Do not allow the BITS client to use Windows Branch

6to4 Relay Name

This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host.

If you enable this policy setting, you can specify a relay name for a 6to4 host.

If you disable or do not configure this policy setting, the local host setting is used, and you cannot specify a relay name for a 6to4 host.

=== Detailed values: === text: Id: RouterNameBox; ValueName: 6to4_RouterName

Go to GPS

6to4 Relay Name Resolution Interval

This policy setting allows you to specify the interval at which the relay name is resolved. The

6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host.

If you enable this policy setting, you can specify the value for the duration at which the relay name is resolved periodically.

If you disable or do not configure this policy setting, the local host setting is used.

=== Detailed values: === decimal: Id: RouterNameResolutionIntervalBox; ValueName:

6to4_RouterNameResolutionInterval

Go to GPS

6to4 State

This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between

IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix:

2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global

IPv4 address (w.x.y.z) assigned to a site.


If you enable this policy setting, you will be able to configure 6to4 with one of the following settings:

Policy Default State: 6to4 is enabled if the host has only link-local IPv6 connectivity and a public IPv4 address. If no global IPv6 address is present and no global IPv4 address is present, the host will not have a 6to4 interface. If no global IPv6 address is present and a global IPv4 address is present, the host will have a 6to4 interface.

Policy Enabled State: If a global IPv4 address is present, the host will have a 6to4 interface. If no global IPv4 address is present, the host will not have a 6to4 interface.

Policy Disabled State: 6to4 is turned off and connectivity with 6to4 will not be available.

=== Detailed values: === enum: Id: StateSelect; ValueName: 6to4_State item: value item: value item: value

Go to GPS

Add Search Internet link to Start Menu

If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms.

If you disable this policy, there will not be a "Search the Internet" link when the user performs a search in the start menu search box.

If you do not configure this policy (default), there will not be a "Search the Internet" link on the start menu.

Go to GPS

Allow access to BitLocker-protected fixed data drives from earlier versions of Windows

This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows

Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems.

If this policy setting is enabled or not configured, fixed data drives formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista,

Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

When this policy setting is enabled, select the "Do not install BitLocker To Go Reader on

FAT formatted fixed drives" check box to help prevent users from running BitLocker To Go

Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the "Provide unique identifiers for your organization" policy setting, the user will be prompted to update BitLocker and BitLocker To Go Reader will be deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or

Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Server 2008, Windows

Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go

Reader installed.

If this policy setting is disabled, fixed data drives formatted with the FAT file system that are

BitLocker-protected cannot be unlocked on computers running Windows Server 2008,

Windows Vista, Windows XP with SP3, or Windows XP with SP2. Bitlockertogo.exe will not be installed.

Note: This policy setting does not apply to drives that are formatted with the NTFS file system.

=== Detailed values: === boolean: Id: FDVNoBitLockerToGoReader_Name; ValueName:

FDVNoBitLockerToGoReader trueValue: decimal: 1 falseValue: decimal: 0

Go to GPS

Allow access to BitLocker-protected removable data drives from earlier versions of Windows

This policy setting configures whether or not removable data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008,

Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack

2 (SP2) operating systems.

If this policy setting is enabled or not configured, removable data drives formatted with the

FAT file system can be unlocked on computers running Windows Server 2008, Windows

Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed.

These operating systems have read-only access to BitLocker-protected drives.

When this policy setting is enabled, select the "Do not install BitLocker To Go Reader on

FAT formatted removable drives" check box to help prevent users from running BitLocker To

Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the "Provide unique identifiers for your organization" policy setting, the user will be prompted to update BitLocker and BitLocker To Go Reader will be deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or

Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Server 2008, Windows

Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go

Reader installed.

If this policy setting is disabled, removable data drives formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Server

2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2. Bitlockertogo.exe will not be installed.

Note: This policy setting does not apply to drives that are formatted with the NTFS file system.

=== Detailed values: === boolean: Id: RDVNoBitLockerToGoReader_Name; ValueName:

RDVNoBitLockerToGoReader trueValue: decimal: 1 falseValue: decimal: 0

Go to GPS

Allow Applications to Prevent Automatic Sleep (On

Battery)

Allow applications and services to prevent automatic sleep.

If you enable this policy setting, any application, service or device driver may prevent

Windows from automatically transitioning to sleep after a period of user inactivity.

If you disable this policy setting, applications, services or drivers may not prevent Windows from automatically transitioning to sleep. Only user input will be used to determine if

Windows should automatically sleep.

Go to GPS

Allow Applications to Prevent Automatic Sleep (Plugged

In)

Allow applications and services to prevent automatic sleep.

If you enable this policy setting, any application, service or device driver may prevent

Windows from automatically transitioning to sleep after a period of user inactivity.

If you disable this policy setting, applications, services or drivers may not prevent Windows from automatically transitioning to sleep. Only user input will be used to determine if

Windows should automatically sleep.

Go to GPS

Allow Automatic Sleep with Open Network Files (On

Battery)

Allow Automatic Sleep with Open Network Files.

If you enable this policy setting, the computer will automatically sleep when network files are open.

If you disable this policy setting, the computer will not automatically sleep when network files are open.

Go to GPS

Allow Automatic Sleep with Open Network Files (Plugged

In)

Allow Automatic Sleep with Open Network Files.

If you enable this policy setting, the computer will automatically sleep when network files are open.

If you disable this policy setting, the computer will not automatically sleep when network files are open.

Go to GPS

Allow desktop composition for remote desktop sessions

This policy setting allows you to specify whether desktop composition is allowed for remote desktop sessions. This policy setting does not apply to RemoteApp sessions.

Desktop composition provides the user interface elements of Windows Aero, such as translucent windows, for remote desktop sessions. Because Windows Aero requires additional system and bandwidth resources, allowing desktop composition for remote desktop sessions can reduce connection performance, particularly over slow links, and increase the load on the remote computer.

If you enable this policy setting, desktop composition will be allowed for remote desktop sessions. On the client computer, you can configure desktop composition on the Experience tab in Remote Desktop Connection (RDC) or by using the "allow desktop composition" setting in a Remote Desktop Protocol (.rdp) file. In addition, the client computer must have the necessary hardware to support Windows Aero features.

Note: Additional configuration might be necessary on the remote computer to make Windows

Aero features available for remote desktop sessions. For example, the Desktop Experience feature must be installed on the remote computer, and the maximum color depth on the remote computer must be set to 32 bits per pixel. Also, the Themes service must be started on the remote computer.

If you disable or do not configure this policy setting, desktop composition is not allowed for remote desktop sessions, even if desktop composition is enabled in RDC or in the .rdp file.

Go to GPS

Allow domain users to log on using biometrics

This policy setting determines whether domain users can log on or elevate User Account

Control (UAC) permissions using biometrics.

By default, domain users cannot use biometrics to log on. If you enable this policy setting, domain users can log on to a Windows-based computer using biometrics. Depending on the biometrics you use, enabling this policy setting can reduce the security of users who use biometrics to log on.

If you disable or do not configure this policy setting, domain users will not be able to log on to a Windows-based computer using biometrics.

Note: Users who log on using biometrics should create a password-recovery disk; this will prevent data loss in the event that someone forgets their logon credentials.

Go to GPS

Allow ECC certificates to be used for logon and authentication

This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain.

If you enable this policy setting, ECC certificates on a smart card can be used to log on to a domain.

If you disable or do not configure this policy setting, ECC certificates on a smart card cannot be used to log on to a domain.

Note: This policy setting only affects a userÂ´s ability to log on to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting.

Note: If you use an ECDSA key to log on, you must also have an associated ECDH key to permit logons when you are not connected to the network.

Go to GPS

Allow enhanced PINs for startup

This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker.

Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker.

If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs.

Note: Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup.

If you disable or do not configure this policy setting, enhanced PINs will not be used.

Go to GPS

Allow Enhanced Storage certificate provisioning

This policy setting configures whether or not users can provision certificates on Enhanced

Storage certificate silo devices.

If you enable this policy setting, users can provision certificates on Enhanced Storage certificate silo devices.

If you disable or do not configure this policy setting, users cannot provision certificates on

Enhanced Storage certificate silo devices.

Go to GPS

Allow only USB root hub connected Enhanced Storage devices

This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device.

If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed.

If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed.

Go to GPS

Allow OpenSearch queries in Windows Explorer

This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in Windows Explorer. Search Connectors allow rich searching of remote sources from within Windows Explorer. Search results will be returned in

Windows Explorer and can be acted upon like local files.

If you enable this policy setting, users can perform OpenSearch queries in this zone using

Search Connectors.

If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.

If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.

Go to GPS





Search Connectors.



Go to GPS





Search Connectors.



Go to GPS





Search Connectors.



Go to GPS





Search Connectors.


If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors.

Go to GPS





Search Connectors.



Go to GPS





Search Connectors.



Go to GPS


This policy setting allows you to manage whether OpenSearch queries in this zone can be

performed using Search Connectors in Windows Explorer. Search Connectors allow rich searching of remote sources from within Windows Explorer. Search results will be returned in



Search Connectors.



Go to GPS





Search Connectors.



Go to GPS





Search Connectors.


If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors.

Go to GPS

Allow previewing and custom thumbnails of OpenSearch query results in Windows Explorer

This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in Windows Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors

(which allow rich searching of remote sources from within the Windows Explorer), it might affect other items as well that are marked from this zone. For example, some applicationspecific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in Windows Explorer will be affected. MAPI items reside in the

Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in Windows Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item.

If you enable this policy setting, users can preview items and get custom thumbnails from

OpenSearch query results in this zone using Windows Explorer.

If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using Windows Explorer.

If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using Windows Explorer.

Changes to this setting may not be applied until the user logs off from Windows.

Go to GPS










Go to GPS










Go to GPS










Go to GPS








If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using Windows Explorer.


Go to GPS










Go to GPS










Go to GPS










Go to GPS










Go to GPS








If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using Windows Explorer.


Go to GPS

Allow restore of system to default state

Requirements: At least Windows 7

Description: This policy setting controls whether users can access the options in Recovery (in

Control Panel) to restore the computer to the original state or from a user-created system image.

If you enable or do not configure this policy setting, the items "Use a system image you created earlier to recover your computer" and "Reinstall Windows" (or "Return your computer to factory condition") appears on the "Advanced recovery methods" page of Recovery (in

Control Panel) and will allow the user to restore the computer to the original state or from a user-created system image. This is the default setting.

If you disable this policy setting, the items "Use a system image you created earlier to recover your computer" and "Reinstall Windows" (or "Return your computer to factory condition") in

Recovery (in Control Panel) will be unavailable. However, with this policy setting disabled, users can still restore the computer to the original state or from a user-created system image by restarting the computer and accessing the System Recovery Options menu, if it is available.

Go to GPS

Allow the use of biometrics

If you enable (or do not configure) this policy setting, the Windows Biometric Service will be available, and users will be able to run applications that use biometrics on Windows. If you want to enable the ability to log on with biometrics, you must also configure the "Allow users to log on using biometrics" policy setting.

If you disable this policy setting, the Windows Biometric Service will not be available, and users will be unable to use any biometric features in Windows.


Go to GPS

Allow users to log on using biometrics

This policy setting determines whether users can log on or elevate User Account Control

(UAC) permissions using biometrics. By default, local users will be able to log on to the local computer, but the "Allow domain users to log on using biometrics" policy setting will need to be enabled for domain users to log on to the domain.

If you enable or do not configure this policy setting, all users can log on to a local Windowsbased computer and will be able to elevate permissions with UAC using biometrics.

If you disable this policy setting, biometrics cannot be used by any users to log on to a local

Windows-based computer.


Go to GPS

Always use custom logon background

Ignores Windows Logon Background.

This policy setting may be used to make Windows give preference to a custom logon background.

If you enable this policy setting, the logon screen will always attempt to load a custom background instead of the Windows-branded logon background.

If you disable or do not configure this policy setting, Windows will use the default Windows logon background or custom background.

Go to GPS

Background upload of a roaming user profileÂ´s registry file while user is logged on

Sets the schedule for background uploading of a roaming user profileÂ´s registry file

(ntuser.dat). This setting will only upload the user profileÂ´s registry file (other user data will not be uploaded) and will only upload it if the user is logged on. Only the registry file of a roaming user profile will be uploaded--regular profiles will not be affected. This policy does not stop the roaming user profileÂ´s registry file from being uploaded at user logoff.

If this setting is disabled or not configured, the registry file for a roaming user profile will not be uploaded in the background while the user is logged on.

To use this setting, first choose which scheduling method to use.

If "Run at set interval" is chosen, then an interval must be set, with a value of 1-720 hours.

Once set, the profileÂ´s registry file will be uploaded at the specified interval after the user logs on. For example, with a value of 6 hours, if a user logs on at 6:00am and is still logged in at 12:00pm, their registry file will be uploaded at that time. Further, if they are still logged in at 6pm, it will upload then, as well, and again every 6 hours until logoff. The next time the user logs on, the timer will start again, so the registry file will upload 6 hours later (in our example.)

