Windows 10 and Windows Server 2016 Policy Settings

Group Policy Settings Reference
Windows 10
This spreadsheet lists the policy settings for computer and user configurations that are included in the Administrative template files (.admx and
Windows 10, version 1607. The policy settings included in this spreadsheet also cover Windows Server 2016, Windows 10, Windows Server 2
Windows 8.1, Windows 8, Windows 7, Windows Vista with SP1,Windows XP Professional with SP2 or earlier service packs, and Microsoft W
These files are used to expose policy settings when you use the Group Policy Management Console (GPMC) to edit Group Policy Objects (GP
You can use the filtering capabilities that are included in this spreadsheet to view a specific subset of data, based on one value or a combinati
in one or more of the columns. In addition, you can click Custom in the drop-down list of any of the column headings to add additional filtering
To view a specific subset of data, click the drop-down arrow in the column heading of cells that contain the value or combination of values on w
and then click the desired value in the drop-down list. For example, to view policy settings that are available for Windows Server 2012 or Wind
Administrative Template worksheet, click the drop-down arrow next to Supported On, and then click At least Microsoft Windows Server 2
Legal Notice
This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change witho
Some examples depicted herein are provided for illustration only and are fictitious.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your in
2015 Microsoft Corporation. All rights reserved.
Active Directory, Hyper-V, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, Windows Server,
and Windows Vista are trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.

nistrative template files (.admx and .adml) delivered with
6, Windows 10, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008,Windows Server 2003 with SP2 or ear
er service packs, and Microsoft Windows 2000 with SP5 or earlier service packs.
C) to edit Group Policy Objects (GPOs).
based on one value or a combination of values that are available

headings to add additional filtering criteria within that column.
alue or combination of values on which you want to filter,
for Windows Server 2012 or Windows 8, in the
ast Microsoft Windows Server 2012 or Windows 8.
Web site references, may change without notice.
opy and use this document for your internal, reference purposes.
dows Server 2003 with SP2 or earlier service packs,
File name
activexinstallservice.admx
activexinstallservice.admx
addremoveprograms.admx
allowbuildpreview.admx
appcompat.admx
appcompat.admx
appcompat.admx
appcompat.admx
appcompat.admx
appcompat.admx
appcompat.admx
appcompat.admx
appcompat.admx
appprivacy.admx
appprivacy.admx
appprivacy.admx
appprivacy.admx
appprivacy.admx
appprivacy.admx
appprivacy.admx
appprivacy.admx
appprivacy.admx
appprivacy.admx
appprivacy.admx
appprivacy.admx
appprivacy.admx
appprivacy.admx
appprivacy.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appv.admx
appxpackagemanager.admx
appxruntime.admx
appxruntime.admx
appxruntime.admx
appxruntime.admx
appxruntime.admx
appxruntime.admx
appxruntime.admx
attachmentmanager.admx
auditsettings.admx
autoplay.admx
autoplay.admx
autoplay.admx
autoplay.admx
autoplay.admx
autoplay.admx
autoplay.admx
autoplay.admx
avsvalidationgp.admx
avsvalidationgp.admx
biometrics.admx
biometrics.admx
biometrics.admx
biometrics.admx
biometrics.admx
bits.admx
bits.admx
bits.admx
bits.admx
bits.admx
bits.admx
bits.admx
bits.admx
bits.admx
bits.admx
bits.admx
bits.admx
bits.admx
bits.admx
bits.admx
bits.admx
bits.admx
camera.admx
ceipenable.admx
ceipenable.admx
ciphersuiteorder.admx
ciphersuiteorder.admx
cloudcontent.admx
cloudcontent.admx
cloudcontent.admx
cloudcontent.admx
com.admx
com.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
conf.admx
controlpanel.admx
controlpanel.admx
controlpanel.admx
controlpanel.admx
controlpaneldisplay.admx
cpls.admx
credentialproviders.admx
credssp.admx
credssp.admx
credssp.admx
credssp.admx
credssp.admx
credssp.admx
credssp.admx
credssp.admx
credssp.admx
credssp.admx
credui.admx
credui.admx
credui.admx
credui.admx
ctrlaltdel.admx
ctrlaltdel.admx
ctrlaltdel.admx
ctrlaltdel.admx
datacollection.admx
datacollection.admx
datacollection.admx
datacollection.admx
datacollection.admx
dcom.admx
dcom.admx
deliveryoptimization.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
desktop.admx
devicecompat.admx
devicecompat.admx
devicecredential.admx
deviceguard.admx
deviceguard.admx
deviceinstallation.admx
deviceredirection.admx
deviceredirection.admx
devicesetup.admx
devicesetup.admx
devicesetup.admx
devicesetup.admx
devicesetup.admx
devicesetup.admx
devicesetup.admx
devicesetup.admx
devicesetup.admx
dfs.admx
digitallocker.admx
digitallocker.admx
diskdiagnostic.admx
diskdiagnostic.admx
disknvcache.admx
disknvcache.admx
disknvcache.admx
disknvcache.admx
diskquota.admx
diskquota.admx
diskquota.admx
diskquota.admx
diskquota.admx
diskquota.admx
distributedlinktracking.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dnsclient.admx
dwm.admx
dwm.admx
dwm.admx
dwm.admx
dwm.admx
dwm.admx
dwm.admx
dwm.admx
dwm.admx
eaime.admx
eaime.admx
eaime.admx
eaime.admx
eaime.admx
eaime.admx
eaime.admx
eaime.admx
eaime.admx
eaime.admx
earlylauncham.admx
edgeui.admx
edgeui.admx
edgeui.admx
edgeui.admx
edgeui.admx
edgeui.admx
edgeui.admx
edgeui.admx
edgeui.admx
encryptfilesonmove.admx
enhancedstorage.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
errorreporting.admx
eventforwarding.admx
eventforwarding.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlog.admx
eventlogging.admx
eventviewer.admx
eventviewer.admx
eventviewer.admx
explorer.admx
explorer.admx
explorer.admx
explorer.admx
explorer.admx
explorer.admx
explorer.admx
externalboot.admx
externalboot.admx
externalboot.admx
feedbacknotifications.admx
filehistory.admx
filerecovery.admx
filerevocation.admx
fileservervssprovider.admx
filesys.admx
filesys.admx
filesys.admx
filesys.admx
filesys.admx
filesys.admx
filesys.admx
filesys.admx
folderredirection.admx
framepanes.admx
framepanes.admx
fthsvc.admx
gameexplorer.admx
gameexplorer.admx
gameexplorer.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
globalization.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicy.admx
grouppolicypreferences.admx
grouppolicy-server.admx
help.admx
help.admx
help.admx
help.admx
helpandsupport.admx
helpandsupport.admx
helpandsupport.admx
helpandsupport.admx
hotspotauth.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
icm.admx
iis.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inetres.admx
inkwatson.admx
inkwatson.admx
iscsi.admx
iscsi.admx
iscsi.admx
iscsi.admx
iscsi.admx
iscsi.admx
iscsi.admx
iscsi.admx
iscsi.admx
iscsi.admx
kdc.admx
kdc.admx
kdc.admx
kdc.admx
kdc.admx
kdc.admx
kerberos.admx
kerberos.admx
kerberos.admx
kerberos.admx
kerberos.admx
kerberos.admx
kerberos.admx
kerberos.admx
kerberos.admx
kerberos.admx
kerberos.admx
kerberos.admx
kerberos.admx
lanmanserver.admx
lanmanserver.admx
lanmanserver.admx
lanmanserver.admx
lanmanworkstation.admx
leakdiagnostic.admx
linklayertopologydiscovery.admx
linklayertopologydiscovery.admx
locationprovideradm.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
logon.admx
mdm.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
microsoftedge.admx
mmc.admx
mmc.admx
mmc.admx
mmc.admx
mmc.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins.admx
mmcsnapins2.admx
mmcsnapins2.admx
mmcsnapins2.admx
mmcsnapins2.admx
mmcsnapins2.admx
mmcsnapins2.admx
mmcsnapins2.admx
mmcsnapins2.admx
mmcsnapins2.admx
mmcsnapins2.admx
mmcsnapins2.admx
mobilepcmobilitycenter.admx
mobilepcmobilitycenter.admx
mobilepcpresentationsettings.admx
mobilepcpresentationsettings.admx
msched.admx
msched.admx
msched.admx
msdt.admx
msdt.admx
msdt.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi.admx
msi-filerecovery.admx
nca.admx
nca.admx
nca.admx
nca.admx
nca.admx
nca.admx
nca.admx
nca.admx
ncsi.admx
ncsi.admx
ncsi.admx
ncsi.admx
ncsi.admx
ncsi.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
netlogon.admx
networkconnections.admx
networkisolation.admx
networkprovider.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
offlinefiles.admx
p2p-pnrp.admx
p2p-pnrp.admx
p2p-pnrp.admx
p2p-pnrp.admx
p2p-pnrp.admx
p2p-pnrp.admx
p2p-pnrp.admx
p2p-pnrp.admx
p2p-pnrp.admx
p2p-pnrp.admx
p2p-pnrp.admx
p2p-pnrp.admx
p2p-pnrp.admx
p2p-pnrp.admx
passport.admx
passport.admx
passport.admx
passport.admx
passport.admx
passport.admx
passport.admx
passport.admx
passport.admx
passport.admx
passport.admx
passport.admx
passport.admx
passport.admx
passport.admx
passport.admx
passport.admx
passport.admx
passport.admx
passport.admx
pca.admx
pca.admx
pca.admx
pca.admx
pca.admx
pca.admx
pca.admx
peertopeercaching.admx
pentraining.admx
pentraining.admx
performancediagnostics.admx
performanceperftrack.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
power.admx
powershellexecutionpolicy.admx
previousversions.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing.admx
printing2.admx
printing2.admx
printing2.admx
printing2.admx
printing2.admx
printing2.admx
printing2.admx
printing2.admx
printing2.admx
printing2.admx
programs.admx
programs.admx
programs.admx
programs.admx
programs.admx
programs.admx
programs.admx
qos.admx
qos.admx
qos.admx
qos.admx
qos.admx
qos.admx
qos.admx
qos.admx
qos.admx
qos.admx
qos.admx
qos.admx
qos.admx
qos.admx
qos.admx
qos.admx
qos.admx
qos.admx
qos.admx
racwmiprov.admx
radar.admx
reagent.admx
reliability.admx
reliability.admx
reliability.admx
reliability.admx
remoteassistance.admx
removablestorage.admx
rpc.admx
rpc.admx
rpc.admx
rpc.admx
rpc.admx
rpc.admx
scripts.admx
scripts.admx
scripts.admx
scripts.admx
scripts.admx
scripts.admx
scripts.admx
scripts.admx
scripts.admx
scripts.admx
scripts.admx
scripts.admx
scripts.admx
sdiageng.admx
sdiageng.admx
sdiageng.admx
sdiagschd.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
search.admx
securitycenter.admx
sensors.admx
sensors.admx
sensors.admx
sensors.admx
sensors.admx
sensors.admx
servermanager.admx
servermanager.admx
servermanager.admx
servermanager.admx
servicing.admx
settingsync.admx
settingsync.admx
settingsync.admx
settingsync.admx
settingsync.admx
settingsync.admx
settingsync.admx
settingsync.admx
settingsync.admx
settingsync.admx
setup.admx
setup.admx
shapecollector.admx
shapecollector.admx
sharedfolders.admx
sharedfolders.admx
sharing.admx
sharing.admx
shell-commandprompt-regedittools.a
shellwelcomecenter.admx
sidebar.admx
sidebar.admx
sidebar.admx
sidebar.admx
sidebar.admx
sidebar.admx
skydrive.admx
skydrive.admx
skydrive.admx
skydrive.admx
smartcard.admx
smartcard.admx
smartcard.admx
smartcard.admx
smartcard.admx
smartcard.admx
smartcard.admx
smartcard.admx
smartcard.admx
smartcard.admx
smartcard.admx
smartcard.admx
smartcard.admx
smartcard.admx
smartcard.admx
smartcard.admx
snmp.admx
snmp.admx
snmp.admx
soundrec.admx
soundrec.admx
srm-fci.admx
srm-fci.admx
srm-fci.admx
srm-fci.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
startmenu.admx
systemrestore.admx
systemrestore.admx
tabletpcinputpanel.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
tabletshell.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskbar.admx
taskscheduler.admx
taskscheduler.admx
taskscheduler.admx
taskscheduler.admx
taskscheduler.admx
taskscheduler.admx
taskscheduler.admx
taskscheduler.admx
taskscheduler.admx
taskscheduler.admx
taskscheduler.admx
taskscheduler.admx
taskscheduler.admx
taskscheduler.admx
tcpip.admx
tcpip.admx
tcpip.admx
tcpip.admx
tcpip.admx
tcpip.admx
tcpip.admx
tcpip.admx
tcpip.admx
tcpip.admx
tcpip.admx
tcpip.admx
tcpip.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver.admx
terminalserver-server.admx
thumbnails.admx
thumbnails.admx
thumbnails.admx
touchinput.admx
touchinput.admx
touchinput.admx
touchinput.admx
tpm.admx
tpm.admx
tpm.admx
tpm.admx
tpm.admx
tpm.admx
tpm.admx
userexperiencevirtualization.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
userprofiles.admx
volumeencryption.admx
w32time.admx
w32time.admx
w32time.admx
w32time.admx
wcm.admx
wcm.admx
wcm.admx
wcm.admx
wdi.admx
wdi.admx
wincal.admx
wincal.admx
windowsanytimeupgrade.admx
windowsanytimeupgrade.admx
windowsbackup.admx
windowsbackup.admx
windowsbackup.admx
windowsbackup.admx
windowsbackup.admx
windowscolorsystem.admx
windowscolorsystem.admx
windowsconnectnow.admx
windowsdefender.admx
windowsexplorer.admx
windowsfileprotection.admx
windowsfirewall.admx
windowsinkworkspace.admx
windowsinkworkspace.admx
windowsmail.admx
windowsmail.admx
windowsmail.admx
windowsmail.admx
windowsmediadrm.admx
windowsmediaplayer.admx
windowsmessenger.admx
windowsremotemanagement.admx
windowsremoteshell.admx
windowsstore.admx
windowsstore.admx
windowsstore.admx
windowsstore.admx
windowsstore.admx
windowsstore.admx
windowsstore.admx
windowsstore.admx
windowsstore.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
windowsupdate.admx
wininit.admx
wininit.admx
wininit.admx
winlogon.admx
winlogon.admx
winlogon.admx
winlogon.admx
winlogon.admx
winlogon.admx
winlogon.admx
winlogon.admx
winmaps.admx
winmaps.admx
winsrv.admx
wirelessdisplay.admx
wirelessdisplay.admx
wlansvc.admx
wlansvc.admx
wlansvc.admx
wlansvc.admx
wordwheel.admx
workfolders-client.admx
workfolders-client.admx
workplacejoin.admx
wpn.admx
wpn.admx
wpn.admx
wpn.admx
wpn.admx
wpn.admx
wpn.admx
wpn.admx
wpn.admx
wwansvc.admx
wwansvc.admx
Policy Setting Name Scope
Approved Installation Sites for ActiveX Controls Machine
Establish ActiveX installation policy for sites in Trusted zones Machine
Go directly to Components Wizard User
Hide Add New Programs page User
Hide Add/Remove Windows Components page User
Hide Change or Remove Programs page User
Hide the "Add a program from CD-ROM or floppy disk" option User
Hide the "Add programs from Microsoft" option User
Hide the "Add programs from your network" option User
Hide the Set Program Access and Defaults page User
Remove Add or Remove Programs User
Remove Support Information User
Specify default category for Add New Programs User
Toggle user control over Insider builds Machine
Prevent access to 16-bit applications Machine
Remove Program Compatibility Property Page Machine
Turn off Application Compatibility Engine Machine
Turn off Application Telemetry Machine
Turn off Inventory Collector Machine
Turn off Program Compatibility Assistant User
Turn off Program Compatibility Assistant Machine
Turn off Steps Recorder Machine
Turn off SwitchBack Compatibility Engine Machine
Let Windows apps access account information Machine
Let Windows apps access account information Machine
Let Windows apps access call history Machine
Let Windows apps access contacts Machine
Let Windows apps access email Machine
Let Windows apps access location Machine
Let Windows apps access messaging Machine
Let Windows apps access motion Machine
Let Windows apps access notifications Machine
Let Windows apps access the calendar Machine
Let Windows apps access the camera Machine
Let Windows apps access the microphone Machine
Let Windows apps access trusted devices Machine
Let Windows apps control radios Machine
Let Windows apps sync with devices Machine
Allow First Time Application Launches if on a High Cost Windows 8 Metered Machine
Certificate Filter For Client SSL Machine
Enable App-V Client Machine
Enable Dynamic Virtualization Machine
Enable Migration Mode Machine
