Policy
Allow only per user or approved shell extensions
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows2000, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2003, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista, WindowsXP
This setting is designed to ensure that shell extensions can operate on a per-user basis. If you enable this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not impact other users of the machine. A shell extension only runs if there is an entry in at least one of the following locations in registry. For shell extensions that have been approved by the administrator and are available to all users of the computer, there must be an entry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. For shell extensions to run on a per-user basis, there must be an entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved.
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\EnforceShellExtensionSecurity | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
This policy has no additional user input fields.
Other policies in this category
Explore related policies at the same level.
- ComputerAllow the use of remote paths in file shortcut iconsAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerConfigure Windows Defender SmartScreenAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerDisable binding directly to IPropertySetStorage without intermediate layers.At least Windows Vista
- UserDisable binding directly to IPropertySetStorage without intermediate layers.At least Windows Vista
- UserDisable Known FoldersAt least Windows Server 2008 R2 or Windows 7
- UserDisplay confirmation dialog when deleting filesAt least Windows Server 2003 operating systems or Windows XP Professional
- UserDisplay the menu bar in File ExplorerAt least Windows Vista
- UserDo not allow Folder Options to be opened from the Options button on the View tab of the ribbonAt least Windows 2000
- ComputerDo not apply the Mark of the Web tag to files copied from insecure sourcesAt least Windows Server 2012, Windows 8 or Windows RT
- UserDo not display the Welcome Center at user logonWindows Vista only
- UserDo not move deleted files to the Recycle BinAt least Windows Server 2003 operating systems or Windows XP Professional
- ComputerDo not reinitialize a pre-existing roamed user profile when it is loaded on a machine for the first timeAt least Windows Server 2012, Windows 8 or Windows RT