If "Run at specified time of day" is chosen, then a time of day must be specified. Once set, the registry hive will be uploaded at that same time every day, assuming the user is logged on at that time.

For both scheduling options, there is a random one hour delay attached per-trigger to avoid overloading the server with simultaneous uploads. For example, if the settings dictate that the userÂ´s registry file is to be uploaded at 6pm, it will actually upload at a random time between 6pm and 7pm.

Note: If "Run at set interval" is selected, the "Time of day" option is disregarded. Likewise, if

"Run at set time of day" is chosen, the "Interval (hours)" option is disregarded.

=== Presentation information ===

Scheduling method:

The following settings are only required and applicable if "Run at set interval" is selected.

Interval (hours):

The following settings are only required and applicable

if "Run at specified time of day" is selected.

Time of day:

=== Detailed values: === enum: Id: UploadHiveMethod; ValueName: UploadHiveMethod item: decimal: 1 => Run at set interval item: decimal: 2 => Run at specified time of day decimal: Id: UploadHiveInterval; ValueName: UploadHiveInterval enum: Id: UploadHiveTime; ValueName: UploadHiveTime item: decimal: 0 => 00:00 item: decimal: 1 => 01:00 item: decimal: 2 => 02:00 item: decimal: 3 => 03:00 item: decimal: 4 => 04:00 item: decimal: 5 => 05:00 item: decimal: 6 => 06:00 item: decimal: 7 => 07:00 item: decimal: 8 => 08:00 item: decimal: 9 => 09:00 item: decimal: 10 => 10:00 item: decimal: 11 => 11:00 item: decimal: 12 => 12:00 item: decimal: 13 => 13:00 item: decimal: 14 => 14:00 item: decimal: 15 => 15:00 item: decimal: 16 => 16:00 item: decimal: 17 => 17:00 item: decimal: 18 => 18:00 item: decimal: 19 => 19:00

item: decimal: 20 => 20:00 item: decimal: 21 => 21:00 item: decimal: 22 => 22:00 item: decimal: 23 => 23:00

Go to GPS

CD and DVD: Deny execute access

This policy setting denies execute access to the CD and DVD removable storage class.

If you enable this policy setting, execute access will be denied to this removable storage class.

If you disable or do not configure this policy setting, execute access will be allowed to this removable storage class.

Go to GPS

Change Start Menu power button

Set the default action of the power button on the Start menu.

If you enable this setting, the Start Menu will set the power button to the chosen action, and not let the user change this action.

If you set the button to either Sleep or Hibernate, and that state is not supported on a computer, then the button will fall back to Shut Down.

If you disable or do not configure this setting, the Start Menu power button will be set to Shut

Down by default, and the user can change this setting to another action.

=== Detailed values: === enum: Id: PowerButtonActionDropdown; ValueName: PowerButtonAction item: decimal: 2 => Shut Down item: decimal: 16 => Sleep item: decimal: 1 => Log off item: decimal: 512 => Lock

item: decimal: 4 => Restart item: decimal: 256 => Switch User item: decimal: 64 => Hibernate

Go to GPS

Choose how BitLocker-protected fixed drives can be recovered

This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.

The "Allow data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy

Management Console or the Local Group Policy Editor. Consult the BitLocker Drive

Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker, instead

BitLocker recovery options for the drive are determined by the policy setting.

In "Save BitLocker recovery information to Active Directory Doman Services" choose which

BitLocker recovery information to store in AD DS for fixed data drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS.

Select the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to

AD DS succeeds.

Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box is selected, a recovery password is automatically generated.

If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.

If this policy setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS


Allow data recovery agent

Configure user storage of BitLocker recovery information:

Omit recovery options from the BitLocker setup wizard

Save BitLocker recovery information to AD DS for fixed data drives

Configure storage of BitLocker recovery information to AD DS:

Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives

=== Detailed values: === enum: Id: FDVRecoveryPasswordUsageDropDown_Name; ValueName:

FDVRecoveryPassword item: decimal: 2 => Allow 48-digit recovery password item: decimal: 1 => Require 48-digit recovery password item: decimal: 0 => Do not allow 48-digit recovery password enum: Id: FDVRecoveryKeyUsageDropDown_Name; ValueName: FDVRecoveryKey item: decimal: 2 => Allow 256-bit recovery key item: decimal: 1 => Require 256-bit recovery key item: decimal: 0 => Do not allow 256-bit recovery key boolean: Id: FDVAllowDRA_Name; ValueName: FDVManageDRA trueValue: decimal: 1 falseValue: decimal: 0 boolean: Id: FDVHideRecoveryPage_Name; ValueName: FDVHideRecoveryPage trueValue: decimal: 1 falseValue: decimal: 0 boolean: Id: FDVActiveDirectoryBackup_Name; ValueName: FDVActiveDirectoryBackup trueValue: decimal: 1 falseValue: decimal: 0

boolean: Id: FDVRequireActiveDirectoryBackup_Name; ValueName:

FDVRequireActiveDirectoryBackup trueValue: decimal: 1 falseValue: decimal: 0 enum: Id: FDVActiveDirectoryBackupDropDown_Name; ValueName:

FDVActiveDirectoryInfoToStore item: decimal: 1 => Backup recovery passwords and key packages item: decimal: 2 => Backup recovery passwords only

Go to GPS

Choose how BitLocker-protected operating system drives can be recovered

This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker.

The "Allow certificate-based data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the

Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker

Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.




In "Save BitLocker recovery information to Active Directory Domain Services", choose which BitLocker recovery information to store in AD DS for operating system drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS.

Select the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box if you want to prevent users from enabling BitLocker

unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box is selected, a recovery password is automatically generated.

If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.

If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.





Save BitLocker recovery information to AD DS for operating system drives


Do not enable BitLocker until recovery information is stored to AD DS for operating system drives

=== Detailed values: === boolean: Id: OSAllowDRA_Name; ValueName: OSManageDRA trueValue: decimal: 1 falseValue: decimal: 0 enum: Id: OSRecoveryPasswordUsageDropDown_Name; ValueName: OSRecoveryPassword item: decimal: 2 => Allow 48-digit recovery password item: decimal: 1 => Require 48-digit recovery password item: decimal: 0 => Do not allow 48-digit recovery password enum: Id: OSRecoveryKeyUsageDropDown_Name; ValueName: OSRecoveryKey item: decimal: 2 => Allow 256-bit recovery key item: decimal: 1 => Require 256-bit recovery key item: decimal: 0 => Do not allow 256-bit recovery key boolean: Id: OSHideRecoveryPage_Name; ValueName: OSHideRecoveryPage trueValue: decimal: 1

falseValue: decimal: 0 boolean: Id: OSActiveDirectoryBackup_Name; ValueName: OSActiveDirectoryBackup trueValue: decimal: 1 falseValue: decimal: 0 boolean: Id: OSRequireActiveDirectoryBackup_Name; ValueName:

OSRequireActiveDirectoryBackup trueValue: decimal: 1 falseValue: decimal: 0 enum: Id: OSActiveDirectoryBackupDropDown_Name; ValueName:

OSActiveDirectoryInfoToStore item: decimal: 1 => Store recovery passwords and key packages item: decimal: 2 => Store recovery passwords only

Go to GPS

Choose how BitLocker-protected removable drives can be recovered

This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.

The "Allow data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy

Management Console or the Local Group Policy Editor. Consult the BitLocker Drive

Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.




In "Save BitLocker recovery information to Active Directory Domain Services" choose which

BitLocker recovery information to store in AD DS for removable data drives. If you select

"Backup recovery password and key package", both the BitLocker recovery password and key package are stored in AD DS. If you select "Backup recovery password only" only the recovery password is stored in AD DS.

Select the "Do not enable BitLocker until recovery information is stored in AD DS for removable data drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box is selected, a recovery password is automatically generated.

If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected removable data drives.

If this policy setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS





Save BitLocker recovery information to AD DS for removable data drives


Do not enable BitLocker until recovery information is stored to AD DS for removable data drives

=== Detailed values: === enum: Id: RDVRecoveryPasswordUsageDropDown_Name; ValueName:

RDVRecoveryPassword item: decimal: 2 => Allow 48-digit recovery password item: decimal: 1 => Require 48-digit recovery password item: decimal: 0 => Do not allow 48-digit recovery password enum: Id: RDVRecoveryKeyUsageDropDown_Name; ValueName: RDVRecoveryKey item: decimal: 2 => Allow 256-bit recovery key item: decimal: 1 => Require 256-bit recovery key item: decimal: 0 => Do not allow 256-bit recovery key boolean: Id: RDVAllowDRA_Name; ValueName: RDVManageDRA trueValue: decimal: 1

falseValue: decimal: 0 boolean: Id: RDVHideRecoveryPage_Name; ValueName: RDVHideRecoveryPage trueValue: decimal: 1 falseValue: decimal: 0 boolean: Id: RDVActiveDirectoryBackup_Name; ValueName: RDVActiveDirectoryBackup trueValue: decimal: 1 falseValue: decimal: 0 boolean: Id: RDVRequireActiveDirectoryBackup_Name; ValueName:

RDVRequireActiveDirectoryBackup trueValue: decimal: 1 falseValue: decimal: 0 enum: Id: RDVActiveDirectoryBackupDropDown_Name; ValueName:

RDVActiveDirectoryInfoToStore item: decimal: 1 => Backup recovery passwords and key packages item: decimal: 2 => Backup recovery passwords only

Go to GPS

Configure Background Sync

This is a machine-specific setting which applies to any user who logs onto the specified machine while this policy is in effect.

This policy is in effect when a network folder is determined, as specified by the

â€œConfigure slow-link modeâ€ policy, to be in â€œslow-linkâ€ mode.

For network folders in "slow-link" mode, a sync will be initiated in the background on a regular basis, according to these settings, to synchronize the files in those shares/folders between the client and server.

By default, network folders in the "slow-link" mode will be synchronized with the server every 360 minutes with the start of the sync varying between 0 and 60 additional minutes.

You can override the default sync interval and variance by setting Â´Sync IntervalÂ´ and

Â´Sync VarianceÂ´ values. You can also set a period of time where background sync is disabled by setting Â´Blockout Start TimeÂ´ and Â´Blockout DurationÂ´. To ensure that all the network folders on the machine are synchronized with the server on a regular basis, you may also set the Â´Maximum Allowed Time Without A SyncÂ´.

You may also configure Background Sync for network shares that are in user selected "Work

Offline" mode. This mode is in effect when a user selects the "Work Offline" button for a specific share. When selected, all configured settings will apply to shares in user selected

"Work Offline" mode as well.

If you disable this setting or do not configure it, the default behavior for Background Sync will apply.


Configure background sync:

Sync Interval (minutes)

Sync Variance (minutes)

Maximum Allowed Time Without A Sync (minutes)

Blockout Start Time (HHMM)

HHMM is a value where

HH must be between 0 and 24, and

MM must be between 0 and 59.

Blockout Duration (minutes)

Enable Background Sync for shares in user selected "Work Offline" mode

=== Detailed values: === decimal: Id: Lbl_BackgroundSyncDefaultSyncTime; ValueName:

BackgroundSyncPeriodMin decimal: Id: Lbl_BackgroundSyncVariance; ValueName: BackgroundSyncMaxStartMin decimal: Id: Lbl_BackgroundSyncIgnoreBlockOutTime; ValueName:

BackgroundSyncIgnoreBlockOutAfterMin decimal: Id: Lbl_BackgroundSyncBlockOutPeriodStartTime; ValueName:

BackgroundSyncBlockOutStartTime decimal: Id: Lbl_BackgroundSyncBlockOutPeriodDuration; ValueName:

BackgroundSyncBlockOutDurationMin boolean: Id: Lbl_BackgroundSyncInForcedOffline; ValueName:

BackgroundSyncEnabledForForcedOffline trueValue: decimal: 1 falseValue: decimal: 0

Go to GPS

Configure BranchCache for network files

This policy setting changes the default round trip network latency value above which network files are cached by client computers in the branch. BranchCache for network files enables computers in a branch office to cache data from Intranet servers on which BranchCache is enabled, and then securely share the files with other computers in the branch. One of the content types that can be cached in a branch office is network files using the Server Message

Block (SMB) protocol.

By default, network files are cached in the branch office when the round trip network latency of the wide area network (WAN) link is above 80 ms. To always cache network files downloaded to computers in the branch office, set the network latency value to 0. To disable branch caching for network files, set the latency value to a very high value.

If you enable this policy setting, you can configure the round trip network latency above which network files should be cached by client computers in the branch office.

If you disable or do not configure this policy setting, the client computer will cache network files if the round trip network latency of the wide area network (WAN) link is above 80 ms.