Enable Package Scripts Machine
Enable Publishing Refresh UX Machine
Enable Support for BranchCache Machine
Integration Root Global Machine
Integration Root User Machine
Location Provider Machine
Microsoft Customer Experience Improvement Program (CEIP) Machine
Package Installation Root Machine
Package Source Root Machine
Publishing Server 1 Settings Machine
Reestablishment Interval Machine
Reestablishment Retries Machine
Reporting Server Machine
Require Publish As Admin Machine
Roaming File Exclusions Machine
Roaming Registry Exclusions Machine
Shared Content Store (SCS) mode Machine
Specify what to load in background (aka AutoLoad) Machine
Verify certificate revocation list Machine
Virtual Component Process Allow List Machine
Allow a Windows app to share application data between users Machine
Allow all trusted apps to install Machine
Allow deployment operations in special profiles Machine
Allows development of Windows Store apps and installing them from an int Machine
Disable installing Windows apps on non-system volumes Machine
Prevent users' app data from being stored on non-system volumes Machine
Allow Microsoft accounts to be optional Machine
Block launching desktop apps associated with a file. Machine
Block launching desktop apps associated with a file. User
Block launching desktop apps associated with a URI scheme Machine
Block launching desktop apps associated with a URI scheme User
Block launching Windows Store apps with Windows Runtime API access fromMachine
Turn on dynamic Content URI Rules for Windows store apps Machine
Default risk level for file attachments User
Do not preserve zone information in file attachments User
Hide mechanisms to remove zone information User
Inclusion list for high risk file types User
Inclusion list for low file types User
Inclusion list for moderate risk file types User
Notify antivirus programs when opening attachments User
Trust logic for file attachments User
Include command line in process creation events Machine
Disallow Autoplay for non-volume devices Machine
Disallow Autoplay for non-volume devices User
Prevent AutoPlay from remembering user choices. Machine
Prevent AutoPlay from remembering user choices. User
Set the default behavior for AutoRun Machine
Set the default behavior for AutoRun User
Turn off Autoplay Machine
Turn off Autoplay User
Control Device Reactivation for Retail devices Machine
Turn off KMS Client Online AVS Validation Machine
Allow domain users to log on using biometrics Machine
Allow the use of biometrics Machine
Allow users to log on using biometrics Machine
Specify timeout for fast user switching events Machine
Use enhanced anti-spoofing when available Machine
Allow BITS Peercaching Machine
Do not allow the BITS client to use Windows Branch Cache Machine
Do not allow the computer to act as a BITS Peercaching client Machine
Do not allow the computer to act as a BITS Peercaching server Machine
Limit the age of files in the BITS Peercache Machine
Limit the BITS Peercache size Machine
Limit the maximum BITS job download time Machine
Limit the maximum network bandwidth for BITS background transfers Machine
Limit the maximum network bandwidth used for Peercaching Machine
Limit the maximum number of BITS jobs for each user Machine
Limit the maximum number of BITS jobs for this computer Machine
Limit the maximum number of files allowed in a BITS job Machine
Limit the maximum number of ranges that can be added to the file in a BITSMachine
Set default download behavior for BITS jobs on costed networks Machine
Set up a maintenance schedule to limit the maximum network bandwidth use Machine
Set up a work schedule to limit the maximum network bandwidth used for BMachine
Timeout for inactive BITS jobs Machine
Allow Use of Camera Machine
Allow Corporate redirection of Customer Experience Improvement uploads Machine
Tag Windows Customer Experience Improvement data with Study Identifier Machine
ECC Curve Order Machine
SSL Cipher Suite Order Machine
Configure Windows spotlight on lock screen User
Do not show Windows Tips Machine
Turn off all Windows spotlight features User
Turn off Microsoft consumer experiences Machine
Download missing COM components User
Download missing COM components Machine
Allow persisting automatic acceptance of Calls User
Disable application Sharing User
Disable Audio User
Disable Chat User
Disable Directory services User
Disable full duplex Audio User
Disable NetMeeting 2.x Whiteboard User
Disable remote Desktop Sharing Machine
Disable the Advanced Calling button User
Disable Whiteboard User
Enable Automatic Configuration User
Hide the Audio page User
Hide the General page User
Hide the Security page User
Hide the Video page User
Limit the bandwidth of Audio and Video User
Limit the size of sent files User
Prevent adding Directory servers User
Prevent Application Sharing in true color User
Prevent automatic acceptance of Calls User
Prevent changing Call placement method User
Prevent changing DirectSound Audio setting User
Prevent Control User
Prevent Desktop Sharing User
Prevent receiving files User
Prevent receiving Video User
Prevent sending files User
Prevent sending Video User
Prevent Sharing User
Prevent Sharing Command Prompts User
Prevent Sharing Explorer windows User
Prevent viewing Web directory User
Set Call Security options User
Set the intranet support Web page User
Always open All Control Panel Items when opening Control Panel User
Hide specified Control Panel items User
Prohibit access to Control Panel and PC settings User
Show only specified Control Panel items User
Disable the Display Control Panel User
Do not display the lock screen Machine
Enable screen saver User
Force a specific background and accent color Machine
Force a specific default lock screen and logon image Machine
Force a specific Start background Machine
Force a specific visual style file or force Windows Classic User
Force specific screen saver User
Hide Settings tab User
Load a specific theme User
Password protect the screen saver User
Prevent changing color and appearance User
Prevent changing color scheme User
Prevent changing desktop background User
Prevent changing desktop icons User
Prevent changing lock screen and logon image Machine
Prevent changing mouse pointers User
Prevent changing screen saver User
Prevent changing sounds User
Prevent changing start menu background Machine
Prevent changing theme User
Prevent changing visual style for windows and buttons User
Prevent enabling lock screen camera Machine
Prevent enabling lock screen slide show Machine
Prohibit selection of visual style font size User
Screen saver timeout User
Apply the default account picture to all users Machine
Allow users to select when a password is required when resuming from con Machine
Assign a default credential provider Machine
Assign a default domain for logon Machine
Exclude credential providers Machine
Turn off picture password sign-in Machine
Turn on convenience PIN sign-in Machine
Allow delegating default credentials Machine
Allow delegating default credentials with NTLM-only server authentication Machine
Allow delegating fresh credentials Machine
Allow delegating fresh credentials with NTLM-only server authentication Machine
Allow delegating saved credentials Machine
Allow delegating saved credentials with NTLM-only server authentication Machine
Deny delegating default credentials Machine
Deny delegating fresh credentials Machine
Deny delegating saved credentials Machine
Restrict delegation of credentials to remote servers Machine
Do not display the password reveal button Machine
Do not display the password reveal button User
Enumerate administrator accounts on elevation Machine
Require trusted path for credential entry Machine
Remove Change Password User
Remove Lock Computer User
Remove Logoff User
Remove Task Manager User
Allow Telemetry Machine
Allow Telemetry User
Configure Connected User Experiences and Telemetry Machine
Configure the Commercial ID Machine
Disable pre-release features or settings Machine
Allow local activation security check exemptions Machine
Define Activation Security Check exemptions Machine
Absolute Max Cache Size (in GB) Machine
Download Mode Machine
Group ID Machine
Max Cache Age (in seconds) Machine
Max Cache Size (Percentage) Machine
Max Upload Bandwidth (in KB/s) Machine
Maximum Download Bandwidth (in KB/s) Machine
Maximum Download Bandwidth (Percentage) Machine
Minimum Background QoS (in KB/s) Machine
Modify Cache Drive Machine
Monthly Upload Data Cap (in GB) Machine
Add/Delete items User
Allow only bitmapped wallpaper User
Desktop Wallpaper User
Disable Active Desktop User
Disable all items User
Do not add shares of recently opened documents to Network Locations User
Don't save settings at exit User
Enable Active Desktop User
Enable filter in Find dialog box User
Hide Active Directory folder User
Hide and disable all items on the desktop User
Hide Internet Explorer icon on desktop User
Hide Network Locations icon on desktop User
Maximum size of Active Directory searches User
Prevent adding, dragging, dropping and closing the Taskbar's toolbars User
Prohibit adding items User
Prohibit adjusting desktop toolbars User
Prohibit changes User
Prohibit closing items User
Prohibit deleting items User
Prohibit editing items User
Prohibit User from manually redirecting Profile Folders User
Remove Computer icon on the desktop User
Remove My Documents icon on the desktop User
Remove Properties from the Computer icon context menu User
Remove Properties from the Documents icon context menu User
Remove Properties from the Recycle Bin context menu User
Remove Recycle Bin icon from desktop User
Remove the Desktop Cleanup Wizard User
Turn off Aero Shake window minimizing mouse gesture User
Device compatibility settings Machine
Driver compatibility settings Machine
Allow companion device for secondary authentication Machine
Deploy Code Integrity Policy Machine
Turn On Virtualization Based Security Machine
Allow administrators to override Device Installation Restriction policies Machine
Allow installation of devices that match any of these device IDs Machine
Allow installation of devices using drivers that match these device setup cla Machine
Allow non-administrators to install drivers for these device setup classes Machine
Allow remote access to the Plug and Play interface Machine
Code signing for device drivers User
Configure device installation time-out Machine
Display a custom message title when device installation is prevented by a po Machine
Display a custom message when installation is prevented by a policy settingMachine
Prevent creation of a system restore point during device activity that would Machine
Prevent installation of devices not described by other policy settings Machine
Prevent installation of devices that match any of these device IDs Machine
Prevent installation of devices using drivers that match these device setup cMachine
Prevent installation of removable devices Machine
Prioritize all digitally signed drivers equally during the driver ranking and se Machine
Time (in seconds) to force reboot when required for policy changes to take eMachine
Prevent redirection of devices that match any of these device Ids Machine
Prevent redirection of USB devices Machine
Configure driver search locations User
Do not send a Windows error report when a generic driver is installed on a dMachine
Prevent device metadata retrieval from the Internet Machine
Prevent Windows from sending an error report when a device driver requestsMachine
Specify search order for device driver source locations Machine
Specify the search server for device driver updates Machine
Turn off "Found New Hardware" balloons during device installation Machine
Turn off Windows Update device driver search prompt User
Turn off Windows Update device driver search prompt Machine
Configure how often a DFS client discovers domain controllers Machine
Do not allow Digital Locker to run User
Do not allow Digital Locker to run Machine
Disk Diagnostic: Configure custom alert text Machine
Disk Diagnostic: Configure execution level Machine
Turn off boot and resume optimizations Machine
Turn off cache power mode Machine
Turn off non-volatile cache feature Machine
Turn off solid state mode Machine
Apply policy to removable media Machine
Enable disk quotas Machine
Enforce disk quota limit Machine
Log event when quota limit is exceeded Machine
Log event when quota warning level is exceeded Machine
Specify default quota limit and warning level Machine
Allow Distributed Link Tracking clients to use domain resources Machine
Allow DNS suffix appending to unqualified multi-label name queries Machine
Allow NetBT queries for fully qualified domain names Machine
Connection-specific DNS suffix Machine
DNS servers Machine
DNS suffix search list Machine
Dynamic update Machine
IDN mapping Machine
Prefer link local responses over DNS when received over a network with hig Machine
Primary DNS suffix Machine
Primary DNS suffix devolution Machine
Primary DNS suffix devolution level Machine
Register DNS records with connection-specific DNS suffix Machine
Register PTR records Machine
Registration refresh interval Machine
Replace addresses in conflicts Machine
TTL value for A and PTR records Machine
Turn off IDN encoding Machine
Turn off multicast name resolution Machine
Turn off smart multi-homed name resolution Machine
Turn off smart protocol reordering Machine
Update security level Machine
Update top level domain zones Machine
Do not allow color changes User
Do not allow color changes Machine
Do not allow Flip3D invocation User
Do not allow Flip3D invocation Machine
Do not allow window animations User
Do not allow window animations Machine
Specify a default color User
Specify a default color Machine
Use solid color for Start background Machine
Do not include Non-Publishing Standard Glyph in the candidate list User
Restrict character code range of conversion User
Turn off custom dictionary User
Turn off history-based predictive input User
Turn off Internet search integration User
Turn off Open Extended Dictionary User
Turn off saving auto-tuning data to file User
Turn on cloud candidate User
Turn on cloud candidate for CHS User
Turn on misconversion logging for misconversion report User
Boot-Start Driver Initialization Policy Machine
Allow edge swipe Machine
Allow edge swipe User
Disable help tips Machine
Disable help tips User
Do not show recent apps when the mouse is pointing to the upper-left cornerUser
Prevent users from replacing the Command Prompt with Windows PowerShell User
i
Search, Share, Start, Devices, and Settings don't appear when the mouse is U
pser
Turn off switching between recent apps User
Turn off tracking of app usage User
Do not automatically encrypt files moved to encrypted folders Machine
Allow only USB root hub connected Enhanced Storage devices Machine
Configure list of Enhanced Storage devices usable on your computer Machine
Configure list of IEEE 1667 silos usable on your computer Machine
Do not allow non-Enhanced Storage removable devices Machine
Do not allow password authentication of Enhanced Storage devices Machine
Do not allow Windows to activate Enhanced Storage devices Machine
Lock Enhanced Storage when the computer is locked Machine
Automatically send memory dumps for OS-generated error reports User
Automatically send memory dumps for OS-generated error reports Machine
Configure Corporate Windows Error Reporting Machine
