must follow the JavaScript RegExp syntax and matches are case sensitive.
When printing to a PostScript printer on Microsoft Windows, different PostScript generation methods can affect printing performance. If you set this policy to Default, Microsoft Edge will use a set of default options when generating PostScript.
For text in particular, text will always be rendered using Type 3 fonts. If you set this policy to Type42, Microsoft Edge will render text using Type 42 fonts if possible. This should increase printing speed for some PostScript printers. Tells Microsoft Edge to use the system default printer as the default choice in Print Preview instead of the most recently used printer.
If you disable this policy or don't configure it, Print Preview uses the most recently used printer as the default destination choice. If you enable this policy, Print Preview uses the OS system default printer as the default destination choice. When printing to a non-PostScript printer on Windows, sometimes print jobs need to be rasterized to print correctly.
If you set this policy to 'Full' or don't configure it, Microsoft Edge will do full page rasterization if necessary. If you set this policy to 'Fast', Microsoft Edge will reduce the amount of rasterization which can help reduce print job sizes and increase printing speed.
When printing a PDF using the Print to image option, it can be beneficial to specify a print resolution other than a device's printer setting or the PDF default. A high resolution will significantly increase the processing and printing time while a low resolution can lead to poor imaging quality. If you set this policy, it allows a particular resolution to be specified for use when rasterizing PDFs for printing.
If you set this policy to zero or don't configure it, the system default resolution will be used during rasterization of page images.
Placing all printer types on the deny list effectively disables printing, because there's no print destination for documents. If you don't configure this policy, or the printer list is empty, all printer types are discoverable. Printer destinations include extension printers and local printers.
Extension printers are also known as print provider destinations, and include any destination that belongs to a Microsoft Edge extension.
Local printers are also known as native printing destinations, and include destinations available to the local machine and shared network printers. In Microsoft version 93 or later, if you set this policy to 'pdf' it also disables the 'save as Pdf' option from the right click context menu. Restricts background graphics printing mode. If this policy isn't set there's no restriction on printing background graphics. Overrides the last used setting for printing background graphics.
If you enable this setting, background graphics printing is enabled. If you disable this setting, background graphics printing is disabled. If you disable this policy, users can't print from Microsoft Edge. Printing is disabled in the wrench menu, extensions, JavaScript applications, and so on. Users can still print from plug-ins that bypass Microsoft Edge while printing. For example, certain Adobe Flash applications have the print option in their context menu, which isn't covered by this policy.
It describes the desired height and width in micrometers. Policy that violates these rules is ignored. If you disable or don't configure this policy, users can decide whether to print webpages in Portrait or Landscape layout.
If you enable this policy, Microsoft Edge opens the system print dialog instead of the built-in print preview when a user prints a page. If you don't configure or disable this policy, print commands trigger the Microsoft Edge print preview screen.
Controls whether insecure websites are allowed to make requests to more-private network endpoints. This policy relates to the Private Network Access specification. Otherwise, it will be treated as an insecure context. When this policy is either not set or set to false, the default behavior for requests from insecure contexts to more-private network endpoints will depend on the user's personal configuration for the BlockInsecurePrivateNetworkRequests feature, which may be set by a field trial or on the command line.
When this policy is set to true, insecure websites are allowed to make requests to any network endpoint, subject to other cross-origin checks. List of URL patterns. Private network requests initiated from insecure websites served by matching origins are allowed.
For origins not covered by the patterns specified here, the global default value will be used either from the InsecurePrivateNetworkRequestsAllowed policy, if it is set, or the user's personal configuration otherwise.
Note that this policy only affects insecure origins, so secure origins e. It is currently supported but will become obsolete in a future release. This policy is deprecated, use ProxySettings instead.
It won't work in Microsoft Edge version If you selected any other mode for configuring proxy policies, don't enable or configure this policy. If you enable this policy, you can create a list of hosts for which Microsoft Edge doesn't use a proxy.
If you don't configure this policy, no list of hosts is created for which Microsoft Edge bypasses a proxy. Leave this policy unconfigured if you've specified any other method for setting proxy policies. If you set this policy to Enabled you can specify the proxy server Microsoft Edge uses and prevents users from changing proxy settings. Microsoft Edge ignores all proxy-related options specified from the command line. The policy is only applied if the ProxySettings policy isn't specified.
If you enable this policy, you can specify the URL for a PAC file, which defines how the browser automatically chooses the appropriate proxy server for fetching a particular website.
If you disable or don't configure this policy, no PAC file is specified. If you disable or don't configure this policy, users can choose their own proxy settings while in this proxy mode. If you enable this policy, Microsoft Edge ignores all proxy-related options specified from the command line. Setting the ProxySettings policy accepts the following fields:. Define a list of sites, based on URL patterns, that are not allowed to be put to sleep by sleeping tabs.
If the policy SleepingTabsEnabled is disabled, this list is not used and no sites will be put to sleep automatically. If you don't configure this policy, all sites will be eligible to be put to sleep unless the user's personal configuration blocks them. This policy setting lets you configure whether to turn on sleeping tabs. Sleeping tabs reduces CPU, battery, and memory usage by putting idle background tabs to sleep.
Microsoft Edge uses heuristics to avoid putting tabs to sleep that do useful work in the background, such as display notifications, play sound, and stream video. By default, sleeping tabs is turned on. Individual sites may be blocked from being put to sleep by configuring the policy SleepingTabsBlockedForUrls. This policy setting lets you configure the timeout, in seconds, after which inactive background tabs will be automatically put to sleep if sleeping tabs is enabled.
By default, this timeout is 7, seconds 2 hours. Tabs are only put to sleep automatically when the policy SleepingTabsEnabled is enabled or is not configured and the user has enabled the sleeping tabs setting.
If you disable or don't configure this policy, Microsoft Edge will continue using the SmartScreen implementation from old library libSmartScreen. This temporary policy was created to support the update of a new SmartScreen client. This policy will be deprecated and removed along with the legacy client.
This policy setting lets you decide whether users can override the Microsoft Defender SmartScreen warnings about potentially malicious websites. If you enable this setting, users can't ignore Microsoft Defender SmartScreen warnings and they are blocked from continuing to the site.
If you disable or don't configure this setting, users can ignore Microsoft Defender SmartScreen warnings and continue to the site.