=== Detailed values: === decimal: Id: WBC_SMBLatency_DecimalTextBox; ValueName:

PeerCachingLatencyThreshold

Go to GPS

Configure list of Enhanced Storage devices usable on your computer

This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer.

This policy setting only applies to Enhanced Storage devices that support a Certificate

Authentication Silo.

If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer.

If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer.


Usable Enhanced Storage Devices:

The device identifier should be entered in the form "Vendor ID-Product ID" where "Vendor

ID" is the Institute of Electrical and Electronics Engineers, Inc. (IEEE) issued organizationally unique identifier (OUI) of the manufacturer and "Product ID" is a string assigned by the manufacturer.

For more information on how to obtain the manufacturer and product ID from the device search for "Enhanced Storage Access" on Microsoft TechNet.

=== Detailed values: === list: Id: ApprovedEnStorDevices_List

Go to GPS

Configure list of IEEE 1667 silos usable on your computer

This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer.

If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer.

If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer.


Usable IEEE 1667 Silo Type Identifiers:

Each silo type identifier must be a separate entry.

For more information on how to set a silo type identifier for this policy search for "Enhanced

Storage Access" on Microsoft TechNet.

=== Detailed values: === list: Id: ApprovedSilos_List

Go to GPS

Configure minimum PIN length for startup

This policy setting allows you to configure a minimum length for a Trusted Platform Module

(TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup

PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.

If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.

If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 4 and 20 digits.

=== Detailed values: === decimal: Id: MinPINLength; ValueName: MinimumPIN

Go to GPS

Configure Reliability WMI Providers

This policy controls the Windows Management Instrumentation (WMI) providers

Win32_ReliabilityStabilityMetrics and Win32_ReliabilityRecords.

If this setting is disabled, the Reliability Monitor will not display system reliability information nor will WMI capable applications have access to reliability information.

Go to GPS

Configure Scenario Execution Level

If you enable this policy setting, the Diagnostic Policy Service (DPS) will detect, troubleshoot and attempt to resolve automatically any heap corruption problems.

If you disable this policy setting, Windows will not be able to detect, troubleshoot and attempt to resolve automatically any heap corruption problems that are handled by the DPS.

If you do not configure this policy setting, the DPS will enable Fault Tolerant Heap for resolution by default.

This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.

No system restart or service restart is required for this policy to take effect: changes take effect immediately.

This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The

DPS can be configured with the Services snap-in to the Microsoft Management Console.

Go to GPS

Configure Scheduled Maintenance Behavior

Determines whether scheduled diagnostics will run to proactively detect and resolve system problems.

If you enable this policy setting, you must choose an execution level. If you choose detection and troubleshooting only, Windows will periodically detect and troubleshoot problems. The user will be notified of the problem for interactive resolution.

If you choose detection, troubleshooting and resolution, Windows will resolve some of these problems silently without requiring user input.

If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve problems on a scheduled basis.

If you do not configure this policy setting, local troubleshooting preferences will take precedence, as configured in the control panel. If no local troubleshooting preference is configured, scheduled diagnostics are enabled for detection, troubleshooting and resolution by default.

No reboots or service restarts are required for this policy to take effect: changes take effect immediately.

This policy setting will only take effect when the Task Scheduler service is in the running state. When the service is stopped or disabled, scheduled diagnostics will not be executed.

The Task Scheduler service can be configured with the Services snap-in to the Microsoft

Management Console.


Execution Level

=== Detailed values: === enum: Id: ScheduledDiagnosticsExecutionPolicyLevel; ValueName: EnabledExecutionLevel item: decimal: 1 => Troubleshooting Only item: decimal: 2 => Regular

Go to GPS

Configure Security Policy for Scripted Diagnostics

Determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers.

If you enable this policy setting, the scripted diagnostics execution engine will validate the signer of any diagnostic package and only run those signed by trusted publishers.

If you disable this policy setting, the scripted diagnostics execution engine will run all digitally signed packages.

Go to GPS

Configure use of passwords for fixed data drives

This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to permit the use of a password, you can require that a

password be used, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective the

Group Policy setting "Password must meet complexity requirements" located in Computer

Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must be also enabled.

Note: These settings are enforced when turning on BitLocker, not when unlocking a volume.

BitLocker will allow unlocking a drive with any of the protectors available on the drive.

If you enable this policy setting, users can configure a password that meets the requirements you define. To require the use of a password, select "Require password for fixed data drive".

To enforce complexity requirements on the password, select "Require complexity".

When set to "Require complexity" a connection to a domain controller is necessary when

BitLocker is enabled to validate the complexity the password. When set to "Allow complexity" a connection to a domain controller will be attempted to validate the complexity adheres to the rules set by the policy, but if no domain controllers are found the password will still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector. When set to "Do not allow complexity", no password complexity validation will be done.

Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the "Minimum password length" box.

If you disable this policy setting, the user is not allowed to use a password.

If you do not configure this policy setting, passwords will be supported with the default settings, which do not include password complexity requirements and require only 8 characters.

Note: Passwords cannot be used if FIPS-compliance is enabled. The "System cryptography:

Use FIPS-compliant algorithms for encryption, hashing, and signing" policy setting in

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.


Require password for fixed data drive

Configure password complexity for fixed data drives:

Minimum password length for fixed data drive:

Note: You must enable the "Password must meet complexity requirements" policy setting for the password complexity setting to take effect.

=== Detailed values: === boolean: Id: FDVRequirePassphrase; ValueName: FDVEnforcePassphrase trueValue: decimal: 1 falseValue: decimal: 0 enum: Id: FDVPassphraseComplexity; ValueName: FDVPassphraseComplexity

item: decimal: 2 => Allow password complexity item: decimal: 0 => Do not allow password complexity item: decimal: 1 => Require password complexity decimal: Id: FDVMinPassphraseLength; ValueName: FDVPassphraseLength

Go to GPS

Configure use of passwords for removable data drives

This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective the Group Policy setting "Password must meet complexity requirements" located in Computer Configuration\Windows Settings\Security

Settings\Account Policies\Password Policy\ must be also enabled.

Note: These settings are enforced when turning on BitLocker, not when unlocking a volume.


If you enable this policy setting, users can configure a password that meets the requirements that you define. To require the use of a password, select "Require password for removable data drive". To enforce complexity requirements on the password, select "Require complexity".

When set to "Require complexity" a connection to a domain controller is necessary when

BitLocker is enabled to validate the complexity the password. When set to "Allow complexity" a connection to a domain controller will be attempted to validate the complexity adheres to the rules set by the policy, but if no domain controllers are found the password will still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector. When set to "Do not allow complexity", no password complexity validation will be done.

Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the "Minimum password length" box.

If you disable this policy setting, the user is not allowed to use a password.

If you do not configure this policy setting, passwords will be supported with the default settings, which do not include password complexity requirements and require only 8 characters.

Note: Passwords cannot be used if FIPS-compliance is enabled. The "System cryptography:

Use FIPS-compliant algorithms for encryption, hashing, and signing" policy setting in

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.


Require password for removable data drive

Configure password complexity for removable data drives:

Minimum password length for removable data drive:

Note: You must enable the "Password must meet complexity requirements" policy setting for the password complexity setting to take effect.

=== Detailed values: === boolean: Id: RDVRequirePassphrase; ValueName: RDVEnforcePassphrase trueValue: decimal: 1 falseValue: decimal: 0 enum: Id: RDVPassphraseComplexity; ValueName: RDVPassphraseComplexity item: decimal: 2 => Allow password complexity item: decimal: 0 => Do not allow password complexity item: decimal: 1 => Require password complexity decimal: Id: RDVMinPassphraseLength; ValueName: RDVPassphraseLength

Go to GPS

Configure use of smart cards on fixed data drives

This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.

If you enable this policy setting smart cards can be used to authenticate user access to the drive. You can require a smart card authentication by selecting the "Require use of smart cards on fixed data drives" check box.

Note: These settings are enforced when turning on BitLocker, not when unlocking a drive.


If you disable this policy setting, users are not allowed to use smart cards to authenticate their access to BitLocker-protected fixed data drives.

If you do not configure this policy setting, smart cards can be used to authenticate user access to a BitLocker-protected drive.

=== Detailed values: ===

boolean: Id: FDVRequireSmartCard_Name; ValueName: FDVEnforceUserCert trueValue: decimal: 1 falseValue: decimal: 0

Go to GPS

Configure use of smart cards on removable data drives

This policy setting allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.

If you enable this policy setting smart cards can be used to authenticate user access to the drive. You can require a smart card authentication by selecting the "Require use of smart cards on removable data drives" check box.

Note: These settings are enforced when turning on BitLocker, not when unlocking a drive.


If you disable this policy setting, users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.

If you do not configure this policy setting, smart cards are available to authenticate user access to a BitLocker-protected removable data drive.

=== Detailed values: === boolean: Id: RDVRequireSmartCard_Name; ValueName: RDVEnforceUserCert trueValue: decimal: 1 falseValue: decimal: 0

Go to GPS

Control use of BitLocker on removable drives

This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker.

When this policy setting is enabled you can select property settings that control how users can configure BitLocker. Choose "Allow users to apply BitLocker protection on removable data drives" to permit the user to run the BitLocker setup wizard on a removable data drive.

Choose "Allow users to suspend and decrypt BitLocker on removable data drives" to permit the user to remove BitLocker Drive encryption from the drive or suspend the encryption while maintenance is performed. Consult the BitLocker Drive Encryption Deployment Guide on

Microsoft TechNet for more information on suspending BitLocker protection.

If you do not configure this policy setting, users can use BitLocker on removable disk drives.

If you disable this policy setting, users cannot use BitLocker on removable disk drives.

=== Detailed values: === boolean: Id: RDVAllowBDE_Name; ValueName: RDVAllowBDE trueValue: decimal: 1 falseValue: decimal: 0 boolean: Id: RDVDisableBDE_Name; ValueName: RDVDisableBDE trueValue: decimal: 1 falseValue: decimal: 0

Go to GPS

Corporate DNS Probe Host Address

This is the expected address of the host name used as for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity.


Corporate DNS Probe Address:

Specify the expected DNS address for the corporate host name to probe.

Example:

2001:4898:28:3:38a1:c31:7b3d:bf0

=== Detailed values: === text: Id: NCSI_CorpDnsProbeContentBox; ValueName: DnsProbeContent

Go to GPS

Corporate DNS Probe Host Name

This is the host name of a PC known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity.


Corporate DNS Probe Hostname:

Specify a corporate host name to resolve to probe for corporate connectivity.

Example: ncsi.corp.microsoft.com

=== Detailed values: === text: Id: NCSI_CorpDnsProbeHostBox; ValueName: DnsProbeHost

Go to GPS

Corporate Site Prefix List

This is the list of IPv6 corporate site prefixes that should be monitored for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity.


Corporate Site Prefix List:

Specify the list of corporate IPv6 site prefixes to check for reachability to detect corporate connectivity.

Syntax:

The list should be comma-separated with no extra whitespace.

Example: fe80::/9,fe81::/9

=== Detailed values: === text: Id: NCSI_CorpSitePrefixesBox; ValueName: SitePrefixes

Go to GPS

Corporate Website Probe URL

This is the URL of the corporate website that will be used to perform an active probe against.


Corporate Website Probe URL:

Specify the URL of the corporate website to use to probe for corporate connectivity.

Example:

http://ncsi.corp.microsoft.com/

=== Detailed values: === text: Id: NCSI_CorpWebProbeUrlBox; ValueName: WebProbeUrl

Go to GPS

Deny write access to fixed drives not protected by

BitLocker

This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker.

If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.

Go to GPS

Deny write access to removable drives not protected by

BitLocker

This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computerÂ´s identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting.

If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.

Note: This policy setting can be overridden by the policy settings under User

Configuration\Administrative Templates\System\Removable Storage Access. If the

"Removable Disks: Deny write access" policy setting is enabled this policy setting will be ignored.

=== Detailed values: === boolean: Id: RDVCrossOrg; ValueName: RDVDenyCrossOrg trueValue: decimal: 1 falseValue: decimal: 0

Go to GPS

Disable delete notifications on all volumes

Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation.

A value of 0, the default, will enable delete notifications for all volumes.

A value of 1 will disable delete notifications for all volumes.

Go to GPS

Disable Known Folders

This policy setting allows you to specify a list of known folders that should be disabled.

Disabling a known folder will prevent the underlying file or directory from being created via the known folder API. If the folder exists before the policy is applied, the folder must be manually deleted since the policy only blocks the creation of the folder.

You can specify a known folder using its known folder id or using its canonical name. For example, the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-

4739-ae1a-d4a54907c53f} or SampleVideos.

Note: Disabling a known folder can introduce application compatibility issues in applications that depend on the existence of the known folder.

=== Detailed values: === list: Id: DisableKnownFolders_Prompt

Go to GPS

Disable text prediction

Prevents the Tablet PC Input Panel from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab.

Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an onscreen keyboard to enter text, symbols, numbers, or keyboard shortcuts.

If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.

If you disable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.

If you do not configure this policy, Input Panel will provide text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options.

Go to GPS

Disable text prediction

Prevents the Tablet PC Input Panel from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab.

Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an onscreen keyboard to enter text, symbols, numbers, or keyboard shortcuts.

If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.

If you disable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.

If you do not configure this policy, Input Panel will provide text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options.

Go to GPS

Do not allow compression on all NTFS volumes

Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files.

Go to GPS

Do not allow encryption on all NTFS volumes

Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files

Go to GPS

Do not allow font smoothing

This policy setting allows you to specify whether font smoothing is allowed for remote connections.

Font smoothing provides ClearType functionality for a remote connection. ClearType is a technology for displaying computer fonts so that they appear clear and smooth, especially when you are using an LCD monitor. Because font smoothing requires additional bandwidth resources, not allowing font smoothing for remote connections can improve connection performance, particularly over slow links.

By default, font smoothing is allowed for remote connections. You can configure font smoothing on the Experience tab in Remote Desktop Connection (RDC) or by using the

"allow font smoothing" setting in a Remote Desktop Protocol (.rdp) file.

If you enable this policy setting, font smoothing will not be allowed for remote connections, even if font smoothing is enabled in RDC or in the .rdp file.

If you disable or do not configure this policy setting, font smoothing is allowed for remote connections.

Go to GPS

Do not allow non-Enhanced Storage removable devices

This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer.

If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer.

If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer.

Go to GPS

Do not allow password authentication of Enhanced

Storage devices

This policy setting configures whether or not a password can be used to unlock an Enhanced

Storage device.

If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device.

If you disable or do not configure this policy setting, a password can be used to unlock an

Enhanced Storage device.

Go to GPS

Do not allow pinning items in Jump Lists

If you enable this setting, users cannot pin files, folders, websites, or other items to their Jump

Lists in the Start Menu and Taskbar. Users also cannot unpin existing items pinned to their

Jump Lists. Existing items already pinned to their Jump Lists will continue to show.

If you disable this setting or do not configure it, users can pin files, folders, websites, and other items to a programÂ´s Jump List so that the items is always present in this menu.

Go to GPS

Do not allow pinning programs to the Taskbar

If you enable this setting, users cannot change the programs currently pinned to the Taskbar.

If any programs are already pinned to their Taskbar, these programs will continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar.

If you disable this setting or do not configure it, users can pin programs so that the program shortcuts stay on the Taskbar.

Go to GPS

Do not allow the BITS client to use Windows Branch

Cache

This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the

Windows Branch Cache component is installed and enabled on a computer, then BITS jobs on that computer can use Windows Branch Cache by default.

If you enable this setting, then the BITS client does not use Windows Branch Cache.

If you disable or do not configure this setting, then the BITS client uses Windows Branch

Cache.

Note: This setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy does not apply to BITS transfers over SMB. This setting has no effect if the computerÂ´s administrative settings for Windows Branch Cache disable its use entirely.

Go to GPS

Do not display or track items in Jump Lists from remote locations

The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites and other relevant items for that program. This helps users more easily reopen their most important documents and other tasks.

If you disable or do not configure this setting, all files that the user opens will appear in the menus, including files located remotely on another computer.

If you enable this setting, the Start Menu and Taskbar will only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers will not be tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections.

Note: This setting does not prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the "Do not allow pinning items in Jump Lists" setting.

Go to GPS

Do not show the "local access only" network icon

Specifies whether or not the "local access only" network icon will be shown.

When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only.

If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network with local access only.

Go to GPS

Do not use Remote Desktop Session Host server IP address when virtual IP address is not available

This policy setting specifies whether a session uses the IP address of the Remote Desktop

Session Host server if a virtual IP address is not available.

If you enable this policy setting, the IP address of the RD Session Host server is not used if a virtual IP is not available. The session will not have network connectivity.

If you disable or do not configure this policy setting, the IP address of the RD Session Host server is used if a virtual IP is not available.

Go to GPS

Domain Location Determination URL

This is the HTTPS URL of the corporate website that will be used to determine the current domain location i.e. inside or outside corporate. Reachability of the URL indicates that the location is inside corporate else it is outside.


Corporate Domain Location Determination URL:

Specify the HTTPS URL of the corporate website to use to determine inside or outside domain location.

Example: https://nid.corp.microsoft.com/

=== Detailed values: === text: Id: NCSI_DomainLocationDeterminationUrlBox; ValueName:

DomainLocationDeterminationUrl

Go to GPS

Enable NTFS pagefile encryption

Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will

cause the page files to be encrypted.

Go to GPS

Enable Transparent Caching

Enabling this policy optimizes subsequent reads to network files by a user or an application.

This is done by caching reads to remote files over a slow network in the Offline Files cache.

Subsequent reads to the same file are then satisfied from the client after verifying the integrity of the cached copy. This policy not only yields improved end-user response times but also decreased bandwidth consumption over the WAN links to the server.

The cached files are temporary and are not available to the user when offline. The cached files are not kept in sync with the version on the server, and the most current version from the server is always available for subsequent reads.

This policy is triggered by the configured round trip network latency value. We recommend using this policy when the network connection to the server is slow. For example, you can configure a value of 60 ms as the round trip latency of the network above which files should be transparently cached in the Offline Files cache. If the round trip latency of the network is less than 60ms, reads to remote files will not be cached.

If you do not configure this setting, remote files will be not be transparently cached on enduser clients.


Enter the network latency value above which network files will be temporarily cached on the client.

Enter network latency value in milliseconds

=== Detailed values: === decimal: Id: Lbl_OnlineCachingSettingsList; ValueName: OnlineCachingLatencyThreshold

Go to GPS

Exclude files from being cached

This policy enables administrators to exclude certain file types from being made available offline.

You need to specify file extensions of the file types that should be excluded. A user will then be unable to create a file of this type in the folders that have been made available offline.


Enter semi-colon separated file extensions that you want to be excluded from being made available offline by Offline Files.

Extensions must be preceded by an asterisk and period. "e.g. *.dbf;*.jpg"

Extensions:

=== Detailed values: === text: Id: Lbl_ExclusionListSettingsList; ValueName: ExcludedFileTypes

Go to GPS

Execute print drivers in isolated processes

This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail.

If you enable or do not configure this policy setting, the print spooler will execute print drivers in an isolated process by default.

If you disable this policy setting, the print spooler will execute print drivers in the print spooler process.

Notes:

-Other system or driver policy settings may alter the process in which a print driver is executed.

-This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications are not affected.

-This policy setting takes effect without restarting the print spooler service.

Go to GPS

Extend Point and Print connection to search Windows

Update

This policy setting allows you to manage where client computers search for Point and Printer drivers.

If you enable this policy setting, the client computer will continue to search for compatible

Point and Print drivers from Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache.

If you disable this policy setting, the client computer will only search the local driver store and server driver cache for compatible Point and Print drivers. If it is unable to find a compatible driver, then the Point and Print connection will fail.

This policy setting is not configured by default, and the behavior depends on the version of

Windows that you are using.

By default, Windows Ultimate, Professional and Home SKUs will continue to search for compatible Point and Print drivers from Windows Update, if needed. However, you must explicitly enable this policy setting for other versions of Windows (for example Windows

Enterprise, and all versions of Windows Server 2008 R2) to have the same behavior.

Go to GPS

Floppy Drives: Deny execute access

This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives.



Go to GPS

Hash Publication for BranchCache

This policy enables a hash generation service to generate hashes for data stored in shared folders, and then provide these hashes to client computers on which BranchCache is enabled.

Hashes are mathematically-derived digital fingerprints of files that uniquely identify the contents of files. These digital fingerprints are very small, enabling Windows to compare files without consuming a significant amount of Wide Area Network (WAN) bandwidth.

A client computer in a branch office can obtain a hash for a file across a WAN link if all of the following conditions are true:

1) The user has permissions to access the file.

2) BranchCache is enabled on the client computer.

3) Hash publication is permitted on the shared folder that the client computer is accessing.

If the client computer obtains the hash, the computer can then search for an identical version of the file in the cache of other computers in the branch office. If Windows finds an identical version of the file in the branch office, the client computer downloads the locally-cached copy instead of downloading the file across the WAN link.

If you configure this policy to "Allow hash publication only for shared folders on which

BranchCache is enabled" (value = 0), hashes are generated only for shared folders on which

BranchCache is enabled. Hashes for these shared folders are generated when either of the following events occurs:

1) A file is accessed in a shared folder on which BranchCache is enabled by a client with

BranchCache support enabled.

2) An administrator manually generates hashes using the command-line tool Hashgen.

If you configure this policy to "Disallow hash publication on all shared folders" (value = 1), hashes are never generated or provided by computers on which this policy is applied.

If you configure this policy to "Allow hash publication for all shared folders" (value = 2), hashes are generated for all shared folders on the server when either of the following events occurs:

1) A file is accessed in a shared folder on the server by a client with BranchCache support enabled.

2) An administrator manually generates hashes using the command-line tool Hashgen.


Values:

0 = Allow hash publication only for shared folders on which BranchCache is enabled

1 = Disallow hash publication on all shared folders

2 = Allow hash publication for all shared folder

Hash publication actions:

=== Detailed values: === enum: Id: Lbl_HashPublicationActionCombo; ValueName: HashPublicationForPeerCaching item: decimal: 0 => Allow hash publication only for shared folders on which BranchCache is enabled item: decimal: 1 => Disallow hash publication on all shared folders item: decimal: 2 => Allow hash publication for all shared folder

Go to GPS

IP-HTTPS State

This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the

HTTPS protocol to provide IP connectivity to a remote network.

If you disable or do not configure this policy setting, the local host settings is used.

If you enable this policy setting, you can specify an IP-HTTPS server URL. You will be able to configure IP-HTTPS with one of the following settings:

Policy Default State: The IP-HTTPS interface is used when there are no other connectivity

options.

Policy Enabled State: The IP-HTTPS interface is always present, even if the host has other connectivity options.

Policy Disabled State: No IP-HTTPS interfaces are present on the host.


Enter the IPHTTPS Url:

Select Interface state from the following options:

=== Detailed values: === enum: Id: StateSelect; ValueName: IPHTTPS_ClientState item: decimal: 0 => Default State item: decimal: 2 => Enabled State item: decimal: 3 => Disabled State text: Id: IPHTTPSClientUrlBox; ValueName: IPHTTPS_ClientUrl

Go to GPS

ISATAP Router Name

This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router.

If you enable this policy setting, you can specify a router name or IPv4 address for an

ISATAP router. If you enter an IPv4 address of the ISATAP router in the text box, DNS services are not required.


=== Detailed values: === text: Id: RouterNameBox; ValueName: ISATAP_RouterName

Go to GPS

ISATAP State

This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol

(ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet.


If you enable this policy setting, you will be able to configure ISATAP with one of the following settings:

Policy Default State: If the ISATAP router name is resolved successfully, the host will have

ISATAP configured with a link-local address and an address for each prefix received from the

ISATAP router through stateless address auto-configuration. If the ISATAP router name is not resolved successfully, ISATAP connectivity is not available on the host using the corresponding IPv4 address.

Policy Enabled State: If the ISATAP name is resolved successfully, the host will have

ISATAP configured with a link-local address and an address for each prefix received from the

ISATAP router through stateless address auto-configuration. If the ISATAP name is not resolved successfully, the host will have an ISATAP interface configured with a link-local address.

Policy Disabled State: No ISATAP interfaces are present on the host.

=== Detailed values: === enum: Id: StateSelect; ValueName: ISATAP_State item: value item: value item: value

Go to GPS

Limit audio playback quality

This policy setting allows you to limit the audio playback quality for a Remote Desktop

Services session. Limiting the quality of audio playback can improve connection performance, particularly over slow links.

If you enable this policy setting, you must select one of the following: High, Medium, or

Dynamic. If you select High, the audio will be sent without any compression and with minimum latency. This requires a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the codec that is being used. If you select Dynamic, the audio will be sent with a level of compression

that is determined by the bandwidth of the remote connection.

The audio playback quality that you specify on the remote computer by using this policy setting is the maximum quality that can be used for a Remote Desktop Services session, regardless of the audio playback quality configured on the client computer. For example, if the audio playback quality configured on the client computer is higher than the audio playback quality configured on the remote computer, the lower level of audio playback quality will be used.

Audio playback quality can be configured on the client computer by using the audioqualitymode setting in a Remote Desktop Protocol (.rdp) file. By default, audio playback quality is set to Dynamic.

If you disable or do not configure this policy setting, audio playback quality will be set to

Dynamic.