Configure Default consent User
Configure Default consent Machine
Configure Error Reporting Machine
Configure Report Archive User
Configure Report Archive Machine
Configure Report Queue User
Configure Report Queue Machine
Customize consent settings User
Customize consent settings Machine
Default application reporting settings Machine
Disable logging User
Disable logging Machine
Disable Windows Error Reporting User
Disable Windows Error Reporting Machine
Display Error Notification Machine
Do not send additional data User
Do not send additional data Machine
Do not throttle additional data User
Do not throttle additional data Machine
Ignore custom consent settings User
Ignore custom consent settings Machine
List of applications to always report errors for Machine
List of applications to be excluded User
List of applications to be excluded Machine
List of applications to never report errors for Machine
Prevent display of the user interface for critical errors Machine
Report operating system errors Machine
Send additional data when on battery power User
Send additional data when on battery power Machine
Send data when on connected to a restricted/costed network User
Send data when on connected to a restricted/costed network Machine
Configure forwarder resource usage Machine
Configure target Subscription Manager Machine
Back up log automatically when full Machine
Configure log access Machine
Configure log access (legacy) Machine
Control Event Log behavior when the log file reaches its maximum size Machine
Control the location of the log file Machine
Specify the maximum log file size (KB) Machine
Turn on logging Machine
Enable Protected Event Logging Machine
Events.asp program Machine
Events.asp program command line parameters Machine
Events.asp URL Machine
Display the menu bar in File Explorer User
Do not reinitialize a pre-existing roamed user profile when it is loaded on a m
Machine
Prevent users from adding files to the root of their Users Files folder. User
Set a support web page link Machine
Turn off common control and window animations User
Turn off Data Execution Prevention for Explorer Machine
Turn off heap termination on corruption Machine
Allow hibernate (S4) when starting from a Windows To Go workspace Machine
Disallow standby sleep states (S1-S3) when starting from a Windows to Go Machine
Windows To Go Default Startup Options Machine
Do not show feedback notifications Machine
Turn off File History Machine
Configure Corrupted File Recovery behavior Machine
Allow Windows Runtime apps to revoke enterprise data User
Allow or Disallow use of encryption to protect the RPC protocol messages b Machine
Disable delete notifications on all volumes Machine
Do not allow compression on all NTFS volumes Machine
Do not allow encryption on all NTFS volumes Machine
Enable / disable TXF deprecated features Machine
Enable NTFS pagefile encryption Machine
Enable Win32 long paths Machine
Selectively allow the evaluation of a symbolic link Machine
Short name creation options Machine
Do not automatically make all redirected folders available offline User
Do not automatically make specific redirected folders available offline User
Enable optimized move of contents in Offline Files cache on Folder Redirect User
Redirect folders on primary computers only User
Redirect folders on primary computers only Machine
Use localized subfolder names when redirecting Start Menu and My DocumeUser
Use localized subfolder names when redirecting Start Menu and My DocumeMachine
Turn off Preview Pane User
Turn on or off details pane User
Configure Scenario Execution Level Machine
Turn off downloading of game information Machine
Turn off game updates Machine
Turn off tracking of last play time of games in the Games folder Machine
Allow input personalization Machine
Block clean-up of unused language packs Machine
Century interpretation for Year 2000 User
Disallow changing of geographic location User
Disallow changing of geographic location Machine
Disallow copying of user input methods to the system account for sign-in Machine
Disallow selection of Custom Locales User
Disallow selection of Custom Locales Machine
Disallow user override of locale settings User
Disallow user override of locale settings Machine
Force selected system UI language to overwrite the user UI language Machine
Hide Regional and Language Options administrative options User
Hide the geographic location option User
Hide the select language group options User
Hide user locale selection and customization options User
Restrict selection of Windows menus and dialogs language User
Restrict system locales Machine
Restrict user locales User
Restrict user locales Machine
Restricts the UI language Windows uses for all logged users Machine
Restricts the UI languages Windows should use for the selected user User
Turn off autocorrect misspelled words User
Turn off automatic learning User
Turn off automatic learning Machine
Turn off highlight misspelled words User
Turn off insert a space after selecting a text prediction User
Turn off offer text predictions as I type User
Allow cross-forest user policy and roaming user profiles Machine
Always use local ADM files for Group Policy Object Editor Machine
Change Group Policy processing to run asynchronously when a slow networkMachine
Configure Direct Access connections as a fast network connection Machine
Configure disk quota policy processing Machine
Configure EFS recovery policy processing Machine
Configure folder redirection policy processing Machine
Configure Group Policy Caching Machine
Configure Group Policy domain controller selection User
Configure Group Policy slow link detection User
Configure Group Policy slow link detection Machine
Configure Internet Explorer Maintenance policy processing Machine
Configure IP security policy processing Machine
Configure Logon Script Delay Machine
Configure registry policy processing Machine
Configure scripts policy processing Machine
Configure security policy processing Machine
Configure software Installation policy processing Machine
Configure user Group Policy loopback processing mode Machine
Configure wired policy processing Machine
Configure wireless policy processing Machine
Continue experiences on this device Machine
Create new Group Policy Object links disabled by default User
Determine if interactive users can generate Resultant Set of Policy data User
Determine if interactive users can generate Resultant Set of Policy data Machine
Enable AD/DFS domain controller synchronization during policy refresh Machine
Enable Font Providers Machine
Enable Group Policy Caching for Servers Machine
Enforce Show Policies Only User
Process Mitigation Options Machine
Process Mitigation Options User
Remove users' ability to invoke machine policy refresh Machine
Set default name for new Group Policy objects User
Set Group Policy refresh interval for computers Machine
Set Group Policy refresh interval for domain controllers Machine
Set Group Policy refresh interval for users User
Specify startup policy processing wait time Machine
Specify workplace connectivity wait time for policy processing Machine
Turn off automatic update of ADM files User
Turn off background refresh of Group Policy Machine
Turn off Group Policy Client Service AOAC optimization Machine
Turn off Local Group Policy Objects processing Machine
Turn off Resultant Set of Policy logging Machine
Untrusted Font Blocking Machine
Configure Applications preference extension policy processing Machine
Configure Applications preference logging and tracing Machine
Configure Data Sources preference extension policy processing Machine
Configure Data Sources preference logging and tracing Machine
Configure Devices preference extension policy processing Machine
Configure Devices preference logging and tracing Machine
Configure Drive Maps preference extension policy processing Machine
Configure Drive Maps preference logging and tracing Machine
Configure Environment preference extension policy processing Machine
Configure Environment preference logging and tracing Machine
Configure Files preference extension policy processing Machine
Configure Files preference logging and tracing Machine
Configure Folder Options preference extension policy processing Machine
Configure Folder Options preference logging and tracing Machine
Configure Folders preference extension policy processing Machine
Configure Folders preference logging and tracing Machine
Configure Ini Files preference extension policy processing Machine
Configure Ini Files preference logging and tracing Machine
Configure Internet Settings preference extension policy processing Machine
Configure Internet Settings preference logging and tracing Machine
Configure Local Users and Groups preference extension policy processing Machine
Configure Local Users and Groups preference logging and tracing Machine
Configure Network Options preference extension policy processing Machine
Configure Network Options preference logging and tracing Machine
Configure Network Shares preference extension policy processing Machine
Configure Network Shares preference logging and tracing Machine
Configure Power Options preference extension policy processing Machine
Configure Power Options preference logging and tracing Machine
Configure Printers preference extension policy processing Machine
Configure Printers preference logging and tracing Machine
Configure Regional Options preference extension policy processing Machine
Configure Regional Options preference logging and tracing Machine
Configure Registry preference extension policy processing Machine
Configure Registry preference logging and tracing Machine
Configure Scheduled Tasks preference extension policy processing Machine
Configure Scheduled Tasks preference logging and tracing Machine
Configure Services preference extension policy processing Machine
Configure Services preference logging and tracing Machine
Configure Shortcuts preference extension policy processing Machine
Configure Shortcuts preference logging and tracing Machine
Configure Start Menu preference extension policy processing Machine
Configure Start Menu preference logging and tracing Machine
Permit use of Application snap-ins User
Permit use of Applications preference extension User
Permit use of Control Panel Settings (Computers) User
Permit use of Control Panel Settings (Users) User
Permit use of Data Sources preference extension User
Permit use of Devices preference extension User
Permit use of Drive Maps preference extension User
Permit use of Environment preference extension User
Permit use of Files preference extension User
Permit use of Folder Options preference extension User
Permit use of Folders preference extension User
Permit use of Ini Files preference extension User
Permit use of Internet Settings preference extension User
Permit use of Local Users and Groups preference extension User
Permit use of Network Options preference extension User
Permit use of Network Shares preference extension User
Permit use of Power Options preference extension User
Permit use of Preferences tab User
Permit use of Printers preference extension User
Permit use of Regional Options preference extension User
Permit use of Registry preference extension User
Permit use of Scheduled Tasks preference extension User
Permit use of Services preference extension User
Permit use of Shortcuts preference extension User
Permit use of Start Menu preference extension User
Allow asynchronous user Group Policy processing when logging on through Machine
Restrict potentially unsafe HTML Help functions to specified folders Machine
Restrict these programs from being launched from Help User
Restrict these programs from being launched from Help Machine
Turn off Data Execution Prevention for HTML Help Executible Machine
Turn off Active Help Machine
Turn off Help Experience Improvement Program User
Turn off Help Ratings User
Turn off Windows Online User
Enable Hotspot Authentication Machine
Restrict Internet communication User
Restrict Internet communication Machine
Turn off access to all Windows Update features Machine
Turn off access to the Store User
Turn off access to the Store Machine
Turn off Automatic Root Certificates Update Machine
Turn off downloading of print drivers over HTTP User
Turn off downloading of print drivers over HTTP Machine
Turn off Event Viewer "Events.asp" links Machine
Turn off Help and Support Center "Did you know?" content Machine
Turn off Help and Support Center Microsoft Knowledge Base search Machine
Turn off Internet Connection Wizard if URL connection is referring to Microso Machine
Turn off Internet download for Web publishing and online ordering wizards User
Turn off Internet download for Web publishing and online ordering wizards Machine
Turn off Internet File Association service User
Turn off Internet File Association service Machine
Turn off printing over HTTP User
Turn off printing over HTTP Machine
Turn off Registration if URL connection is referring to Microsoft.com Machine
Turn off Search Companion content file updates Machine
Turn off the "Order Prints" picture task User
Turn off the "Order Prints" picture task Machine
Turn off the "Publish to Web" task for files and folders User
Turn off the "Publish to Web" task for files and folders Machine
Turn off the Windows Messenger Customer Experience Improvement Progra User
Turn off the Windows Messenger Customer Experience Improvement Progra Machine
Turn off Windows Customer Experience Improvement Program Machine
Turn off Windows Error Reporting Machine
Turn off Windows Network Connectivity Status Indicator active tests Machine
Turn off Windows Update device driver searching Machine
Prevent IIS installation Machine
Access data sources across domains Machine
Access data sources across domains User
Add a specific list of search providers to the user's list of search providers Machine
Add a specific list of search providers to the user's list of search providers User
Add default Accelerators User
Add default Accelerators Machine
Add non-default Accelerators User
Add non-default Accelerators Machine
Add-on List Machine
Add-on List User
Admin-approved behaviors Machine
Admin-approved behaviors User
All Processes Machine
All Processes User
All Processes User
All Processes User
All Processes User
All Processes User
All Processes User
All Processes User
All Processes User
All Processes User
All Processes User
All Processes User
All Processes User
All Processes User
Allow active content from CDs to run on user machines Machine
Allow active content from CDs to run on user machines User
Allow active content over restricted protocols to access my computer Machine
Allow active content over restricted protocols to access my computer User
Allow active scripting Machine
Allow active scripting User
Allow binary and script behaviors Machine
Allow binary and script behaviors User
Allow cut, copy or paste operations from the clipboard via script Machine
Allow cut, copy or paste operations from the clipboard via script User
Allow deleting browsing history on exit Machine
Allow deleting browsing history on exit User
Allow drag and drop or copy and paste files Machine
Allow drag and drop or copy and paste files User
Allow fallback to SSL 3.0 (Internet Explorer) Machine
Allow file downloads Machine
Allow file downloads User
Allow font downloads Machine
Allow font downloads User
