diff --git a/src/vs/workbench/browser/workbench.contribution.ts b/src/vs/workbench/browser/workbench.contribution.ts
index e0c12723d33..98d32c500de 100644
--- a/src/vs/workbench/browser/workbench.contribution.ts
+++ b/src/vs/workbench/browser/workbench.contribution.ts
@@ -7,7 +7,7 @@ import { Registry } from 'vs/platform/registry/common/platform';
 import { localize } from 'vs/nls';
 import { IConfigurationRegistry, Extensions as ConfigurationExtensions, ConfigurationScope } from 'vs/platform/configuration/common/configurationRegistry';
 import { isMacintosh, isWindows, isLinux, isWeb, isNative } from 'vs/base/common/platform';
-import { ConfigurationMigrationWorkbenchContribution, securityConfigurationNodeBase, workbenchConfigurationNodeBase } from 'vs/workbench/common/configuration';
+import { ConfigurationMigrationWorkbenchContribution, DynamicWorkbenchConfigurationWorkbenchContribution, workbenchConfigurationNodeBase } from 'vs/workbench/common/configuration';
 import { isStandalone } from 'vs/base/browser/browser';
 import { IWorkbenchContributionsRegistry, Extensions as WorkbenchExtensions } from 'vs/workbench/common/contributions';
 import { LifecyclePhase } from 'vs/workbench/services/lifecycle/common/lifecycle';
@@ -20,6 +20,9 @@ const registry = Registry.as<IConfigurationRegistry>(ConfigurationExtensions.Con
 	// Migration support
 	Registry.as<IWorkbenchContributionsRegistry>(WorkbenchExtensions.Workbench).registerWorkbenchContribution(ConfigurationMigrationWorkbenchContribution, LifecyclePhase.Eventually);
 
+	// Dynamic Configuration
+	Registry.as<IWorkbenchContributionsRegistry>(WorkbenchExtensions.Workbench).registerWorkbenchContribution(DynamicWorkbenchConfigurationWorkbenchContribution, LifecyclePhase.Ready);
+
 	// Workbench
 	registry.registerConfiguration({
 		...workbenchConfigurationNodeBase,
@@ -709,30 +712,4 @@ const registry = Registry.as<IConfigurationRegistry>(ConfigurationExtensions.Con
 			}
 		}
 	});
-
-	// Security
-	registry.registerConfiguration({
-		...securityConfigurationNodeBase,
-		'properties': {
-			'security.allowedUNCHosts': {
-				'type': 'array',
-				'items': {
-					'type': 'string',
-					'pattern': '^[^\\\\]+$',
-					'patternErrorMessage': localize('security.allowedUNCHosts.patternErrorMessage', 'UNC host names must not contain backslashes.')
-				},
-				'default': [],
-				'markdownDescription': localize('security.allowedUNCHosts', 'A set of UNC host names (without leading or trailing backslash, for example `192.168.0.1` or `my-server`) to allow without user confirmation. If a UNC host is being accessed that is not allowed via this setting or has not been acknowledged via user confirmation, an error will occur and the operation stopped. A restart is required when changing this setting. Find out more about this setting at https://aka.ms/vscode-windows-unc.'),
-				'included': isWeb ? true /* web maybe connected to a windows machine */ : isWindows,
-				'scope': ConfigurationScope.MACHINE
-			},
-			'security.restrictUNCAccess': {
-				'type': 'boolean',
-				'default': true,
-				'markdownDescription': localize('security.restrictUNCAccess', 'If enabled, only allows access to UNC host names that are allowed by the `#security.allowedUNCHosts#` setting or after user confirmation. Find out more about this setting at https://aka.ms/vscode-windows-unc.'),
-				'included': isWeb ? true /* web maybe connected to a windows machine */ : isWindows,
-				'scope': ConfigurationScope.MACHINE
-			}
-		}
-	});
 })();
diff --git a/src/vs/workbench/common/configuration.ts b/src/vs/workbench/common/configuration.ts
index abc42742dd9..7efd6138cd8 100644
--- a/src/vs/workbench/common/configuration.ts
+++ b/src/vs/workbench/common/configuration.ts
@@ -4,13 +4,15 @@
  *--------------------------------------------------------------------------------------------*/
 
 import { localize } from 'vs/nls';
-import { ConfigurationScope, IConfigurationNode } from 'vs/platform/configuration/common/configurationRegistry';
+import { ConfigurationScope, IConfigurationNode, IConfigurationRegistry, Extensions as ConfigurationExtensions } from 'vs/platform/configuration/common/configurationRegistry';
 import { Registry } from 'vs/platform/registry/common/platform';
 import { IWorkbenchContribution } from 'vs/workbench/common/contributions';
 import { IWorkspaceContextService, IWorkspaceFolder } from 'vs/platform/workspace/common/workspace';
 import { ConfigurationTarget, IConfigurationOverrides, IConfigurationService, IConfigurationValue } from 'vs/platform/configuration/common/configuration';
 import { Disposable } from 'vs/base/common/lifecycle';
 import { Emitter } from 'vs/base/common/event';
+import { IRemoteAgentService } from 'vs/workbench/services/remote/common/remoteAgentService';
+import { OperatingSystem, isWindows } from 'vs/base/common/platform';
 
 export const applicationConfigurationNodeBase = Object.freeze<IConfigurationNode>({
 	'id': 'application',
@@ -118,3 +120,46 @@ export class ConfigurationMigrationWorkbenchContribution extends Disposable impl
 		await Promise.allSettled(keyValuePairs.map(async ([key, value]) => this.configurationService.updateValue(key, value.value, overrides, target)));
 	}
 }
+
+export class DynamicWorkbenchConfigurationWorkbenchContribution extends Disposable implements IWorkbenchContribution {
+
+	constructor(
+		@IRemoteAgentService remoteAgentService: IRemoteAgentService
+	) {
+		super();
+
+		(async () => {
+			if (!isWindows) {
+				const remoteEnvironment = await remoteAgentService.getEnvironment();
+				if (remoteEnvironment?.os !== OperatingSystem.Windows) {
+					return;
+				}
+			}
+
+			// Windows: UNC allow list security configuration
+			const registry = Registry.as<IConfigurationRegistry>(ConfigurationExtensions.Configuration);
+			registry.registerConfiguration({
+				...securityConfigurationNodeBase,
+				'properties': {
+					'security.allowedUNCHosts': {
+						'type': 'array',
+						'items': {
+							'type': 'string',
+							'pattern': '^[^\\\\]+$',
+							'patternErrorMessage': localize('security.allowedUNCHosts.patternErrorMessage', 'UNC host names must not contain backslashes.')
+						},
+						'default': [],
+						'markdownDescription': localize('security.allowedUNCHosts', 'A set of UNC host names (without leading or trailing backslash, for example `192.168.0.1` or `my-server`) to allow without user confirmation. If a UNC host is being accessed that is not allowed via this setting or has not been acknowledged via user confirmation, an error will occur and the operation stopped. A restart is required when changing this setting. Find out more about this setting at https://aka.ms/vscode-windows-unc.'),
+						'scope': ConfigurationScope.MACHINE
+					},
+					'security.restrictUNCAccess': {
+						'type': 'boolean',
+						'default': true,
+						'markdownDescription': localize('security.restrictUNCAccess', 'If enabled, only allows access to UNC host names that are allowed by the `#security.allowedUNCHosts#` setting or after user confirmation. Find out more about this setting at https://aka.ms/vscode-windows-unc.'),
+						'scope': ConfigurationScope.MACHINE
+					}
+				}
+			});
+		})();
+	}
+}