=== Detailed values: === enum: Id: TS_AUDIO_QUALITY_LEVEL; ValueName: AllowedAudioQualityMode item: decimal: 1 => Dynamic item: decimal: 3 => Medium item: decimal: 7 => High

Go to GPS

Limit maximum display resolution

This policy setting allows you to specify the maximum display resolution that can be used by each monitor used to display a Remote Desktop Services session. Limiting the resolution used to display a remote session can improve connection performance, particularly over slow links, and reduce server load.

If you enable this policy setting, you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be used by each monitor used to display a Remote Desktop Services session.

If you disable or do not configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session Host

Configuration tool.


Width

Height

=== Detailed values: === decimal: Id: TS_DisplayRes_Width; ValueName: XResolution decimal: Id: TS_DisplayRes_Height; ValueName: YResolution

Go to GPS

Limit maximum number of monitors

This policy setting allows you to limit the number of monitors that a user can use to display a

Remote Desktop Services session. Limiting the number of monitors to display a Remote

Desktop Services session can improve connection performance, particularly over slow links, and reduce server load.

If you enable this policy setting, you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a number from 1 to 10.

If you disable or do not configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session is determined by the value specified in the

"Maximum number of monitors per session" box on the Display Settings tab in the Remote

Desktop Session Host Configuration tool.


Maximum Monitors

=== Detailed values: === decimal: Id: TS_Max_Monitor; ValueName: MaxMonitors

Go to GPS

Limit the size of the entire roaming user profile cache

This policy setting allows you to limit the size of the entire roaming user profile cache on the local drive. This policy setting only applies to a computer on which the Remote Desktop

Session Host role service is installed.

Note: If you want to limit the size of an individual user profile, use the "Limit profile size" policy setting located in User Configuration\Policies\Administrative Templates\System\User

Profiles.

If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked.

When the size of the entire roaming user profile cache exceeds the maximum size that you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified.

If you disable or do not configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive.

Note: This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative

Templates\System\User Profiles is enabled.


Monitoring interval (minutes):

Maximum cache size (GBs):

=== Detailed values: === decimal: Id: TS_PROFILE_DIRECTORY_MONITORING_INTERVAL; ValueName:

MonitoringInterval decimal: Id: TS_PROFILE_DIRECTORY_QUOTA; ValueName: ProfileDirectoryQuota

Go to GPS

Load a specific theme

Specifies which theme file is applied to the computer the first time a user logs on.

If you enable this setting, the theme that you specify will be applied when a new user logs on for the first time. This policy does not prevent the user from changing the theme or any of the theme elements such as the desktop background, window color, sounds, or screen saver after the first logon.

If you disable or do not configure this setting, the default theme will be applied at the first logon.

=== Detailed values: === text: Id: ThemeFilename; ValueName: ThemeFile

Go to GPS

Lock Enhanced Storage when the computer is locked

This policy will enable the Enhanced Storage device to be locked when the computer is locked.

This policy is supported in Windows Enterprise and Business SKUs only.

If you enable this policy setting, the Enhanced Storage device will remain locked when the

computer is locked.

If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked.

Go to GPS

Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with Support Provider

Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals.

If you leave this policy setting enabled, Users will be able to use MSDT to collect and send diagnostic data to a support professional to resolve a problem.

By default, the support provider is set to Microsoft Corporation.

If you disable this policy setting, MSDT will not be able to run in support mode and no data can be collected or sent to the support provider.

If you do not configure this policy setting, MSDT Support mode will be enabled by default.

No reboots or service restarts are required for this policy to take effect: changes take effect immediately.

Go to GPS

Network Projector Port Setting

This policy setting allows you to select the TCP port the Network Projector will use to send packets. If you leave the 0, the operating system will select a port. If you select a TCP port that is already in use by a system, the Network Projector will fail to initialize.

If you enable this policy setting, you can customize a TCP port for the Network Projector.


The setting allows you to customize the Network Projector port

The range is 0 to 65535. Default is 5363.

=== Detailed values: === decimal: Id: NetworkProjectionPortNoBox; ValueName: NetworkProjectionPortNo

Go to GPS

Notify user of successful smart card driver installation

This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed.

If you enable or do not configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed.

If you disable this policy setting, a confirmation message will not be displayed when a smart card device driver is installed.

Note: This policy setting is applied only for smart cards that have passed the Windows

Hardware Quality Labs (WHQL) testing process.

Go to GPS

Optimize visual experience for Remote Desktop Services sessions

This policy setting allows you to specify the visual experience that remote users receive in

Remote Desktop Services sessions. Remote sessions on the remote computer are then optimized to support this visual experience.

By default, Remote Desktop Services sessions are optimized for rich multimedia, such as applications that use Silverlight or Windows Presentation Foundation.

If you enable this policy setting, you must select the visual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text.

If you disable or do not configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia.


Visual experience:

=== Detailed values: === enum: Id: TS_VISEXP_SETTINGS; ValueName: VisualExperiencePolicy item: decimal: 1 => Rich multimedia item: decimal: 2 => Text

Go to GPS

Override print driver execution compatibility setting reported by print driver

This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility.

If you enable this policy setting, the print spooler will ignore the Driver Isolation compatibility flag value reported by the print driver.

If you disable or do not configure this policy setting, the print spooler will use the Driver

Isolation compatibility flag value reported by the print driver.

Notes:

-Other system or driver policy settings may alter the process in which a print driver is executed.

-This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications are not affected.

-This policy setting takes effect without restarting the print spooler service.

Go to GPS

Pin Internet search sites to the "Search again" links and the Start menu

This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in Windows Explorer and the Start menu links. The

"Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, http://www.example.com/results.aspx?q={searchTerms}).

You can add up to five additional links to the "Search again" links at the bottom of results returned in Windows Explorer after a search is executed. These links will be shared between

Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.

The first several links will also be pinned to the Start menu. A total of four links can be pinned on the Start menu. The "See more results" link will be pinned first by default, unless it

is disabled via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Internet/intranet links and pinned Search Connectors/Libraries. Search Connector/Library links take precedence over Internet/intranet search links.

If you enable this policy setting, the specified Internet sites will appear in the "Search again" links and the Start menu links.

If you disable or do not configure this policy setting, no custom Internet search sites will be added to the "Search again" links or the Start menu links.


Internet search sites to add:

Site URL 1

Site Name 1

Site URL 2

Site Name 2

Site URL 3

Site Name 3

Site URL 4

Site Name 4

Site URL 5

Site Name 5

=== Detailed values: === text: Id: OpenSearch0; ValueName: OpenSearch0 text: Id: OpenSearchLabel0; ValueName: OpenSearchLabel0 text: Id: OpenSearch1; ValueName: OpenSearch1 text: Id: OpenSearchLabel1; ValueName: OpenSearchLabel1 text: Id: OpenSearch2; ValueName: OpenSearch2 text: Id: OpenSearchLabel2; ValueName: OpenSearchLabel2 text: Id: OpenSearch3; ValueName: OpenSearch3 text: Id: OpenSearchLabel3; ValueName: OpenSearchLabel3 text: Id: OpenSearch4; ValueName: OpenSearch4 text: Id: OpenSearchLabel4; ValueName: OpenSearchLabel4

Go to GPS

Pin Libraries or Search Connectors to the "Search again" links and the Start menu

This policy setting allows up to five Libraries or Search Connectors to be pinned to the

"Search again" links and the Start menu links. The "Search again" links at the bottom of the

Search Results view allow the user to reconduct a search but in a different location. To add a

Library or Search Connector link, specify the path of the .Library-ms or .searchConnector-ms

file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the

Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search

Connector). The pinned link will only work if this path is valid and the location contains the specified .Library-ms or .searchConnector-ms file.

You can add up to five additional links to the "Search again" links at the bottom of results returned in Windows Explorer after a search is executed. These links will be shared between

Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.

The first several links will also be pinned to the Start menu. A total of four links can be included on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Search

Connectors/Libraries and pinned Internet/intranet search links. Search Connector/Library links take precedence over Internet/intranet search links.

If you enable this policy setting, the specified Libraries or Search Connectors will appear in the "Search again" links and the Start menu links.

If you disable or do not configure this policy setting, no Libraries or Search Connectors will appear in the "Search again" links or the Start menu links.


Locations to pin:

Location 1

Location 2

Location 3

Location 4

Location 5

=== Detailed values: === text: Id: Library0; ValueName: Library0 text: Id: Library1; ValueName: Library1 text: Id: Library2; ValueName: Library2 text: Id: Library3; ValueName: Library3 text: Id: Library4; ValueName: Library4

Go to GPS

Prevent changing mouse pointers

Prevents users from changing the mouse pointers.

By default, users can use the Pointers tab in the Mouse Control Panel to add, remove, or change the mouse pointers.

If you enable this setting, none of the mouse pointer scheme settings can be changed by the user.

Go to GPS

Prevent changing sounds

Prevents users from changing the sound scheme.

By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme.

If you enable this setting, none of the Sound Scheme settings can be changed by the user.

Go to GPS

Prevent device metadata retrieval from the Internet

This policy setting allows you to prevent Windows from retrieving device metadata from the

Internet.

If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation

Settings dialog box (Control Panel > System and Security > System > Advanced System

Settings > Hardware tab).

If you disable or do not configure this policy setting, the setting in the Device Installation

Settings dialog box controls whether Windows retrieves device metadata from the Internet.

Go to GPS

Prevent redirection of devices that match any of these device Ids

This policy setting prevents redirection of specific USB devices.

If you enable this setting, an alternate driver for the USB device cannot be loaded.

If you disable or do not configure this setting, an alternate driver for the USB device can be loaded.


Prevent redirection of devices that match any of these Device IDs:

To create a list of devices, click Show, specify a USB device hardware ID, and then click OK.

For example, to specify a device that has a VID 058F, PID 6387 and Revision 0142, type the value in the following format "VID_058F&&PID_6387&&REV_0142". You can use Device

Manager to determine the VID, PID, and revision of a USB device. On the Details tab, select

"Hardware Ids" to list the IDs of all USB devices connected to the computer.

As an alternative, you can use class and protocol information to block USB devices. To specify a device that has a value of Class 08, SubClass 06, and Protocol 50, type the value in the following format: "Class_08&&SubClass_06&&Prot_50". This information also is available in Device Manager. On the Details tab, select "Compatible Ids" to list the class and protocol values of all USB devices connected to the computer.

=== Detailed values: === list: Id: Redirect_IDS_Deny_List

Go to GPS

Prevent redirection of USB devices

This policy setting prevents redirection of USB devices.

If you enable this setting, an alternate driver for USB devices cannot be loaded.

If you disable or do not configure this setting, an alternate driver for USB devices can be loaded.

Go to GPS

Prevent the computer from joining a homegroup

By default, users can add their computer to a homegroup on a home network.

If you enable this policy setting, a user on this computer will not be able to add this computer to a homegroup. This setting does not affect other network sharing features.

If you disable or do not configure this policy setting, a user can add this computer to a homegroup. However, data on a domain-joined computer is not shared with the homegroup.

This policy setting is not configured by default.

You must restart the computer for this policy setting to take effect.

Go to GPS

Prevent Windows Anytime Upgrade from running.

By default Windows Anytime Upgrade is available for all administrators.

If you enable this policy setting, Windows Anytime Upgrade will not run.

If you disable this policy setting or set it to Not Configured, Windows Anytime Upgrade will run.

Go to GPS

Prevent Windows Anytime Upgrade from running.

By default Windows Anytime Upgrade is available for all administrators.

If you enable this policy setting, Windows Anytime Upgrade will not run.

If you disable this policy setting or set it to Not Configured, Windows Anytime Upgrade will run.

Go to GPS

Prevent Windows from sending an error report when a device driver requests additional software duri

This policy allows you to prevent Windows from sending an error report when a device driver requests additional software during installation.

If you enable this policy setting, Windows does not send an error report when a device driver that requests additional software is installed.

If you disable or do not configure this policy setting, Windows sends an error report when a device driver that requests additional software is installed.

Go to GPS

Provide the unique identifiers for your organization

This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added

to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the Manage-BDE command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLocker To Go

Reader when the identification field on the drive matches the value configured for the identification field.

The allowed identification field is used in combination with the "Deny write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization. It is a comma separated list of identification fields from your organization or other external organizations.

You can configure the identification fields on existing drives by using manage-BDE.exe.

If you enable this policy setting, you can configure the identification field on the BitLockerprotected drive and any allowed identification field used by your organization.

When a BitLocker-protected drive is mounted on another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether the drive is from an outside organization.

If you disable or do not configure this policy setting, the identification field is not required.

Note: Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificatebased data recovery agents when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer.

=== Detailed values: === text: Id: IdentificationField; ValueName: IdentificationFieldString text: Id: SecIdentificationField; ValueName: SecondaryIdentificationField

Go to GPS

Reduce Display Brightness (On Battery)

Specify the period of inactivity before Windows automatically reduces brightness of the display.

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically reduces the brightness of the display.