Allow Install On Demand (except Internet Explorer) Machine
Allow Install On Demand (except Internet Explorer) User
Allow Install On Demand (Internet Explorer) Machine
Allow Install On Demand (Internet Explorer) User
Allow installation of desktop items Machine
Allow installation of desktop items User
Allow Internet Explorer 8 shutdown behavior Machine
Allow Internet Explorer 8 shutdown behavior User
Allow Internet Explorer to play media files that use alternative codecs Machine
Allow Internet Explorer to play media files that use alternative codecs User
Allow Internet Explorer to use the HTTP2 network protocol Machine
Allow Internet Explorer to use the HTTP2 network protocol User
Allow Internet Explorer to use the SPDY/3 network protocol Machine
Allow Internet Explorer to use the SPDY/3 network protocol User
Allow loading of XAML Browser Applications Machine
Allow loading of XAML Browser Applications User
Allow loading of XAML files Machine
Allow loading of XAML files User
Allow loading of XPS files Machine
Allow loading of XPS files User
Allow META REFRESH Machine
Allow META REFRESH User
Allow Microsoft services to provide enhanced suggestions as the user types Machine
Allow Microsoft services to provide enhanced suggestions as the user types User
Allow native XMLHTTP support Machine
Allow native XMLHTTP support User
Allow only approved domains to use ActiveX controls without prompt Machine
Allow only approved domains to use ActiveX controls without prompt User
Allow only approved domains to use the TDC ActiveX control Machine
Allow only approved domains to use the TDC ActiveX control User
Allow scripting of Internet Explorer WebBrowser controls Machine
Allow scripting of Internet Explorer WebBrowser controls User
Allow script-initiated windows without size or position constraints Machine
Allow script-initiated windows without size or position constraints User
Allow scriptlets Machine
Allow scriptlets User
Allow software to run or install even if the signature is invalid Machine
Allow software to run or install even if the signature is invalid User
Allow the display of image download placeholders User
Allow third-party browser extensions Machine
Allow third-party browser extensions User
Allow updates to status bar via script Machine
Allow updates to status bar via script User
Allow video and animation on a webpage that uses an older media player Machine
Allow video and animation on a webpage that uses an older media player User
Allow websites to open windows without status bar or Address bar Machine
Allow websites to open windows without status bar or Address bar User
Allow websites to prompt for information by using scripted windows Machine
Allow websites to prompt for information by using scripted windows User
Allow websites to store application caches on client computers Machine
Allow websites to store application caches on client computers User
Allow websites to store indexed databases on client computers Machine
Allow websites to store indexed databases on client computers User
Always send Do Not Track header Machine
Always send Do Not Track header User
Audio/Video Player User
Automatic prompting for ActiveX controls Machine
Automatic prompting for ActiveX controls User
Automatic prompting for file downloads Machine
Automatic prompting for file downloads User
Automatically activate newly installed add-ons Machine
Automatically activate newly installed add-ons User
Automatically check for Internet Explorer updates Machine
Automatically check for Internet Explorer updates User
Bypass prompting for Clipboard access for scripts running in any process Machine
Bypass prompting for Clipboard access for scripts running in any process User
Bypass prompting for Clipboard access for scripts running in the Internet Ex Machine
Bypass prompting for Clipboard access for scripts running in the Internet Ex User
Carpoint User
Change the maximum number of connections per host (HTTP 1.1) Machine
Change the maximum number of connections per host (HTTP 1.1) User
Check for server certificate revocation Machine
Check for server certificate revocation User
Check for signatures on downloaded programs Machine
Check for signatures on downloaded programs User
Configure Media Explorer Bar User
Configure Outlook Express User
Configure Toolbar Buttons User
Customize command labels Machine
Customize command labels User
Customize user agent string Machine
Customize user agent string User
Define applications and processes that can access the Clipboard without pr Machine
Define applications and processes that can access the Clipboard without pr User
Deny all add-ons unless specifically allowed in the Add-on List Machine
Deny all add-ons unless specifically allowed in the Add-on List User
DHTML Edit Control User
Disable "Configuring History" Machine
Disable "Configuring History" User
Disable adding channels User
Disable adding schedules for offline pages User
Disable all scheduled offline pages User
Disable AutoComplete for forms User
Disable Automatic Install of Internet Explorer components Machine
Disable caching of Auto-Proxy scripts User
Disable changing accessibility settings User
Disable changing Advanced page settings User
Disable changing Automatic Configuration settings Machine
Disable changing Automatic Configuration settings User
Disable changing Calendar and Contact settings User
Disable changing certificate settings User
Disable changing color settings User
Disable changing connection settings User
Disable changing connection settings Machine
Disable changing default browser check User
Disable changing font settings User
Disable changing home page settings User
Disable changing language settings User
Disable changing link color settings User
Disable changing Messaging settings User
Disable changing Profile Assistant settings User
Disable changing ratings settings User
Disable changing secondary home page settings Machine
Disable changing secondary home page settings User
Disable changing Temporary Internet files settings User
Disable channel user interface completely User
Disable customizing browser toolbar buttons User
Disable customizing browser toolbars User
Disable downloading of site subscription content User
Disable editing and creating of schedule groups User
Disable editing schedules for offline pages User
Disable external branding of Internet Explorer User
Disable Import/Export Settings wizard Machine
Disable Import/Export Settings wizard User
Disable Internet Connection wizard User
Disable offline page hit logging User
Disable Open in New Window menu option User
Disable Periodic Check for Internet Explorer software updates Machine
Disable removing channels User
Disable removing schedules for offline pages User
Disable Save this program to disk option User
Disable showing the splash screen Machine
Disable software update shell notifications on program launch Machine
Disable the Advanced page Machine
Disable the Advanced page User
Disable the Connections page Machine
Disable the Connections page User
Disable the Content page Machine
Disable the Content page User
Disable the General page Machine
Disable the General page User
Disable the Privacy page Machine
Disable the Privacy page User
Disable the Programs page Machine
Disable the Programs page User
Disable the Reset Web Settings feature User
Disable the Security page Machine
Disable the Security page User
Display error message on proxy script download failure User
Display mixed content Machine
Display mixed content User
Display tabs on a separate row Machine
Display tabs on a separate row User
Do not allow ActiveX controls to run in Protected Mode when Enhanced Prot Machine
Do not allow ActiveX controls to run in Protected Mode when Enhanced Prot User
Do not allow resetting Internet Explorer settings Machine
Do not allow resetting Internet Explorer settings User
Do not allow users to enable or disable add-ons Machine
Do not allow users to enable or disable add-ons User
Do not display the reveal password button Machine
Do not display the reveal password button User
Do not prompt for client certificate selection when no certificates or only oneMachine
Do not prompt for client certificate selection when no certificates or only oneUser
Do not save encrypted pages to disk Machine
Do not save encrypted pages to disk User
Don't run antimalware programs against ActiveX controls Machine
Don't run antimalware programs against ActiveX controls User
Download signed ActiveX controls Machine
Download signed ActiveX controls User
Download unsigned ActiveX controls Machine
Download unsigned ActiveX controls User
Empty Temporary Internet Files folder when browser is closed Machine
Empty Temporary Internet Files folder when browser is closed User
Enable dragging of content from different domains across windows Machine
Enable dragging of content from different domains across windows User
Enable dragging of content from different domains within a window Machine
Enable dragging of content from different domains within a window User
Enable MIME Sniffing Machine
Enable MIME Sniffing User
Enforce full-screen mode Machine
Enforce full-screen mode User
Establish InPrivate Filtering threshold Machine
Establish InPrivate Filtering threshold User
Establish Tracking Protection threshold Machine
Establish Tracking Protection threshold User
File menu: Disable closing the browser and Explorer windows User
File menu: Disable New menu option User
File menu: Disable Open menu option User
File menu: Disable Save As Web Page Complete User
File menu: Disable Save As... menu option User
File size limits for Internet zone User
File size limits for Intranet zone User
File size limits for Local Machine zone User
File size limits for Restricted Sites zone User
File size limits for Trusted Sites zone User
Go to an intranet site for a one-word entry in the Address bar Machine
Go to an intranet site for a one-word entry in the Address bar User
Help menu: Remove 'For Netscape Users' menu option User
Help menu: Remove 'Send Feedback' menu option User
Help menu: Remove 'Tip of the Day' menu option User
Help menu: Remove 'Tour' menu option User
Hide Favorites menu User
Hide the Command bar Machine
Hide the Command bar User
Hide the status bar Machine
Hide the status bar User
Identity Manager: Prevent users from using Identities User
Include local path when user is uploading files to a server Machine
Include local path when user is uploading files to a server User
Include updated website lists from Microsoft Machine
Include updated website lists from Microsoft User
Initialize and script ActiveX controls not marked as safe Machine
Initialize and script ActiveX controls not marked as safe User
Install binaries signed by MD2 and MD4 signing technologies Machine
Install binaries signed by MD2 and MD4 signing technologies User
Install new versions of Internet Explorer automatically Machine
Internet Explorer Processes Machine
Internet Explorer Processes User
Internet Zone Restricted Protocols Machine
Internet Zone Restricted Protocols User
Internet Zone Template Machine
Internet Zone Template User
Intranet Sites: Include all local (intranet) sites not listed in other zones Machine
Intranet Sites: Include all local (intranet) sites not listed in other zones User
Intranet Sites: Include all network paths (UNCs) Machine
Intranet Sites: Include all network paths (UNCs) User
Intranet Sites: Include all sites that bypass the proxy server Machine
Intranet Sites: Include all sites that bypass the proxy server User
Intranet Zone Restricted Protocols Machine
Intranet Zone Restricted Protocols User
Intranet Zone Template Machine
Intranet Zone Template User
Investor User
Java permissions Machine
Java permissions User
Launching applications and files in an IFRAME Machine
Launching applications and files in an IFRAME User
Let users turn on and use Enterprise Mode from the Tools menu Machine
Let users turn on and use Enterprise Mode from the Tools menu User
Limit Site Discovery output by Domain Machine
Limit Site Discovery output by Domain User
Limit Site Discovery output by Zone Machine
Limit Site Discovery output by Zone User
Local Machine Zone Restricted Protocols Machine
Local Machine Zone Restricted Protocols User
Local Machine Zone Template Machine
Local Machine Zone Template User
Lock all toolbars Machine
Lock all toolbars User
Lock location of Stop and Refresh buttons Machine
Lock location of Stop and Refresh buttons User
Locked-Down Internet Zone Template Machine
Locked-Down Internet Zone Template User
Locked-Down Intranet Zone Template Machine
Locked-Down Intranet Zone Template User
Locked-Down Local Machine Zone Template Machine
Locked-Down Local Machine Zone Template User
Locked-Down Restricted Sites Zone Template Machine
Locked-Down Restricted Sites Zone Template User
Locked-Down Trusted Sites Zone Template Machine
Locked-Down Trusted Sites Zone Template User
Logon options Machine
Logon options User
Logon options User
Logon options User
Logon options User
Logon options User
Logon options User
Logon options User
Logon options User
Logon options User
Logon options User
Make proxy settings per-machine (rather than per-user) Machine
Maximum number of connections per server (HTTP 1.0) Machine
Maximum number of connections per server (HTTP 1.0) User
Menu Controls User
Microsoft Agent User
Microsoft Chat User
Microsoft Scriptlet Component User
Microsoft Survey Control User
MSNBC User
Navigate windows and frames across different domains Machine
Navigate windows and frames across different domains User
NetShow File Transfer Control User
Notify users if Internet Explorer is not the default web browser User
Open Internet Explorer tiles on the desktop Machine
Open Internet Explorer tiles on the desktop User
Play animations in web pages Machine
Play animations in web pages User
Play sounds in web pages Machine
Play sounds in web pages User
Play videos in web pages Machine
Play videos in web pages User
Pop-up allow list Machine
Pop-up allow list User
Position the menu bar above the navigation bar User
Prevent "Fix settings" functionality Machine
Prevent "Fix settings" functionality User
Prevent access to Delete Browsing History Machine
Prevent access to Delete Browsing History User
Prevent access to feed list Machine
Prevent access to feed list User
Prevent access to Internet Explorer Help Machine
Prevent access to Internet Explorer Help User
Prevent automatic discovery of feeds and Web Slices Machine
Prevent automatic discovery of feeds and Web Slices User
Prevent bypassing SmartScreen Filter warnings Machine
Prevent bypassing SmartScreen Filter warnings User
Prevent bypassing SmartScreen Filter warnings about files that are not co Machine
Prevent bypassing SmartScreen Filter warnings about files that are not co User
Prevent changing pop-up filter level Machine
Prevent changing pop-up filter level User
Prevent changing proxy settings Machine
Prevent changing proxy settings User
Prevent changing the default search provider Machine
Prevent changing the default search provider User
Prevent changing the URL for checking updates to Internet Explorer and InteMachine
Prevent choosing default text size User
Prevent configuration of how windows open Machine
Prevent configuration of how windows open User
Prevent configuration of new tab creation Machine
Prevent configuration of new tab creation User
Prevent configuration of search on Address bar Machine
Prevent configuration of search on Address bar User