Windows will only reduce the brightness of the primary display integrated into the computer.

If you disable this policy setting or do not configure it, users can see and change this setting.

=== Detailed values: === decimal: Id: EnterDisplayDimTimeOut; ValueName: DCSettingIndex

Go to GPS

Reduce Display Brightness (Plugged In)

Specify the period of inactivity before Windows automatically reduces brightness of the display.

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically reduces the brightness of the display.

Windows will only reduce the brightness of the primary display integrated into the computer.


=== Detailed values: === decimal: Id: EnterDisplayDimTimeOut; ValueName: ACSettingIndex

Go to GPS

Removable Disks: Deny execute access

This policy setting denies execute access to removable disks.



Go to GPS

Remove Downloads link from Start Menu

If you enable this policy the start menu will not show a link to the Downloads folder.

Go to GPS

Remove Homegroup link from Start Menu

If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu.

If you disable or do not configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu.

Go to GPS

Remove pinned programs from the Taskbar

If you enable this setting, pinned programs are prevented from being shown on the Taskbar.

Users cannot pin programs to the Taskbar.

If you disable this setting or do not configure it, users can pin programs so that the program shortcuts stay on the Taskbar.

Go to GPS

Remove Recorded TV link from Start Menu

If you enable this policy the start menu will not show a link to the Recorded TV library.

Go to GPS

Remove See More Results / Search Everywhere link

If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box.

If you disable or do not configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link.

Go to GPS

Remove the Action Center icon

Prevents the Action Center in the system control area from being displayed. If you enable this setting, the Action Center icon will not be displayed in the system notification area.

If you disable or do not configure this setting, the Action Center icon will be displayed in the system notification area.

Go to GPS

Remove the Search the Internet "Search again" link

If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer window.

If you disable this policy, there will be an "Internet" "Search again" link when the user performs a search in the Explorer window. This button launches a search in the default browser with the search terms.

If you do not configure this policy (default), there will be an "Internet" link when the user performs a search in the Explorer window.

Go to GPS

Remove Videos link from Start Menu

If you enable this policy the start menu will not show a link to the Videos library.

Go to GPS

Require additional authentication at startup

This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on

BitLocker.

Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.

If you want to use BitLocker on a computer without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode a USB drive is required for start-up and the key information used to encrypt the drive is stored on the USB drive, creating a USB key.

When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable you will need to use one of the BitLocker

recovery options to access the drive.

On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number

(PIN), or both.

If you enable this policy setting, users can configure advanced startup options in the

BitLocker setup wizard.

If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.

Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the

BitLocker Drive Encryption setup wizard.


Allow BitLocker without a compatible TPM

(requires a startup key on a USB flash drive)

Settings for computers with a TPM:

Configure TPM startup:

Configure TPM startup PIN:

Configure TPM startup key:

Configure TPM startup key and PIN:

=== Detailed values: === boolean: Id: ConfigureNonTPMStartupKeyUsage_Name; ValueName:

EnableBDEWithNoTPM trueValue: decimal: 1 falseValue: decimal: 0 enum: Id: ConfigureTPMStartupKeyUsageDropDown_Name; ValueName: UseTPMKey item: decimal: 2 => Allow startup key with TPM item: decimal: 1 => Require startup key with TPM item: decimal: 0 => Do not allow startup key with TPM enum: Id: ConfigurePINUsageDropDown_Name; ValueName: UseTPMPIN item: decimal: 2 => Allow startup PIN with TPM item: decimal: 1 => Require startup PIN with TPM item: decimal: 0 => Do not allow startup PIN with TPM

enum: Id: ConfigureTPMPINKeyUsageDropDown_Name; ValueName: UseTPMKeyPIN item: decimal: 2 => Allow startup key and PIN with TPM item: decimal: 1 => Require startup key and PIN with TPM item: decimal: 0 => Do not allow startup key and PIN with TPM enum: Id: ConfigureTPMUsageDropDown_Name; ValueName: UseTPM item: decimal: 2 => Allow TPM item: decimal: 1 => Require TPM item: decimal: 0 => Do not allow TPM

Go to GPS

Require domain users to elevate when setting a networkÂ´s location

This policy setting determines whether to require domain users to elevate when setting a networkÂ´s location.

If you enable this policy setting, domain users must elevate when setting a networkÂ´s location.

If you disable or do not configure this policy setting, domain users can set a networkÂ´s location without elevating.

Go to GPS

Require strict target SPN match on remote procedure calls

When an application attempts to make a remote procedure call (RPC) to this server with a

NULL value for the service principal name (SPN), computers running Windows 7 will attempt to use Kerberos by generating an SPN. This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN.

If you enable this policy setting, only services running as LocalSystem or NetworkService will be allowed to accept these connections. Services running as identities different from

LocalSystem or NetworkService might fail to authenticate.

If you disable or do not configure this policy setting, then any service will be allowed to accept incoming connections by using this system-generated SPN.

Go to GPS

Reserve Battery Notification Level

Specify the percentage of battery capacity remaining that triggers the reserve power mode.

If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve power notification.



Reserve Battery Notification Level (percent):

=== Detailed values: === decimal: Id: EnterReserveBatteryNotificationLevel; ValueName: DCSettingIndex

Go to GPS

Route all traffic through the internal network

This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly.

When a remote client computer connects to an internal network using DirectAccess, it can access the Internet in two ways: through the secure tunnel that DirectAccess establishes between the computer and the internal network, or directly through the local default gateway.

If you enable this policy setting, all traffic between a remote client computer running

DirectAccess and the Internet is routed through the internal network.

If you disable this policy setting, traffic between remote client computers running

DirectAccess and the Internet is not routed through the internal network.

If you do not configure this policy setting, traffic between remote client computers running

DirectAccess and the Internet is not routed through the internal network.

=== Detailed values: === enum: Id: StateSelect; ValueName: Force_Tunneling item: value item: value

Go to GPS

Run Windows PowerShell scripts first at computer startup, shutdown

This policy setting determines whether Windows PowerShell scripts will run before non-

PowerShell scripts during computer startup and shutdown. By default, PowerShell scripts run after non-PowerShell scripts.

If you enable this policy setting, within each applicable Group Policy object (GPO),

PowerShell scripts will run before non-PowerShell scripts during computer startup and shutdown.

For example, assume the following scenario:

There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO

A.

GPO B and GPO C include the following computer startup scripts:

GPO B: B.cmd, B.ps1

GPO C: C.cmd, C.ps1

Assume also that there are two computers, DesktopIT and DesktopSales.

For DesktopIT, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for DesktopIT:

Within GPO B: B.ps1, B.cmd

Within GPO C: C.ps1, C.cmd

For DesktopSales, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs

B and C run in the following order for DesktopSales:

Within GPO B: B.cmd, B.ps1

Within GPO C: C.cmd, C.ps1

Note: This policy setting determines the order in which computer startup and shutdown scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO:

Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Startup

Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown

Go to GPS

Run Windows PowerShell scripts first at user logon, logoff


PowerShell scripts during user logon and logoff. By default, PowerShell scripts run after non-

PowerShell scripts.


PowerShell scripts will run before non-PowerShell scripts during user logon and logoff.



A.

GPO B and GPO C include the following user logon scripts:

GPO B: B.cmd, B.ps1

GPO C: C.cmd, C.ps1

Assume also that there are two users, Qin Hong and Tamara Johnston.

For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for Qin:



For Tamara, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for Tamara:



Note: This policy setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO:

User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logon

User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff

This setting appears in the Computer Configuration and User Configuration folders. The setting set in Computer Configuration takes precedence over the setting set in User

Configuration.

Go to GPS

Run Windows PowerShell scripts first at user logon, logoff


PowerShell scripts during user logon and logoff. By default, PowerShell scripts run after non-

PowerShell scripts.


PowerShell scripts will run before non-PowerShell scripts during user logon and logoff.



A.

GPO B and GPO C include the following user logon scripts:

GPO B: B.cmd, B.ps1

GPO C: C.cmd, C.ps1

Assume also that there are two users, Qin Hong and Tamara Johnston.

For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for Qin:



For Tamara, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for Tamara:



Note: This policy setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO:

User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logon

User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff

This setting appears in the Computer Configuration and User Configuration folders. The setting set in Computer Configuration takes precedence over the setting set in User

Configuration.

Go to GPS

Select the network adapter to be used for Remote Desktop

IP Virtualization

This policy setting specifies the IP address and network mask that corresponds to the network adapter used for virtual IP addresses. The IP address and network mask should be entered in

Classless Inter-Domain Routing notation; for example, 192.0.2.96/24.

If you enable this policy setting, the specified IP address and network mask are used to select the network adapter used for the virtual IP addresses.

If you disable or do not configure this policy setting, Remote Desktop IP Virtualization is turned off. A network adapter must be configured for Remote Desktop IP Virtualization to work.


Define IP address and network mask corresponding to the network adapter to be used for

Remote Desktop IP Virtualization:

The format is [IP address]/[network mask]. For Example:192.0.2.96/24

=== Detailed values: === text: Id: TS_NET_ID_IP_VIRTUALIZATION; ValueName: VIPAdapter

Go to GPS

Set a support web page link

Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy.


Support Web page URLhttp://msdn.microsoft.com

=== Detailed values: === text: Id: AdminInfoUrl_TextBox; ValueName: AdminInfoUrl

Go to GPS

Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background trans

This policy setting limits the network bandwidth that Background Intelligent Transfer Service

(BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers.

If you enable this setting, then you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period.

You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, then you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule.

If you disable or do not configure this policy setting, then the limits defined for work and/or non-work schedules will be used.

Note: The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules.


Maintenance Days

From

To

Daily Maintenance Hours

From

To

Bandwidth Limits During Maintenance Hours

High Priority Limit:

High Priority Unit:

Normal Priority Limit:

Normal Priority Unit:

Low Priority Limit:

Low Priority Unit:

=== Detailed values: === enum: Id: BITS_MaintenanceDaysFrom; ValueName: StartDay item: decimal: 0 => Sunday item: decimal: 1 => Monday item: decimal: 2 => Tuesday item: decimal: 3 => Wednesday item: decimal: 4 => Thursday item: decimal: 5 => Friday item: decimal: 6 => Saturday enum: Id: BITS_MaintenanceDaysTo; ValueName: EndDay item: decimal: 0 => Sunday item: decimal: 1 => Monday

item: decimal: 2 => Tuesday item: decimal: 3 => Wednesday item: decimal: 4 => Thursday item: decimal: 5 => Friday item: decimal: 6 => Saturday enum: Id: BITS_MaintenanceHoursFrom; ValueName: StartHour item: decimal: 0 => 12 AM item: decimal: 1 => 1 AM item: decimal: 2 => 2 AM item: decimal: 3 => 3 AM item: decimal: 4 => 4 AM item: decimal: 5 => 5 AM item: decimal: 6 => 6 AM item: decimal: 7 => 7 AM item: decimal: 8 => 8 AM item: decimal: 9 => 9 AM item: decimal: 10 => 10 AM item: decimal: 11 => 11 AM item: decimal: 12 => 12 PM item: decimal: 13 => 1 PM item: decimal: 14 => 2 PM item: decimal: 15 => 3 PM item: decimal: 16 => 4 PM item: decimal: 17 => 5 PM item: decimal: 18 => 6 PM item: decimal: 19 => 7 PM

item: decimal: 20 => 8 PM item: decimal: 21 => 9 PM item: decimal: 22 => 10 PM item: decimal: 23 => 11 PM enum: Id: BITS_MaintenanceHoursTo; ValueName: EndHour item: decimal: 0 => 12 AM item: decimal: 1 => 1 AM item: decimal: 2 => 2 AM item: decimal: 3 => 3 AM item: decimal: 4 => 4 AM item: decimal: 5 => 5 AM item: decimal: 6 => 6 AM item: decimal: 7 => 7 AM item: decimal: 8 => 8 AM item: decimal: 9 => 9 AM item: decimal: 10 => 10 AM item: decimal: 11 => 11 AM item: decimal: 12 => 12 PM item: decimal: 13 => 1 PM item: decimal: 14 => 2 PM item: decimal: 15 => 3 PM item: decimal: 16 => 4 PM item: decimal: 17 => 5 PM item: decimal: 18 => 6 PM item: decimal: 19 => 7 PM item: decimal: 20 => 8 PM

item: decimal: 21 => 9 PM item: decimal: 22 => 10 PM item: decimal: 23 => 11 PM decimal: Id: BITS_MaintenanceHighPriorityLimit; ValueName: HighBandwidthLimit enum: Id: BITS_MaintenanceHighPriorityUnit; ValueName: HighBandwidthType item: decimal: 1 => Kbps item: decimal: 2 => Mbps item: decimal: 3 => Unlimited decimal: Id: BITS_MaintenanceNormalPriorityLimit; ValueName: NormalBandwidthLimit enum: Id: BITS_MaintenanceNormalPriorityUnit; ValueName: NormalBandwidthType item: decimal: 1 => Kbps item: decimal: 2 => Mbps item: decimal: 3 => Unlimited decimal: Id: BITS_MaintenanceLowPriorityLimit; ValueName: LowBandwidthLimit enum: Id: BITS_MaintenanceLowPriorityUnit; ValueName: LowBandwidthType item: decimal: 1 => Kbps item: decimal: 2 => Mbps item: decimal: 3 => Unlimited

Go to GPS

Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers

This policy setting limits the network bandwidth that Background Intelligent Transfer Service

(BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours.

If you enable this setting, then you can set up a schedule for limiting network bandwidth during both work and non-work hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low.

You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00

P.M. on Monday through Friday, and then set the limit to 512 Kbps for non-work hours.

If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers.


Ignore bandwidth limits if the source and the destination are on the same subnet.

Work Days

From

To

Daily Work Hours

From

To

Bandwidth Limits During Work Hours


High Priority Unit:



Low Priority Limit:

Low Priority Unit:

Bandwidth Limits During Non-Work Hours


High Priority Unit:



Low Priority Limit:

Low Priority Unit:

=== Detailed values: === boolean: Id: BITS_IgnoreLimitsOnLan; ValueName: IgnoreBandwidthLimitsOnLan enum: Id: BITS_WorkDaysFrom; ValueName: StartDay item: decimal: 0 => Sunday item: decimal: 1 => Monday item: decimal: 2 => Tuesday item: decimal: 3 => Wednesday item: decimal: 4 => Thursday item: decimal: 5 => Friday item: decimal: 6 => Saturday

enum: Id: BITS_WorkDaysTo; ValueName: EndDay item: decimal: 0 => Sunday item: decimal: 1 => Monday item: decimal: 2 => Tuesday item: decimal: 3 => Wednesday item: decimal: 4 => Thursday item: decimal: 5 => Friday item: decimal: 6 => Saturday enum: Id: BITS_WorkHoursFrom; ValueName: StartHour item: decimal: 0 => 12 AM item: decimal: 1 => 1 AM item: decimal: 2 => 2 AM item: decimal: 3 => 3 AM item: decimal: 4 => 4 AM item: decimal: 5 => 5 AM item: decimal: 6 => 6 AM item: decimal: 7 => 7 AM item: decimal: 8 => 8 AM item: decimal: 9 => 9 AM item: decimal: 10 => 10 AM item: decimal: 11 => 11 AM item: decimal: 12 => 12 PM item: decimal: 13 => 1 PM item: decimal: 14 => 2 PM item: decimal: 15 => 3 PM item: decimal: 16 => 4 PM item: decimal: 17 => 5 PM

item: decimal: 18 => 6 PM item: decimal: 19 => 7 PM item: decimal: 20 => 8 PM item: decimal: 21 => 9 PM item: decimal: 22 => 10 PM item: decimal: 23 => 11 PM enum: Id: BITS_WorkHoursTo; ValueName: EndHour item: decimal: 0 => 12 AM item: decimal: 1 => 1 AM item: decimal: 2 => 2 AM item: decimal: 3 => 3 AM item: decimal: 4 => 4 AM item: decimal: 5 => 5 AM item: decimal: 6 => 6 AM item: decimal: 7 => 7 AM item: decimal: 8 => 8 AM item: decimal: 9 => 9 AM item: decimal: 10 => 10 AM item: decimal: 11 => 11 AM item: decimal: 12 => 12 PM item: decimal: 13 => 1 PM item: decimal: 14 => 2 PM item: decimal: 15 => 3 PM item: decimal: 16 => 4 PM item: decimal: 17 => 5 PM item: decimal: 18 => 6 PM

item: decimal: 19 => 7 PM item: decimal: 20 => 8 PM item: decimal: 21 => 9 PM item: decimal: 22 => 10 PM item: decimal: 23 => 11 PM decimal: Id: BITS_WorkHighPriorityLimit; ValueName: HighBandwidthLimit enum: Id: BITS_WorkHighPriorityUnit; ValueName: HighBandwidthType item: decimal: 1 => Kbps item: decimal: 2 => Mbps item: decimal: 3 => Unlimited decimal: Id: BITS_WorkNormalPriorityLimit; ValueName: NormalBandwidthLimit enum: Id: BITS_WorkNormalPriorityUnit; ValueName: NormalBandwidthType item: decimal: 1 => Kbps item: decimal: 2 => Mbps item: decimal: 3 => Unlimited decimal: Id: BITS_WorkLowPriorityLimit; ValueName: LowBandwidthLimit enum: Id: BITS_WorkLowPriorityUnit; ValueName: LowBandwidthType item: decimal: 1 => Kbps item: decimal: 2 => Mbps item: decimal: 3 => Unlimited decimal: Id: BITS_NonWorkHighPriorityLimit; ValueName: HighBandwidthLimit enum: Id: BITS_NonWorkHighPriorityUnit; ValueName: HighBandwidthType item: decimal: 1 => Kbps item: decimal: 2 => Mbps item: decimal: 3 => Unlimited decimal: Id: BITS_NonWorkNormalPriorityLimit; ValueName: NormalBandwidthLimit enum: Id: BITS_NonWorkNormalPriorityUnit; ValueName: NormalBandwidthType item: decimal: 1 => Kbps item: decimal: 2 => Mbps item: decimal: 3 => Unlimited

decimal: Id: BITS_NonWorkLowPriorityLimit; ValueName: LowBandwidthLimit enum: Id: BITS_NonWorkLowPriorityUnit; ValueName: LowBandwidthType item: decimal: 1 => Kbps item: decimal: 2 => Mbps item: decimal: 3 => Unlimited

Go to GPS

Short name creation options

These settings provide control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system.

If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume.


Short name creation options

=== Detailed values: === enum: Id: ShortNameCreationSetting_Levels; ValueName: NtfsDisable8dot3NameCreation item: decimal: 0 => Enable on all volumes item: decimal: 1 => Disable on all volumes item: decimal: 2 => Enable / disable on a per volume basis item: decimal: 3 => Disable on all data volumes

Go to GPS

Specify search order for device driver source locations

This policy setting allows you to specify the order in which Windows searches source locations for device drivers.

If you enable this policy setting, you can select whether Windows searches Windows Update

first, searches Windows Update last, or does not search Windows Update.

If you disable or do not configure this policy setting, members of the Administrators group can determine the order in which Windows searches source locations for device drivers.


Select search order:

=== Detailed values: === enum: Id: DriverSearchPlaces_SearchOrderConfiguration_dropdown; ValueName:

SearchOrderConfig item: decimal: 1 => Search Windows Update First item: decimal: 2 => Search Windows Update Last item: decimal: 0 => Do not search Windows Update

Go to GPS

Specify the Display Dim Brightness (On Battery)

Specify the brightness of the display when Windows automatically reduces brightness of the display.

If you enable this policy setting, you must provide a value, in percentage, indicating the display brightness when Windows automatically reduces brightness of the display.


=== Detailed values: === decimal: Id: EnterDisplayDimBrightness; ValueName: DCSettingIndex

Go to GPS

Specify the Display Dim Brightness (Plugged In)

Specify the brightness of the display when Windows automatically reduces brightness of the display.

If you enable this policy setting, you must provide a value, in percentage, indicating the display brightness when Windows automatically reduces brightness of the display.


=== Detailed values: === decimal: Id: EnterDisplayDimBrightness; ValueName: ACSettingIndex

Go to GPS

Specify the Unattended Sleep Timeout (On Battery)

Specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer.

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows will not automatically transition to sleep.


=== Detailed values: === decimal: Id: EnterUnattendedSleepTimeOut; ValueName: DCSettingIndex

Go to GPS

Specify the Unattended Sleep Timeout (Plugged In)

Specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer.

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows will not automatically transition to sleep.


=== Detailed values: === decimal: Id: EnterUnattendedSleepTimeOut; ValueName: ACSettingIndex

Go to GPS

Tape Drives: Deny execute access

This policy setting denies execute access to the Tape Drive removable storage class.



Go to GPS

Teredo Client Port

This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended).

If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize.

If you enable this policy setting, you can customize a UDP port for the Teredo client.


=== Detailed values: === decimal: Id: TeredoClientPortBox; ValueName: Teredo_ClientPort

Go to GPS

Teredo Default Qualified

This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state.


This policy setting contains only one state:

Policy Enabled State: If Default Qualified is enabled, Teredo will attempt qualification immediately and remain qualified if the qualification process succeeds.

=== Detailed values: === enum: Id: StateSelect; ValueName: Teredo_DefaultQualified item: value

Go to GPS

Teredo Refresh Rate

This policy setting allows you to configure the Teredo refresh rate.

Note: On a periodic basis (by default, every 30 seconds), Teredo clients send a single Router

Solicitation packet to the Teredo server. The Teredo server sends a Router Advertisement

Packet in response. This periodic packet refreshes the IP address and UDP port mapping in the translation table of the Teredo clientÂ´s NAT device.

If you enable this policy setting, you can specify the refresh rate. If you choose a refresh rate longer than the port mapping in the Teredo clientÂ´s NAT device, Teredo might stop working or connectivity might be intermittent.

If you disable or do not configure this policy setting, the refresh rate is configured using the local settings on the computer. The default refresh rate is 30 seconds.

=== Detailed values: === decimal: Id: TeredoRefreshRateBox; ValueName: Teredo_RefreshRate

Go to GPS

Teredo Server Name

This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied.

If you enable this policy setting, you can specify a Teredo server name that applies to a

Teredo client.

If you disable or do not configure this policy setting, the local settings on the computer are used to determine the Teredo server name.

=== Detailed values: === text: Id: TeredoServerNameBox; ValueName: Teredo_ServerName

Go to GPS

Teredo State

This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet.

If you disable or do not configure this policy setting, the local host settings is used.

If you enable this policy setting, you will be able to configure Teredo with one of the following settings:

Default: The default state is "Client."

Disabled: No Teredo interfaces are present on the host.

Client: The Teredo interface is present only when the host is not on a network that includes a domain controller.

Enterprise Client: The Teredo interface is always present, even if the host is on a network that includes a domain controller.

=== Detailed values: === enum: Id: StateSelect; ValueName: Teredo_State item: value item: value item: value item: value

Go to GPS

Time (in seconds) to force reboot when required for policy changes to take effect

Set the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies.

If you enable this setting, set the amount of seconds you want the system to wait until a reboot.

If you disable or do not configure this setting, the system will not force a reboot.

NOTE: If no reboot is forced, the device installation restriction right will not take effect until

the system is restarted.


Reboot Timeout (in seconds)

=== Detailed values: === decimal: Id: DeviceInstall_Policy_RebootTime_Time; ValueName: RebootTime

Go to GPS

Timeout for fast user switching events

This policy setting specifies the number of seconds a pending fast-user switch event will remain active before the switch is initiated. By default, a fast user switch event is active for 10 seconds before becoming inactive.

If you enable this policy setting, you can configure the fast user switch event timeout to specify the number of seconds the event remains active. This value cannot exceed 60 seconds.

If you disable or do not configure this policy setting, the default value of 10 seconds will be used for fast-user switch event timeouts.


Timeout in seconds:

=== Detailed values: === decimal: Id: Pol_Biometrics_FUSTimeout; ValueName: SwitchTimeoutInSeconds

Go to GPS

Troubleshooting: Allow users to access and run

Troubleshooting Wizards

This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers.

If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel.

If you disable this policy setting, users cannot access or run the troubleshooting tools from the

Control Panel.

Note that this setting also controls a userÂ´s ability to launch standalone troubleshooting

packs such as those found in .diagcab files.

Go to GPS

Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the

This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking

Â´YesÂ´ when they are prompted by a message that states, Â´Do you want the most up-todate troubleshooting content?Â´

If you enable or do not configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers, from within the Troubleshooting Control Panel user interface.

If you disable this policy setting, users can only access and search troubleshooting content that is available locally on their computers, even if they are connected to the Internet. They will be prevented from connecting to the Microsoft servers that host the Windows Online

Troubleshooting Service.

Go to GPS

Turn off Aero Shake window minimizing mouse gesture

Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse.

If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse.

If you disable or do not configure this policy, this window minimizing and restoring gesture will apply.

Go to GPS

Turn off Application Telemetry

The policy controls the state of the Application Telemetry engine in the system.

Application Telemetry is a mechanism that tracks anonymous usage of specific Windows

system components by applications.

Turning Application Telemetry off by selecting "enable" will stop the collection of usage data.

If the customer Experience Improvement program is turned off, Application Telemetry will be turned off regardless of how this policy is set.

Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for all applications, please reboot your machine.

Go to GPS

Turn off automatic promotion of notification icons to the taskbar

If you enable this setting, newly added notification icons will not be temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control

Panel.