Prevent configuration of top-result search on Address bar Machine
Prevent configuration of top-result search on Address bar User
Prevent deleting ActiveX Filtering, Tracking Protection, and Do Not Track dat Machine
Prevent deleting ActiveX Filtering, Tracking Protection, and Do Not Track dat User
Prevent deleting cookies Machine
Prevent deleting cookies User
Prevent deleting download history Machine
Prevent deleting download history User
Prevent deleting favorites site data Machine
Prevent deleting favorites site data User
Prevent deleting form data Machine
Prevent deleting form data User
Prevent deleting InPrivate Filtering data Machine
Prevent deleting InPrivate Filtering data User
Prevent deleting passwords Machine
Prevent deleting passwords User
Prevent deleting temporary Internet files Machine
Prevent deleting temporary Internet files User
Prevent deleting websites that the user has visited Machine
Prevent deleting websites that the user has visited User
Prevent downloading of enclosures Machine
Prevent downloading of enclosures User
Prevent ignoring certificate errors Machine
Prevent ignoring certificate errors User
Prevent Internet Explorer Search box from appearing Machine
Prevent Internet Explorer Search box from appearing User
Prevent managing pop-up exception list Machine
Prevent managing pop-up exception list User
Prevent managing SmartScreen Filter Machine
Prevent managing SmartScreen Filter User
Prevent managing the phishing filter Machine
Prevent managing the phishing filter User
Prevent participation in the Customer Experience Improvement Program Machine
Prevent participation in the Customer Experience Improvement Program User
Prevent per-user installation of ActiveX controls Machine
Prevent per-user installation of ActiveX controls User
Prevent running First Run wizard Machine
Prevent running First Run wizard User
Prevent specifying background color User
Prevent specifying cipher strength update information URLs Machine
Prevent specifying text color User
Prevent specifying the code download path for each computer Machine
Prevent specifying the color of links that have already been clicked User
Prevent specifying the color of links that have not yet been clicked User
Prevent specifying the hover color User
Prevent specifying the update check interval (in days) Machine
Prevent subscribing to or deleting a feed or a Web Slice Machine
Prevent subscribing to or deleting a feed or a Web Slice User
Prevent the computer from loading toolbars and Browser Helper Objects when
Machine
Prevent the computer from loading toolbars and Browser Helper Objects when
User
Prevent the deletion of temporary Internet files and cookies Machine
Prevent the deletion of temporary Internet files and cookies User
Prevent the use of Windows colors User
Process List Machine
Process List User
Process List User
Process List User
Process List User
Process List User
Process List User
Process List User
Process List User
Process List User
Process List User
Process List User
Process List User
Process List User
Remove "Run this time" button for outdated ActiveX controls in Internet ExplMachine
Remove "Run this time" button for outdated ActiveX controls in Internet ExplUser
Render legacy filters Machine
Render legacy filters User
Restrict Accelerators to those deployed through Group Policy Machine
Restrict Accelerators to those deployed through Group Policy User
Restrict search providers to a specific list Machine
Restrict search providers to a specific list User
Restricted Sites Zone Restricted Protocols Machine
Restricted Sites Zone Restricted Protocols User
Restricted Sites Zone Template Machine
Restricted Sites Zone Template User
Run .NET Framework-reliant components not signed with Authenticode Machine
Run .NET Framework-reliant components not signed with Authenticode User
Run .NET Framework-reliant components signed with Authenticode Machine
Run .NET Framework-reliant components signed with Authenticode User
Run ActiveX controls and plugins Machine
Run ActiveX controls and plugins User
Script ActiveX controls marked safe for scripting Machine
Script ActiveX controls marked safe for scripting User
Scripting of Java applets Machine
Scripting of Java applets User
Search: Disable Find Files via F3 within the browser User
Search: Disable Search Customization User
Security Zones: Do not allow users to add/delete sites Machine
Security Zones: Do not allow users to change policies Machine
Security Zones: Use only machine settings Machine
Send all sites not included in the Enterprise Mode Site List to Microsoft EdgeMachine
Send all sites not included in the Enterprise Mode Site List to Microsoft EdgeUser
Send internationalized domain names Machine
Send internationalized domain names User
Set application cache storage limits for individual domains Machine
Set application cache storage limits for individual domains User
Set application caches expiration time limit for individual domains Machine
Set application caches expiration time limit for individual domains User
Set default storage limits for websites Machine
Set default storage limits for websites User
Set how links are opened in Internet Explorer Machine
Set how links are opened in Internet Explorer User
Set indexed database storage limits for individual domains Machine
Set indexed database storage limits for individual domains User
Set maximum application cache individual resource size Machine
Set maximum application cache individual resource size User
Set maximum application cache resource list size Machine
Set maximum application cache resource list size User
Set maximum application caches storage limit for all domains Machine
Set maximum application caches storage limit for all domains User
Set maximum indexed database storage limit for all domains Machine
Set maximum indexed database storage limit for all domains User
Set tab process growth Machine
Set tab process growth User
Set the maximum number of WebSocket connections per server Machine
Set the maximum number of WebSocket connections per server User
Shockwave Flash User
Show Content Advisor on Internet Options Machine
Show Content Advisor on Internet Options User
Show security warning for potentially unsafe files Machine
Show security warning for potentially unsafe files User
Site to Zone Assignment List Machine
Site to Zone Assignment List User
Software channel permissions Machine
Software channel permissions User
Specify default behavior for a new tab Machine
Specify default behavior for a new tab User
Specify use of ActiveX Installer Service for installation of ActiveX controls Machine
Specify use of ActiveX Installer Service for installation of ActiveX controls User
Start Internet Explorer with tabs from last browsing session Machine
Start Internet Explorer with tabs from last browsing session User
Start the Internet Connection Wizard automatically User
Submit non-encrypted form data Machine
Submit non-encrypted form data User
Subscription Limits User
Tools menu: Disable Internet Options... menu option User
Trusted Sites Zone Restricted Protocols Machine
Trusted Sites Zone Restricted Protocols User
Trusted Sites Zone Template Machine
Trusted Sites Zone Template User
Turn off .NET Framework Setup Machine
Turn off .NET Framework Setup User
Turn off ability to pin sites in Internet Explorer on the desktop Machine
Turn off ability to pin sites in Internet Explorer on the desktop User
Turn off Accelerators Machine
Turn off Accelerators User
Turn off ActiveX Opt-In prompt Machine
Turn off ActiveX Opt-In prompt User
Turn off add-on performance notifications Machine
Turn off add-on performance notifications User
Turn off Adobe Flash in Internet Explorer and prevent applications from usingMachine
Turn off Adobe Flash in Internet Explorer and prevent applications from usingUser
Turn off Automatic Crash Recovery Machine
Turn off Automatic Crash Recovery User
Turn off automatic download of the ActiveX VersionList User
Turn off automatic image resizing User
Turn off background synchronization for feeds and Web Slices Machine
Turn off background synchronization for feeds and Web Slices User
Turn off blocking of outdated ActiveX controls for Internet Explorer Machine
Turn off blocking of outdated ActiveX controls for Internet Explorer User
Turn off blocking of outdated ActiveX controls for Internet Explorer on speci Machine
Turn off blocking of outdated ActiveX controls for Internet Explorer on speci User
Turn off browser geolocation Machine
Turn off browser geolocation User
Turn off ClearType Machine
Turn off ClearType User
Turn off collection of InPrivate Filtering data Machine
Turn off collection of InPrivate Filtering data User
Turn off Compatibility View Machine
Turn off Compatibility View User
Turn off Compatibility View button Machine
Turn off Compatibility View button User
Turn off configuration of pop-up windows in tabbed browsing Machine
Turn off configuration of pop-up windows in tabbed browsing User
Turn off configuring underline links User
Turn off Crash Detection Machine
Turn off Crash Detection User
Turn off cross-document messaging Machine
Turn off cross-document messaging User
Turn off Data Execution Prevention Machine
Turn off Data URI support Machine
Turn off Data URI support User
Turn off details in messages about Internet connection problems User
Turn off Developer Tools Machine
Turn off Developer Tools User
Turn off encryption support Machine
Turn off encryption support User
Turn off Favorites bar Machine
Turn off Favorites bar User
Turn off first-run prompt Machine
Turn off first-run prompt User
Turn off image display User
Turn off inline AutoComplete in File Explorer User
Turn off InPrivate Browsing Machine
Turn off InPrivate Browsing User
Turn off InPrivate Filtering Machine
Turn off InPrivate Filtering User
Turn off loading websites and content in the background to optimize perfor Machine
Turn off loading websites and content in the background to optimize perfor User
Turn off Managing SmartScreen Filter for Internet Explorer 8 Machine
Turn off Managing SmartScreen Filter for Internet Explorer 8 User
Turn off page transitions User
Turn off page-zooming functionality Machine
Turn off page-zooming functionality User
Turn off phone number detection Machine
Turn off phone number detection User
Turn off pop-up management Machine
Turn off pop-up management User
Turn off Print Menu Machine
Turn off Print Menu User
Turn off Profile Assistant Machine
Turn off Profile Assistant User
Turn off Quick Tabs functionality Machine
Turn off Quick Tabs functionality User
Turn off Reopen Last Browsing Session Machine
Turn off Reopen Last Browsing Session User
Turn off sending URL path as UTF-8 User
Turn off sending UTF-8 query strings for URLs Machine
Turn off sending UTF-8 query strings for URLs User
Turn off Shortcut Menu User
Turn off smart image dithering User
Turn off smooth scrolling User
Turn off suggestions for all user-installed providers Machine
Turn off suggestions for all user-installed providers User
Turn off Tab Grouping User
Turn off tabbed browsing Machine
Turn off tabbed browsing User
Turn off the ability to launch report site problems using a menu option Machine
Turn off the ability to launch report site problems using a menu option User
Turn off the auto-complete feature for web addresses Machine
Turn off the auto-complete feature for web addresses User
Turn off the flip ahead with page prediction feature Machine
Turn off the flip ahead with page prediction feature User
Turn off the quick pick menu Machine
Turn off the quick pick menu User
Turn off the Security Settings Check feature Machine
Turn off the Security Settings Check feature User
Turn off the WebSocket Object Machine
Turn off the WebSocket Object User
Turn off the XDomainRequest object Machine
Turn off the XDomainRequest object User
Turn off toolbar upgrade tool Machine
Turn off toolbar upgrade tool User
Turn off Tracking Protection Machine
Turn off Tracking Protection User
Turn off URL Suggestions Machine
Turn off URL Suggestions User
Turn off Windows Search AutoComplete Machine
Turn off Windows Search AutoComplete User
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 6Machine
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 6User
Turn on ActiveX control logging in Internet Explorer Machine
Turn on ActiveX control logging in Internet Explorer User
Turn on ActiveX Filtering Machine
Turn on ActiveX Filtering User
Turn on automatic detection of intranet Machine
Turn on automatic detection of intranet User
Turn on automatic signup User
Turn on Basic feed authentication over HTTP Machine
Turn on Basic feed authentication over HTTP User
Turn on Caret Browsing support Machine
Turn on Caret Browsing support User
Turn on certificate address mismatch warning Machine
Turn on certificate address mismatch warning User
Turn on compatibility logging Machine
Turn on compatibility logging User
Turn on Cross-Site Scripting Filter Machine
Turn on Cross-Site Scripting Filter User
Turn on Enhanced Protected Mode Machine
Turn on Enhanced Protected Mode User
Turn on inline AutoComplete User
Turn on Internet Explorer 7 Standards Mode Machine
Turn on Internet Explorer 7 Standards Mode User
Turn on Internet Explorer Standards Mode for local intranet Machine
Turn on Internet Explorer Standards Mode for local intranet User
Turn on menu bar by default Machine
Turn on menu bar by default User
Turn on Notification bar notification for intranet content Machine
Turn on Notification bar notification for intranet content User
Turn on printing of background colors and images User
Turn on Protected Mode Machine
Turn on Protected Mode User
Turn on script debugging User
Turn on Site Discovery WMI output Machine
Turn on Site Discovery WMI output User
Turn on Site Discovery XML output Machine
Turn on Site Discovery XML output User
Turn on SmartScreen Filter scan Machine
Turn on SmartScreen Filter scan User
Turn on Suggested Sites Machine
Turn on Suggested Sites User
Turn on the auto-complete feature for user names and passwords on forms User
Turn on the display of script errors User
Turn on the hover color option User
Use Automatic Detection for dial-up connections User
Use HTTP 1.1 Machine
Use HTTP 1.1 User
Use HTTP 1.1 through proxy connections Machine
Use HTTP 1.1 through proxy connections User
Use large icons for command buttons Machine
Use large icons for command buttons User
Use Policy List of Internet Explorer 7 sites Machine
Use Policy List of Internet Explorer 7 sites User
Use Policy List of Quirks Mode sites Machine
Use Policy List of Quirks Mode sites User
Use Pop-up Blocker Machine
Use Pop-up Blocker User
Use the Enterprise Mode IE website list Machine
Use the Enterprise Mode IE website list User
Use UTF-8 for mailto links Machine
Use UTF-8 for mailto links User
Userdata persistence Machine
Userdata persistence User
View menu: Disable Full Screen menu option User
View menu: Disable Source menu option User
Web sites in less privileged Web content zones can navigate into this zone Machine
Web sites in less privileged Web content zones can navigate into this zone User
Turn off handwriting recognition error reporting User
Turn off handwriting recognition error reporting Machine
Do not allow adding new targets via manual configuration Machine
Do not allow additional session logins Machine
Do not allow changes to initiator CHAP secret Machine
Do not allow changes to initiator iqn name Machine