If you disable this setting or do not configure it, newly added notification icons will sometimes be temporarily promoted to the Taskbar.

Go to GPS

Turn off Autoplay for non-volume devices

If this policy is enabled, autoplay will not be enabled for non-volume devices like MTP devices. If you disable or not configure this policy, autoplay will continue to be enabled for non-volume devices.

Go to GPS

Turn off Autoplay for non-volume devices

If this policy is enabled, autoplay will not be enabled for non-volume devices like MTP devices. If you disable or not configure this policy, autoplay will continue to be enabled for non-volume devices.

Go to GPS

Turn off Data Execution Prevention for Explorer

Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.

Go to GPS

Turn off Data Execution Prevention for HTML Help

Executible

This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced DEP.

DEP is designed to block malicious code that takes advantage of exception-handling mechanisms in Windows. If you enable this policy setting, DEP for HTML Help Executable will be turned off. This will allow certain legacy ActiveX controls to function without DEP shutting down HTML Help Executable.

If you disable or do not configure this policy setting, DEP will be turned on for HTML Help

Executable.

Note : Data Execution Prevention (DEP) is a security feature that can help prevent damage to your computer from viruses and other security threats. DEP can help protect your computer by monitoring your programs to make sure that they use system memory safely.

Go to GPS

Turn off display of recent search entries in the Windows

Explorer search box

Disables suggesting recent queries for the Search Box and prevents entries into the Search

Box from being stored in the registry for future references.

Windows Explorer shows suggestion pop-ups as users type into the Search Box. These suggestions are based on their past entries into the Search Box.

Note: If you enable this policy, Windows Explorer will not show suggestion pop-ups as users type into the Search Box, and it will not store Search Box entries into the registry for future references. If the user types a property, values that match this property will be shown but no data will be saved in the registry or re-shown on subsequent uses of the search box.

Go to GPS

Turn off Fair Share CPU Scheduling

Fair Share CPU Scheduling dynamically distributes processor time across all Remote Desktop

Services sessions on the same RD Session Host server, based on the number of sessions and the demand for processor time within each session.

If you enable this policy setting, Fair Share CPU Scheduling is turned off.

If you disable or do not configure this policy setting, Fair Share CPU Scheduling is turned on.

Go to GPS

Turn off feature advertisement balloon notifications

If you enable this setting, certain notification balloons that are marked as feature advertisements will not be shown.

If you disable this setting or do not configure it, feature advertisement balloons will be shown.

Go to GPS

Turn off handwriting personalization data sharing

Turns off data sharing from the handwriting recognition personalization tool.

The handwriting recognition personalization tool tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection.

If you enable this policy, Tablet PC users cannot choose to share writing samples from the handwriting recognition personalization tool with Microsoft.

If you disable this policy, Tablet PC user writing samples from the handwriting recognition personalization tool will automatically be shared with Microsoft.

If you do not configure this policy, Tablet PC users can choose whether or not they want to share their writing samples from the handwriting recognition personalization tool with

Microsoft.

Go to GPS

Turn off location

This policy setting turns off the location feature for this computer.

If you enable this policy setting, the location feature will be turned off, and all programs on this computer will not be able to use location information from the location feature.

If you disable or do not configure this policy setting, all programs on this computer can use location information from the location feature.

Go to GPS

Turn off location

This policy setting turns off the location feature for this computer.

If you enable this policy setting, the location feature will be turned off, and all programs on this computer will not be able to use location information from the location feature.

If you disable or do not configure this policy setting, all programs on this computer can use location information from the location feature.

Go to GPS

Turn off location scripting

This policy setting turns off scripting for the location feature.

If you enable this policy setting, scripts for the location feature will not run.

If you disable or do not configure this policy setting, all location scripts will run.

Go to GPS

Turn off location scripting

This policy setting turns off scripting for the location feature.

If you enable this policy setting, scripts for the location feature will not run.

If you disable or do not configure this policy setting, all location scripts will run.

Go to GPS

Turn off numerical sorting in Windows Explorer

This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order.

If you enable this policy setting, Windows Explorer will sort file names by each digit in a file name (for example, 111 < 22 < 3).

If you disable or do not configure this policy setting, Windows Explorer will sort file names by increasing number value (for example, 3 < 22 < 111).

Go to GPS

Turn off Problem Steps Recorder

This policy controls the state of the Problem Steps Recorder feature in the system.

Problem Steps Recorder enables capturing the steps taken by the user before encountering a problem. The output data generated by Problem Steps Recorder will be another type of data collection enabled through feedback scenarios such as Windows Error Reporting to help developers in understanding problems. The captured data will contain descriptions about the user actions involving information such as user inputs on keyboard and mouse, meta data about the UI objects interacted along with screen shots. Problem Steps Recorder provides specific options to turn on and off the data collection whenever required.

By default, Problem Steps Recorder will be available for customers to turn on during a problem reporting scenario.

If you enable this policy setting, then the Problem Steps Recorder feature will be disabled on this machine.

If you disable or do not configure this policy setting, then Problem Steps Recorder will be available for customers.

Go to GPS

Turn off Program Inventory

This policy controls the state of the Program Inventory collector in the system.

The PDU inventories programs and files on the system and sends information about those files to Microsoft. This information is used to help associate files to programs and diagnose application compatibility problems.

The PDU is on by default.

If you enable this policy setting, inventory collection will be turned off and data will not be sent to Microsoft. Enabling this setting also disables collection of installation data through

PCA.

If you disable or do not configure this policy setting, inventory collection will be turned on.

Go to GPS

Turn off sensors

This policy setting turns off the sensor feature for this computer.

If you enable this policy setting, the sensor feature will be turned off, and all programs on this computer will not be able to use the sensor feature.

If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature.

Go to GPS

Turn off sensors

This policy setting turns off the sensor feature for this computer.

If you enable this policy setting, the sensor feature will be turned off, and all programs on this computer will not be able to use the sensor feature.

If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature.

Go to GPS

Turn off SwitchBack Compatibility Engine

The policy controls the state of the Switchback compatibility engine in the system.

Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications.

Switchback is on by default.

If you enable this policy setting, Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they are using.

If you disable or do not configure this policy setting, the Switchback will be turned on.

Please reboot the system after changing the setting to ensure that your system accurately reflects those changes.

Go to GPS

Turn off the display of snippets in Content view mode

Disables the display of snippets when Content view mode is turned on.

Windows Explorer shows snippets in Content view mode by default.

If you enable this policy, Windows Explorer will not display snippets in Content view mode.

Go to GPS

Turn off Touch Panning

Turn off Panning

Turns off touch panning, which allows users pan inside windows by touch. On a compatible

PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content.

If you enable this setting, the user will not be able to pan windows by touch.

If you disable this setting, the user can pan windows by touch.

If you do not configure this setting, Touch Panning is on by default.

Note: Changes to this setting will not take effect until the user logs off.

Go to GPS

Turn off Touch Panning

Turn off Panning

Turns off touch panning, which allows users pan inside windows by touch. On a compatible

PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content.

If you enable this setting, the user will not be able to pan windows by touch.

If you disable this setting, the user can pan windows by touch.

If you do not configure this setting, Touch Panning is on by default.

Note: Changes to this setting will not take effect until the user logs off.

Go to GPS

Turn off Windows Installer RDS Compatibility

This policy setting specifies whether Windows Installer RDS Compatibility runs on a per user basis for fully installed applications. Windows Installer allows one instance of the msiexec process to run at a time. By default, Windows Installer RDS Compatibility is turned on.

If you enable this policy setting, Windows Installer RDS Compatibility is turned off, and only one instance of the msiexec process can run at a time.

If you disable or do not configure this policy setting, Windows Installer RDS Compatibility is turned on, and multiple per user application installation requests are queued and handled by the msiexec process in the order in which they are received.

Go to GPS

Turn off Windows Libraries features that rely on indexed file data

This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. If you enable this policy, some Windows Libraries features will be turned off to better handle included folders that have been redirected to non-indexed network locations.

Setting this policy will:

* Disable all Arrangement views except for "By Folder"

* Disable all Search filter suggestions other than "Date Modified" and "Size"

* Disable view of file content snippets in Content mode when search results are returned

* Disable ability to stack in the Context menu and Column headers

* Exclude Libraries from the scope of Start search

This policy will not enable users to add unsupported locations to Libraries.

If you enable this policy, Windows Libraries features that rely on indexed file data will be disabled.

If you disable or do not configure this policy, all default Windows Libraries features will be enabled.

Go to GPS

Turn On Desktop Background Slideshow (On Battery)

Specify if Windows should enable the desktop background slideshow.

If you enable this policy setting, desktop background slideshow is enabled.

If you disable this policy setting, the desktop background slideshow is disabled. if you do not configure this setting, users can see and change this setting.

Go to GPS

Turn On Desktop Background Slideshow (Plugged In)

Specify if Windows should enable the desktop background slideshow.

If you enable this policy setting, desktop background slideshow is enabled.

If you disable this policy setting, the desktop background slideshow is disabled. if you do not configure this setting, users can see and change this setting.

Go to GPS

Turn on Remote Desktop IP Virtualization

This policy setting specifies whether Remote Desktop IP Virtualization is turned on.

By default, Remote Desktop IP Virtualization is turned off.

If you enable this policy setting, Remote Desktop IP Virtualization is turned on. You can select the mode in which this setting is applied. If you are using Per Program mode, you must enter a list of programs to use virtual IP addresses. List each program on a separate line (do not enter any blank lines between programs). For example:

explorer.exe mstsc.exe

If you disable or do not configure this policy setting, Remote Desktop IP Virtualization is turned off.


Turn on Remote Desktop IP Virtualization mode:

Assign virtual IP addresses to these programs:

If you are listing more than one program, list each program on a separate line (do not enter any blank lines between programs). For example: explorer.exe mstsc.exe

=== Detailed values: === enum: Id: TS_ENABLE_IP_VIRTUALIZATION; ValueName: VirtualMode item: decimal: 1 => Per Program item: decimal: 0 => Per Session multiText: Id: TS_ENABLE_IP_VIRTUALIZATION_EDIT; ValueName: PerApp

Go to GPS

Turn on Smart Card Plug and Play service

This policy setting allows you to control whether Smart Card Plug and Play is enabled.

If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time.

If you disable this policy setting, Smart Card Plug and Play will be disabled and a device driver will not be installed when a card is inserted in a Smart Card Reader.

Note: This policy setting is applied only for smart cards that have passed the Windows

Hardware Quality Labs (WHQL) testing process.

Go to GPS

Use forest search order

This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs).

If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain.

If you disable or do not configure this policy setting, the KDC will not search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name is not found, NTLM authentication might be used.

To ensure consistent behavior, this policy setting must be supported and set identically on all domain controllers in the domain.

=== Detailed values: === text: Id: ForestSearchList; ValueName: ForestSearchList

Go to GPS

Use Remote Desktop Easy Print printer driver first

This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers.

If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD

Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session.

If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session.

Note: If the "Do not allow client printer redirection" policy setting is enabled, the "Use

Remote Desktop Easy Print printer driver first" policy setting is ignored.

Go to GPS

Use Remote Desktop Easy Print printer driver first

This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers.

If you enable or do not configure this policy setting, the RD Session Host server first tries to

use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD

Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session.

If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session.

Note: If the "Do not allow client printer redirection" policy setting is enabled, the "Use

Remote Desktop Easy Print printer driver first" policy setting is ignored.

Go to GPS

Validate smart card certificate usage rule compliance

This policy setting allows you to associate an object identifier from a smart card certificate to a BitLocker-protected drive. This policy setting is applied when you turn on BitLocker.

The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates may be used to authenticate a user certificate to a BitLockerprotected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting.

Default object identifier is 1.3.6.1.4.1.311.67.1.1

Note: BitLocker does not require that a certificate have an EKU attribute, but if one is configured for the certificate it must be set to an object identifier (OID) that matches the OID configured for BitLocker.

If you enable this policy setting, the object identifier specified in the "Object identifier" box must match the object identifier in the smart card certificate.

If you disable or do not configure this policy setting, a default object identifier is used.

=== Detailed values: === text: Id: UserCertificateOID; ValueName: CertificateOID

Go to GPS

Verify old and new Folder Redirection targets point to the same share before redirecting

This policy setting allows you to prevent data loss when you change the target location for

Folder Redirection, and the new and old targets point to the same network share, but have different network paths.

If you enable this policy setting, Folder Redirection creates a temporary file in the old location in order to verify that new and old locations point to the same network share. If both new and old locations point to the same share, the target path is updated and files are not copied or deleted. The temporary file is deleted.

If you disable or do not configure this policy setting, Folder Redirection does not create a temporary file and functions as if both new and old locations point to different shares when their network paths are different.

Note: If the paths point to different network shares, this policy setting is not required. If the paths point to the same network share, any data contained in the redirected folders is deleted if this policy setting is not enabled.

Go to GPS