Do not allow connections without IPSec Machine
Do not allow manual configuration of discovered targets Machine
Do not allow manual configuration of iSNS servers Machine
Do not allow manual configuration of target portals Machine
Do not allow sessions without mutual CHAP Machine
Do not allow sessions without one way CHAP Machine
KDC support for claims, compound authentication and Kerberos armoring Machine
KDC support for PKInit Freshness Extension Machine
Provide information about previous logons to client computers Machine
Request compound authentication Machine
Use forest search order Machine
Warning for large Kerberos tickets Machine
Always send compound authentication first Machine
Define host name-to-Kerberos realm mappings Machine
Define interoperable Kerberos V5 realm settings Machine
Disable revocation checking for the SSL certificate of KDC proxy servers Machine
Fail authentication requests when Kerberos armoring is not available Machine
Kerberos client support for claims, compound authentication and Kerberos aMachine
Require strict KDC validation Machine
Require strict target SPN match on remote procedure calls Machine
Set maximum Kerberos SSPI context token buffer size Machine
Specify KDC proxy servers for Kerberos clients Machine
Support compound authentication Machine
Support device authentication using certificate Machine
Use forest search order Machine
Cipher suite order Machine
Hash Publication for BranchCache Machine
Hash Version support for BranchCache Machine
Honor cipher suite order Machine
Cipher suite order Machine
Enable insecure guest logons Machine
Handle Caching on Continuous Availability Shares Machine
Offline Files Availability on Continuous Availability Shares Machine
Turn on Mapper I/O (LLTDIO) driver Machine
Turn on Responder (RSPNDR) driver Machine
Turn off Windows Location Provider Machine
Always use classic logon Machine
Always use custom logon background Machine
Always wait for the network at computer startup and logon Machine
Block user from showing account details on sign-in Machine
Display highly detailed status messages Machine
Do not display network selection UI Machine
Do not display the Getting Started welcome screen at logon User
Do not display the Getting Started welcome screen at logon Machine
Do not enumerate connected users on domain-joined computers Machine
Do not process the legacy run list User
Do not process the legacy run list Machine
Do not process the run once list User
Do not process the run once list Machine
Enumerate local users on domain-joined computers Machine
Hide entry points for Fast User Switching Machine
Remove Boot / Shutdown / Logon / Logoff status messages Machine
Run these programs at user logon User
Run these programs at user logon Machine
Show first sign-in animation Machine
Turn off app notifications on the lock screen Machine
Turn off Windows Startup sound Machine
Disable MDM Enrollment Machine
Allow Developer Tools Machine
Allow Developer Tools User
Allow Extensions Machine
Allow Extensions User
Allow InPrivate browsing Machine
Allow InPrivate browsing User
Allow web content on New Tab page Machine
Allow web content on New Tab page User
Configure Autofill Machine
Configure Autofill User
Configure cookies Machine
Configure cookies User
Configure Do Not Track Machine
Configure Do Not Track User
Configure Favorites Machine
Configure Favorites User
Configure Home pages Machine
Configure Home pages User
Configure Password Manager Machine
Configure Password Manager User
Configure Pop-up Blocker Machine
Configure Pop-up Blocker User
Configure search suggestions in Address bar Machine
Configure search suggestions in Address bar User
Configure SmartScreen Filter Machine
Configure SmartScreen Filter User
Configure the Enterprise Mode Site List Machine
Configure the Enterprise Mode Site List User
Prevent access to the about:flags page in Microsoft Edge Machine
Prevent access to the about:flags page in Microsoft Edge User
Prevent bypassing SmartScreen prompts for files Machine
Prevent bypassing SmartScreen prompts for files User
Prevent bypassing SmartScreen prompts for sites Machine
Prevent bypassing SmartScreen prompts for sites User
Prevent using Localhost IP address for WebRTC Machine
Prevent using Localhost IP address for WebRTC User
Send all intranet sites to Internet Explorer 11 Machine
Send all intranet sites to Internet Explorer 11 User
Show message when opening sites in Internet Explorer Machine
Show message when opening sites in Internet Explorer User
ActiveX Control User
Extended View (Web View) User
Link to Web Address User
Restrict the user from entering author mode User
Restrict users to the explicitly permitted list of snap-ins User
.Net Framework Configuration User
Active Directory Domains and Trusts User
Active Directory Sites and Services User
Active Directory Users and Computers User
Administrative Templates (Computers) User
Administrative Templates (Computers) User
Administrative Templates (Users) User
Administrative Templates (Users) User
ADSI Edit User
AppleTalk Routing User
Authorization Manager User
Certificate Templates User
Certificates User
Certification Authority User
Certification Authority Policy Settings User
Component Services User
Computer Management User
Connection Sharing (NAT) User
DCOM Configuration Extension User
Device Manager User
Device Manager User
DHCP Relay Management User
Disk Defragmenter User
Disk Management User
Distributed File System User
Enterprise PKI User
Event Viewer User
Event Viewer User
Event Viewer (Windows Vista) User
Event Viewer (Windows Vista) User
Failover Clusters Manager User
FAX Service User
Folder Redirection User
Folder Redirection User
FrontPage Server Extensions User
Group Policy Management User
Group Policy Object Editor User
Group Policy tab for Active Directory Tools User
Health Registration Authority (HRA) User
IAS Logging User
IGMP Routing User
Indexing Service User
Internet Authentication Service (IAS) User
Internet Explorer Maintenance User
Internet Explorer Maintenance User
Internet Information Services User
IP Routing User
IP Security Monitor User
IP Security Policy Management User
IP Security Policy Management User
IPX RIP Routing User
IPX Routing User
IPX SAP Routing User
Local Users and Groups User
Logical and Mapped Drives User
NAP Client Configuration User
NAP Client Configuration User
Network Policy Server (NPS) User
Online Responder User
OSPF Routing User
Performance Logs and Alerts User
Public Key Policies User
QoS Admission Control User
RAS Dialin - User Node User
Remote Access User
Remote Desktop Services Configuration User
Remote Desktops User
Remote Installation Services User
Removable Storage User
Removable Storage Management User
Resultant Set of Policy snap-in User
RIP Routing User
Routing User
Routing and Remote Access User
Scripts (Logon/Logoff) User
Scripts (Logon/Logoff) User
Scripts (Startup/Shutdown) User
Scripts (Startup/Shutdown) User
Security Configuration and Analysis User
Security Settings User
Security Settings User
Security Templates User
Send Console Message User
Server Manager User
Service Dependencies User
Services User
Shared Folders User
Shared Folders Ext User
SMTP Protocol User
SNMP User
Software Installation (Computers) User
Software Installation (Computers) User
Software Installation (Users) User
Software Installation (Users) User
System Information User
System Properties User
Telephony User
TPM Management User
Windows Firewall with Advanced Security User
Windows Firewall with Advanced Security User
Wired Network (IEEE 802.3) Policies User
Wireless Monitor User
Wireless Network (IEEE 802.11) Policies User
WMI Control User
DFS Management User
DFS Management Extension User
Disk Management Extension User
File Server Resource Manager User
File Server Resource Manager Extension User
Group Policy Management Editor User
Group Policy Starter GPO Editor User
Share and Storage Management User
Share and Storage Management Extension User
Storage Manager for SANs User
Storage Manager for SANS Extension User
Turn off Windows Mobility Center User
Turn off Windows Mobility Center Machine
Turn off Windows presentation settings User
Turn off Windows presentation settings Machine
Automatic Maintenance Activation Boundary Machine
Automatic Maintenance Random Delay Machine
Automatic Maintenance WakeUp Policy Machine
Microsoft Support Diagnostic Tool: Configure execution level Machine
Microsoft Support Diagnostic Tool: Restrict tool download Machine
Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication Machine
Allow user control over installs Machine
Allow users to browse for source while elevated Machine
Allow users to patch elevated products Machine
Allow users to use media source while elevated Machine
Always install with elevated privileges User
Always install with elevated privileges Machine
Control maximum size of baseline file cache Machine
Enforce upgrade component rules Machine
Prevent embedded UI Machine
Prevent Internet Explorer security prompt for Windows Installer scripts Machine
Prevent removable media source for any installation User
Prevent users from using Windows Installer to install updates and upgrades Machine
Prohibit flyweight patching Machine
Prohibit non-administrators from applying vendor signed updates Machine
Prohibit removal of updates Machine
Prohibit rollback User
Prohibit rollback Machine
Prohibit use of Restart Manager Machine
Prohibit User Installs Machine
Remove browse dialog box for new source Machine
Save copies of transform files in a secure location on workstation Machine
Specify the order in which Windows Installer searches for installation files User
Specify the types of events Windows Installer records in its transaction log Machine
Turn off creation of System Restore checkpoints Machine
Turn off logging via package settings Machine
Turn off shared components Machine
Turn off Windows Installer Machine
Configure MSI Corrupted File Recovery behavior Machine
Corporate Resources Machine
Custom Commands Machine
DirectAccess Passive Mode Machine
Friendly Name Machine
IPsec Tunnel Endpoints Machine
Prefer Local Names Allowed Machine
Support Email Address Machine
User Interface Machine
Specify corporate DNS probe host address Machine
Specify corporate DNS probe host name Machine
Specify corporate site prefix list Machine
Specify corporate Website probe URL Machine
Specify domain location determination URL Machine
Specify passive polling Machine
Allow cryptography algorithms compatible with Windows NT 4.0 Machine
Contact PDC on logon failure Machine
Do not process incoming mailslot messages used for domain controller loc Machine
Do not use NetBIOS-based discovery for domain controller location when DNS Machine
Force Rediscovery Interval Machine
Return domain controller address type Machine
Set Netlogon share compatibility Machine
Set Priority in the DC Locator DNS SRV records Machine
Set scavenge interval Machine
Set SYSVOL share compatibility Machine
Set TTL in the DC Locator DNS Records Machine
Set Weight in the DC Locator DNS SRV records Machine
Specify address lookup behavior for DC locator ping Machine
Specify DC Locator DNS records not registered by the DCs Machine
Specify dynamic registration of the DC Locator DNS Records Machine
Specify expected dial-up delay on logon Machine
Specify log file debug output level Machine
Specify maximum log file size Machine
Specify negative DC Discovery cache setting Machine
Specify positive periodic DC Cache refresh for non-background callers Machine
Specify Refresh Interval of the DC Locator DNS records Machine
Specify site name Machine
Specify sites covered by the application directory partition DC Locator DNS Machine
Specify sites covered by the DC Locator DNS SRV records Machine
Specify sites covered by the GC Locator DNS SRV Records Machine
Try Next Closest Site Machine
Use automated site coverage by the DC Locator DNS SRV Records Machine
Use DNS name resolution when a single-label domain name is used, by append Machine
Use DNS name resolution with a single-label domain name instead of NetBIOMachine
Use final DC discovery retry setting for background callers Machine
Use initial DC discovery retry setting for background callers Machine
Use maximum DC discovery retry interval setting for background callers Machine
Use positive periodic DC cache refresh for background callers Machine
Use urgent mode when pinging domain controllers Machine
Ability to change properties of an all user remote access connection User
Ability to delete all user remote access connections User
Ability to Enable/Disable a LAN connection User
Ability to rename all user remote access connections User
Ability to rename LAN connections User
Ability to rename LAN connections or remote access connections available toUser
Do not show the "local access only" network icon Machine
Enable Windows 2000 Network Connections settings for Administrators User
Prohibit access to properties of a LAN connection User
Prohibit access to properties of components of a LAN connection User
Prohibit access to properties of components of a remote access connection User
Prohibit access to the Advanced Settings item on the Advanced menu User
Prohibit access to the New Connection Wizard User
Prohibit access to the Remote Access Preferences item on the Advanced me User
Prohibit adding and removing components for a LAN or remote access conneUser
Prohibit changing properties of a private remote access connection User
Prohibit connecting and disconnecting a remote access connection User
Prohibit deletion of remote access connections User
Prohibit Enabling/Disabling components of a LAN connection User
Prohibit installation and configuration of Network Bridge on your DNS doma Machine
Prohibit renaming private remote access connections User
Prohibit TCP/IP advanced configuration User
Prohibit use of Internet Connection Firewall on your DNS domain network Machine
Prohibit use of Internet Connection Sharing on your DNS domain network Machine
Prohibit viewing of status for an active connection User
Require domain users to elevate when setting a network's location Machine
Route all traffic through the internal network Machine
Turn off notifications when a connection has only limited or no connectivity User
Internet proxy servers for apps Machine
Intranet proxy servers for apps Machine
Private network ranges for apps Machine
Proxy definitions are authoritative Machine
Subnet definitions are authoritative Machine
Hardened UNC Paths Machine
Action on server disconnect User
Action on server disconnect Machine
Allow or Disallow use of the Offline Files feature Machine
At logoff, delete local copy of users offline files Machine
Configure Background Sync Machine
Configure Slow link speed Machine
Configure slow-link mode Machine
Default cache size Machine
Enable file screens Machine
Enable file synchronization on costed networks Machine
Enable Transparent Caching Machine
Encrypt the Offline Files cache Machine
Event logging level User
Event logging level Machine
Files not cached Machine
Initial reminder balloon lifetime User
Initial reminder balloon lifetime Machine
Limit disk space used by Offline Files Machine
Non-default server disconnect actions User
Non-default server disconnect actions Machine
Prevent use of Offline Files folder User
Prevent use of Offline Files folder Machine
Prohibit user configuration of Offline Files User
Prohibit user configuration of Offline Files Machine
Reminder balloon frequency User
Reminder balloon frequency Machine
Reminder balloon lifetime User
Reminder balloon lifetime Machine
Remove "Make Available Offline" command User
Remove "Make Available Offline" command Machine
Remove "Make Available Offline" for these files and folders User
Remove "Make Available Offline" for these files and folders Machine
Remove "Work offline" command User
Remove "Work offline" command Machine
Specify administratively assigned Offline Files User
Specify administratively assigned Offline Files Machine
Subfolders always available offline Machine
Synchronize all offline files before logging off User
Synchronize all offline files before logging off Machine
Synchronize all offline files when logging on User
Synchronize all offline files when logging on Machine
Synchronize offline files before suspend User
Synchronize offline files before suspend Machine
Turn off reminder balloons User
Turn off reminder balloons Machine
Turn on economical application of administratively assigned Offline Files Machine
Disable password strength validation for Peer Grouping Machine
Set PNRP cloud to resolve only Machine
Set the Seed Server Machine
Turn off Microsoft Peer-to-Peer Networking Services Machine
Turn off Multicast Bootstrap Machine
Turn off PNRP cloud creation Machine
Expiration Machine
Expiration User
History Machine
History User
Maximum PIN length Machine
Maximum PIN length User
Minimum PIN length Machine
Minimum PIN length User
Require digits Machine
Require digits User
Require lowercase letters Machine
Require lowercase letters User
Require special characters Machine
Require special characters User
Require uppercase letters Machine
Require uppercase letters User
Use a hardware security device Machine
Use biometrics Machine
Use Microsoft Passport for Work Machine
Use Remote Passport Machine
Detect application failures caused by deprecated COM objects Machine
Detect application failures caused by deprecated Windows DLLs Machine
Detect application install failures Machine
Detect application installers that need to be run as administrator Machine
Detect applications unable to launch installers under UAC Machine
Detect compatibility issues for applications and drivers Machine
Notify blocked drivers Machine
Configure BranchCache for network files Machine
Configure Client BranchCache Version Support Machine
Configure Hosted Cache Servers Machine
Enable Automatic Hosted Cache Discovery by Service Connection Point Machine
Set age for segments in the data cache Machine
Set BranchCache Distributed Cache mode Machine
Set BranchCache Hosted Cache mode Machine
Set percentage of disk space used for client computer cache Machine
Turn on BranchCache Machine
Turn off Tablet PC Pen Training User
Turn off Tablet PC Pen Training Machine
Enable/Disable PerfTrack Machine
Allow applications to prevent automatic sleep (on battery) Machine
Allow applications to prevent automatic sleep (plugged in) Machine
Allow automatic sleep with Open Network Files (on battery) Machine
Allow automatic sleep with Open Network Files (plugged in) Machine
Allow network connectivity during connected-standby (on battery) Machine
Allow network connectivity during connected-standby (plugged in) Machine
Allow standby states (S1-S3) when sleeping (on battery) Machine
Allow standby states (S1-S3) when sleeping (plugged in) Machine
Critical battery notification action Machine
Critical battery notification level Machine
Do not turn off system power after a Windows system shutdown has occurreMachine
Energy Saver Battery Threshold (on battery) Machine
Energy Saver Battery Threshold (plugged in) Machine
Low battery notification action Machine
Low battery notification level Machine
Prompt for password on resume from hibernate/suspend User
Reduce display brightness (on battery) Machine
Reduce display brightness (plugged in) Machine
Require a password when a computer wakes (on battery) Machine
Require a password when a computer wakes (plugged in) Machine
Reserve battery notification level Machine
Select an active power plan Machine
Select the lid switch action (on battery) Machine
Select the lid switch action (plugged in) Machine
Select the Power button action (on battery) Machine
Select the Power button action (plugged in) Machine
Select the Sleep button action (on battery) Machine
Select the Sleep button action (plugged in) Machine
Select the Start menu Power button action (on battery) Machine
Select the Start menu Power button action (plugged in) Machine
Specify a custom active power plan Machine
Specify the display dim brightness (on battery) Machine
Specify the display dim brightness (plugged in) Machine
Specify the system hibernate timeout (on battery) Machine
Specify the system hibernate timeout (plugged in) Machine
Specify the system sleep timeout (on battery) Machine
Specify the system sleep timeout (plugged in) Machine
Specify the unattended sleep timeout (on battery) Machine
Specify the unattended sleep timeout (plugged in) Machine
Turn off adaptive display timeout (on battery) Machine
Turn off adaptive display timeout (plugged in) Machine
Turn off hybrid sleep (on battery) Machine
Turn off hybrid sleep (plugged in) Machine
Turn off low battery user notification Machine
Turn off the display (on battery) Machine
Turn off the display (plugged in) Machine
Turn Off the hard disk (on battery) Machine
Turn Off the hard disk (plugged in) Machine
Turn on desktop background slideshow (on battery) Machine
Turn on desktop background slideshow (plugged in) Machine
Turn on the ability for applications to prevent sleep transitions (on battery) Machine
Turn on the ability for applications to prevent sleep transitions (plugged in) Machine
Set the default source path for Update-Help Machine
Set the default source path for Update-Help User
Turn on Module Logging Machine
Turn on Module Logging User
Turn on PowerShell Script Block Logging Machine
Turn on PowerShell Script Block Logging User
Turn on PowerShell Transcription Machine
Turn on PowerShell Transcription User
Turn on Script Execution Machine
Turn on Script Execution User
Hide previous versions list for local files User
Hide previous versions list for local files Machine
Hide previous versions list for remote files User
Hide previous versions list for remote files Machine
Hide previous versions of files on backup location User
Hide previous versions of files on backup location Machine
Prevent restoring local previous versions User
Prevent restoring local previous versions Machine
Prevent restoring previous versions from backups User
Prevent restoring previous versions from backups Machine
Prevent restoring remote previous versions User
Prevent restoring remote previous versions Machine
Activate Internet printing Machine
Add Printer wizard - Network scan page (Managed network) Machine
Add Printer wizard - Network scan page (Unmanaged network) Machine
Allow job name in event logs Machine
Always rasterize content to be printed using a software rasterizer Machine
Always render print jobs on the server Machine
Browse a common web site to find printers User
Browse the network to find printers User
Change Microsoft XPS Document Writer (MXDW) default output format to theMachine
Computer location Machine
Custom support URL in the Printers folder's left pane Machine
Default Active Directory path when searching for printers User
Disallow installation of printers using kernel-mode drivers Machine
Do not allow v4 printer drivers to show printer extensions Machine
Execute print drivers in isolated processes Machine
Extend Point and Print connection to search Windows Update Machine
Isolate print drivers from applications Machine
Only use Package Point and print User
Only use Package Point and print Machine
Override print driver execution compatibility setting reported by print driverMachine
Package Point and print - Approved servers User
Package Point and print - Approved servers Machine
Point and Print Restrictions User
Point and Print Restrictions Machine
Pre-populate printer search location text Machine
Prevent addition of printers User
Prevent deletion of printers User
Printer browsing Machine
Turn off Windows default printer management User
Allow Print Spooler to accept client connections Machine
Allow printers to be published Machine
Allow pruning of published printers Machine
Automatically publish new printers in Active Directory Machine
Check published state Machine
Directory pruning interval Machine
Directory pruning priority Machine
Directory pruning retry Machine
Log directory pruning retry events Machine
Prune printers that are not automatically republished Machine
Hide "Get Programs" page User
Hide "Installed Updates" page User
Hide "Programs and Features" page User
Hide "Set Program Access and Computer Defaults" page User
Hide "Windows Features" User
Hide "Windows Marketplace" User
Hide the Programs Control Panel User
Best effort service type Machine
Controlled load service type Machine
Guaranteed service type Machine
Limit outstanding packets Machine
Limit reservable bandwidth Machine
Network control service type Machine
Non-conforming packets Machine
Qualitative service type Machine
Set timer resolution Machine
Configure Reliability WMI Providers Machine
Allow restore of system to default state Machine
Activate Shutdown Event Tracker System State Data feature Machine
Display Shutdown Event Tracker Machine
Enable Persistent Time Stamp Machine
Report unplanned shutdown events Machine
Allow only Windows Vista or later connections Machine
Configure Offer Remote Assistance Machine
Configure Solicited Remote Assistance Machine
Customize warning messages Machine
Turn on bandwidth optimization Machine
Turn on session logging Machine
All Removable Storage classes: Deny all access User
All Removable Storage classes: Deny all access Machine
All Removable Storage: Allow direct access in remote sessions Machine
CD and DVD: Deny execute access Machine
CD and DVD: Deny read access User
CD and DVD: Deny read access Machine
CD and DVD: Deny write access User
CD and DVD: Deny write access Machine
Custom Classes: Deny read access User
Custom Classes: Deny read access Machine
Custom Classes: Deny write access User
Custom Classes: Deny write access Machine
Floppy Drives: Deny execute access Machine
Floppy Drives: Deny read access User
Floppy Drives: Deny read access Machine
Floppy Drives: Deny write access User
Floppy Drives: Deny write access Machine
Removable Disks: Deny execute access Machine
Removable Disks: Deny read access User
Removable Disks: Deny read access Machine
Removable Disks: Deny write access User
Removable Disks: Deny write access Machine
Set time (in seconds) to force reboot User
Set time (in seconds) to force reboot Machine
Tape Drives: Deny execute access Machine
Tape Drives: Deny read access User
Tape Drives: Deny read access Machine
Tape Drives: Deny write access User
Tape Drives: Deny write access Machine
WPD Devices: Deny read access User
WPD Devices: Deny read access Machine
WPD Devices: Deny write access User
WPD Devices: Deny write access Machine
Enable RPC Endpoint Mapper Client Authentication Machine
Ignore Delegation Failure Machine
Maintain RPC Troubleshooting State Information Machine
Propagate extended error information Machine
Restrict Unauthenticated RPC clients Machine
Set Minimum Idle Connection Timeout for RPC/HTTP connections Machine
Allow logon scripts when NetBIOS or WINS is disabled Machine
Display instructions in logoff scripts as they run User
Display instructions in logon scripts as they run User
Display instructions in shutdown scripts as they run Machine
Display instructions in startup scripts as they run Machine
Run legacy logon scripts hidden User
Run logon scripts synchronously User
Run logon scripts synchronously Machine
Run startup scripts asynchronously Machine
Run Windows PowerShell scripts first at computer startup, shutdown Machine
Run Windows PowerShell scripts first at user logon, logoff Machine
Run Windows PowerShell scripts first at user logon, logoff User
Specify maximum wait time for Group Policy scripts Machine
Configure Security Policy for Scripted Diagnostics Machine
Troubleshooting: Allow users to access and run Troubleshooting Wizards Machine
Troubleshooting: Allow users to access online troubleshooting content on Mi Machine
Configure Scheduled Maintenance Behavior Machine
Add primary intranet search location Machine
Add secondary intranet search locations Machine
Allow Cortana Machine
Allow Cortana above lock screen Machine
Allow indexing of encrypted files Machine
Allow search and Cortana to use location Machine
Allow use of diacritics Machine
Always use automatic language detection when indexing content and properMachine
Control rich previews for attachments Machine
Default excluded paths Machine
Default excluded paths User
Default indexed paths Machine
Default indexed paths User
Disable indexer backoff Machine
Do not allow locations on removable drives to be added to libraries Machine
Do not allow web search Machine
Don't search the web or display web results in Search Machine
Don't search the web or display web results in Search over metered connectMachine
Enable indexing of online delegate mailboxes Machine
Enable indexing uncached Exchange folders Machine
Enable throttling for online mail indexing Machine
Indexer data location Machine
Prevent adding UNC locations to index from Control Panel Machine
Prevent adding UNC locations to index from Control Panel User
Prevent adding user-specified locations to the All Locations menu Machine
Prevent automatically adding shared folders to the Windows Search index Machine
Prevent clients from querying the index remotely Machine
Prevent customization of indexed locations in Control Panel Machine
Prevent customization of indexed locations in Control Panel User
Prevent indexing certain paths Machine
Prevent indexing certain paths User
Prevent indexing e-mail attachments Machine
Prevent indexing files in offline files cache Machine
Prevent indexing Microsoft Office Outlook Machine
Prevent indexing of certain file types Machine
Prevent indexing public folders Machine
Prevent indexing when running on battery power to conserve energy Machine
Prevent the display of advanced indexing options for Windows Search in the Machine
Prevent unwanted iFilters and protocol handlers Machine
Preview pane location Machine
Set large or small icon view in desktop search results Machine
Set the SafeSearch setting for Search Machine
Set what information is shared in Search Machine
Stop indexing in the event of limited hard drive space Machine
Turn off storage and display of search history User
Turn on Security Center (Domain PCs only) Machine
Turn off location User
Turn off location Machine
Turn off location scripting User
Turn off location scripting Machine
Turn off sensors User
Turn off sensors Machine
Configure the refresh interval for Server Manager Machine
Do not display Initial Configuration Tasks window automatically at logon Machine
Do not display Manage Your Server page at logon Machine
Do not display Server Manager automatically at logon Machine
Specify settings for optional component installation and component repair Machine
Do not sync Machine
Do not sync app settings Machine
Do not sync Apps Machine
Do not sync browser settings Machine
Do not sync desktop personalization Machine
Do not sync on metered connections Machine
Do not sync other Windows settings Machine
Do not sync passwords Machine
Do not sync personalize Machine
Do not sync start settings Machine
Specify Windows installation file location Machine
Specify Windows Service Pack installation file location Machine
Turn off handwriting personalization data sharing Machine
Turn off handwriting personalization data sharing User
Allow DFS roots to be published User
Allow shared folders to be published User
Prevent the computer from joining a homegroup Machine
Prevent users from sharing files within their profile. User
Don't run specified Windows applications User
Prevent access to registry editing tools User
Prevent access to the command prompt User
Run only specified Windows applications User
Do not display the Welcome Center at user logon User
Restrict unpacking and installation of gadgets that are not digitally signed. User
Restrict unpacking and installation of gadgets that are not digitally signed. Machine
Turn off desktop gadgets User
Turn off desktop gadgets Machine
Turn Off user-installed desktop gadgets User
Turn Off user-installed desktop gadgets Machine
Prevent OneDrive files from syncing over metered connections Machine
Prevent the usage of OneDrive for file storage Machine
Prevent the usage of OneDrive for file storage on Windows 8.1 Machine
Save documents to OneDrive by default Machine
Allow certificates with no extended key usage certificate attribute Machine
Allow ECC certificates to be used for logon and authentication Machine
Allow Integrated Unblock screen to be displayed at the time of logon Machine
Allow signature keys valid for Logon Machine
Allow time invalid certificates Machine
Allow user name hint Machine
Configure root certificate clean up Machine
Display string when smart card is blocked Machine
Filter duplicate logon certificates Machine
Force the reading of all certificates from the smart card Machine
Notify user of successful smart card driver installation Machine
Prevent plaintext PINs from being returned by Credential Manager Machine
Reverse the subject name stored in a certificate when displaying Machine
Turn on certificate propagation from smart card Machine
Turn on root certificate propagation from smart card Machine
Turn on Smart Card Plug and Play service Machine
Specify communities Machine
Specify permitted managers Machine
Specify traps for public community Machine
Do not allow Sound Recorder to run User
Do not allow Sound Recorder to run Machine
Customize message for Access Denied errors Machine
Enable access-denied assistance on client for all file types Machine
File Classification Infrastructure: Display Classification tab in File Explorer Machine
File Classification Infrastructure: Specify classification properties list Machine
Add "Run in Separate Memory Space" check box to Run dialog box User
Add Logoff to the Start Menu User
Add Search Internet link to Start Menu User
Add the Run command to the Start Menu User
Change Start Menu power button User
Clear history of recently opened documents on exit User
Clear the recent programs list for new users User
Clear tile notifications during log on User
Do not display any custom toolbars in the taskbar User
Do not keep history of recently opened documents User
Do not search communications User
Do not search for files User
Do not search Internet User
Do not search programs and Control Panel items User
Do not use the search-based method when resolving shell shortcuts User
Do not use the tracking-based method when resolving shell shortcuts User
Force classic Start Menu User
Force Start to be either full screen size or menu size User
Go to the desktop instead of Start when signing in User
Gray unavailable Windows Installer programs Start Menu shortcuts User
Hide the notification area User
List desktop apps first in the Apps view User
Lock the Taskbar User
Pin Apps to Start when installed Machine
Pin Apps to Start when installed User
Prevent changes to Taskbar and Start Menu Settings User
Prevent grouping of taskbar items User
Prevent users from customizing their Start Screen User
Prevent users from uninstalling applications from Start User
Remove access to the context menus for the taskbar User
Remove All Programs list from the Start menu User
Remove and prevent access to the Shut Down, Restart, Sleep, and Hiberna User
Remove Balloon Tips on Start Menu items User
Remove Clock from the system notification area User
Remove common program groups from Start Menu User
Remove Default Programs link from the Start menu. User
Remove Documents icon from Start Menu User
Remove Downloads link from Start Menu User
Remove Favorites menu from Start Menu User
Remove frequent programs list from the Start Menu User
Remove Games link from Start Menu User
Remove Help menu from Start Menu User
Remove Homegroup link from Start Menu User
Remove links and access to Windows Update User
Remove Logoff on the Start Menu User
Remove Music icon from Start Menu User
Remove Network Connections from Start Menu User
Remove Network icon from Start Menu User
Remove Pictures icon from Start Menu User
Remove pinned programs list from the Start Menu User
Remove programs on Settings menu User
Remove Recent Items menu from Start Menu User
Remove Recorded TV link from Start Menu User
Remove Run menu from Start Menu User
Remove Search Computer link User
Remove Search link from Start Menu User
Remove See More Results / Search Everywhere link User
Remove the "Undock PC" button from the Start Menu User
Remove user folder link from Start Menu User
Remove user name from Start Menu User
Remove user's folders from the Start Menu User
Remove Videos link from Start Menu User
Search just apps from the Apps view User
Show "Run as different user" command on Start User
Show QuickLaunch on Taskbar User
Show Start on the display the user is using when they press the Windows lo User
Show the Apps view automatically when the user goes to Start User
Start Layout Machine
Start Layout User
Turn off notification area cleanup User
Turn off personalized menus User
Turn off user tracking User
Turn off Configuration Machine
Turn off System Restore Machine
Disable text prediction User
Disable text prediction Machine
For tablet pen input, dont show the Input Panel icon User
For tablet pen input, dont show the Input Panel icon Machine
For touch input, dont show the Input Panel icon User
For touch input, dont show the Input Panel icon Machine
Include rarely used Chinese, Kanji, or Hanja characters User
Include rarely used Chinese, Kanji, or Hanja characters Machine
Prevent Input Panel tab from appearing User
Prevent Input Panel tab from appearing Machine
Turn off AutoComplete integration with Input Panel User
Turn off AutoComplete integration with Input Panel Machine
Turn off password security in Input Panel User
Turn off password security in Input Panel Machine
Turn off tolerant and Z-shaped scratch-out gestures User
Turn off tolerant and Z-shaped scratch-out gestures Machine
Do not allow Inkball to run User
Do not allow Inkball to run Machine
Do not allow printing to Journal Note Writer User
Do not allow printing to Journal Note Writer Machine
Do not allow Snipping Tool to run User
Do not allow Snipping Tool to run Machine
Do not allow Windows Journal to be run User
Do not allow Windows Journal to be run Machine
Prevent Back-ESC mapping User
Prevent Back-ESC mapping Machine
Prevent flicks User
Prevent flicks Machine
Prevent Flicks Learning Mode User
Prevent Flicks Learning Mode Machine
Prevent launch an application User
Prevent launch an application Machine
Prevent press and hold User
Prevent press and hold Machine
Turn off hardware buttons User
Turn off hardware buttons Machine
Turn off pen feedback User
Turn off pen feedback Machine
Disable showing balloon notifications as toasts. User
Do not allow pinning items in Jump Lists User
Do not allow pinning programs to the Taskbar User
Do not allow pinning Store app to the Taskbar User
Do not allow taskbars on more than one display User
Do not display or track items in Jump Lists from remote locations User
Lock all taskbar settings User
Prevent users from adding or removing toolbars User
Prevent users from moving taskbar to another screen dock location User
Prevent users from rearranging toolbars User
Prevent users from resizing the taskbar User
Remove Notifications and Action Center User
Remove pinned programs from the Taskbar User
Remove the battery meter User
Remove the networking icon User
Remove the Security and Maintenance icon User
Remove the volume control icon User
Show Windows Store apps on the taskbar User
Turn off all balloon notifications User
Turn off automatic promotion of notification icons to the taskbar User
Turn off feature advertisement balloon notifications User
Turn off taskbar thumbnails User
Hide Advanced Properties Checkbox in Add Scheduled Task Wizard User
Hide Advanced Properties Checkbox in Add Scheduled Task Wizard Machine
Hide Property Pages User
Hide Property Pages Machine
Prevent Task Run or End User
Prevent Task Run or End Machine
Prohibit Browse User
Prohibit Browse Machine
Prohibit Drag-and-Drop User
Prohibit Drag-and-Drop Machine
Prohibit New Task Creation User
Prohibit New Task Creation Machine
Prohibit Task Deletion User
Prohibit Task Deletion Machine
Set 6to4 Relay Name Machine
Set 6to4 Relay Name Resolution Interval Machine
Set 6to4 State Machine
Set IP Stateless Autoconfiguration Limits State Machine
Set IP-HTTPS State Machine
Set ISATAP Router Name Machine
Set ISATAP State Machine
Set Teredo Client Port Machine
Set Teredo Default Qualified Machine
Set Teredo Refresh Rate Machine
Set Teredo Server Name Machine
Set Teredo State Machine
Set Window Scaling Heuristics State Machine
Allow .rdp files from unknown publishers User
Allow .rdp files from unknown publishers Machine
Allow .rdp files from valid publishers and user's default .rdp settings User
Allow .rdp files from valid publishers and user's default .rdp settings Machine
Allow audio and video playback redirection Machine
Allow audio recording redirection Machine
Allow RDP redirection of other supported RemoteFX USB devices from this Machine
Allow time zone redirection Machine
Allow users to connect remotely by using Remote Desktop Services Machine
Always prompt for password upon connection Machine
Always show desktop on connection Machine
Automatic reconnection Machine
Configure compression for RemoteFX data Machine
Configure H.264/AVC hardware encoding for Remote Desktop Connections Machine
Configure image quality for RemoteFX Adaptive Graphics Machine
Configure keep-alive connection interval Machine
Configure RD Connection Broker farm name Machine
Configure RD Connection Broker server name Machine
Configure RemoteFX Machine
Configure RemoteFX Adaptive Graphics Machine
Configure server authentication for client Machine
Deny logoff of an administrator logged in to the console session Machine
Do not allow client printer redirection Machine
Do not allow Clipboard redirection Machine
Do not allow COM port redirection Machine
Do not allow drive redirection Machine
Do not allow hardware accelerated decoding Machine
Do not allow local administrators to customize permissions Machine
Do not allow LPT port redirection Machine
Do not allow passwords to be saved User
Do not allow passwords to be saved Machine
Do not allow smart card device redirection Machine
Do not allow supported Plug and Play device redirection Machine
Do not delete temp folders upon exit Machine
Do not set default client printer to be default printer in a session Machine
Do not use temporary folders per session Machine
Enable connection through RD Gateway User
Enable RemoteFX encoding for RemoteFX clients designed for Windows ServMachine
End session when time limits are reached User
End session when time limits are reached Machine
Enforce Removal of Remote Desktop Wallpaper Machine
Hide notifications about RD Licensing problems that affect the RD Session HMachine
Join RD Connection Broker Machine
License server security group Machine
Limit audio playback quality Machine
Limit maximum color depth Machine
Limit maximum display resolution Machine
Limit number of connections Machine
Limit number of monitors Machine
Limit the size of the entire roaming user profile cache Machine
Optimize visual experience for Remote Desktop Service Sessions Machine
Optimize visual experience when using RemoteFX Machine
Prevent license upgrade Machine
Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections Machine
Prompt for credentials on the client computer Machine
Remove "Disconnect" option from Shut Down dialog Machine
Remove Windows Security item from Start menu Machine
Require secure RPC communication Machine
Require use of specific security layer for remote (RDP) connections Machine
Require user authentication for remote connections by using Network Level Machine
Restrict Remote Desktop Services users to a single Remote Desktop ServicesMachine
Select network detection on the server Machine
Select RDP transport protocols Machine
Server authentication certificate template Machine
Set client connection encryption level Machine
Set path for Remote Desktop Services Roaming User Profile Machine
Set RD Gateway authentication method User
Set RD Gateway server address User
Set Remote Desktop Services User Home Directory Machine
Set rules for remote control of Remote Desktop Services user sessions User
Set rules for remote control of Remote Desktop Services user sessions Machine
Set the Remote Desktop licensing mode Machine
Set time limit for active but idle Remote Desktop Services sessions User
Set time limit for active but idle Remote Desktop Services sessions Machine
Set time limit for active Remote Desktop Services sessions User
Set time limit for active Remote Desktop Services sessions Machine
Set time limit for disconnected sessions User
Set time limit for disconnected sessions Machine
Specify default connection URL User
Specify RD Session Host server fallback printer driver behavior Machine
Specify SHA1 thumbprints of certificates representing trusted .rdp publisherMachine
Specify SHA1 thumbprints of certificates representing trusted .rdp publisherUser
Start a program on connection User
Start a program on connection Machine
Suspend user sign-in to complete app registration Machine
Turn Off UDP On Client Machine
Use advanced RemoteFX graphics for RemoteApp Machine
Use IP Address Redirection Machine
Use mandatory profiles on the RD Session Host server Machine
Use Remote Desktop Easy Print printer driver first Machine
Use Remote Desktop Easy Print printer driver first User
Use the hardware default graphics adapter for all Remote Desktop Services Machine
Use the specified Remote Desktop license servers Machine
Allow desktop composition for remote desktop sessions Machine
Allow remote start of unlisted programs Machine
Allow time zone redirection User
Always show desktop on connection User
Do not allow Clipboard redirection User
Do not allow font smoothing Machine
Do not use Remote Desktop Session Host server IP address when virtual IP ad Machine
Redirect only the default client printer Machine
Redirect only the default client printer User
Remove remote desktop wallpaper User
Select the network adapter to be used for Remote Desktop IP Virtualization Machine
Set time limit for logoff of RemoteApp sessions User
Set time limit for logoff of RemoteApp sessions Machine
Turn off Fair Share CPU Scheduling Machine
Turn off Windows Installer RDS Compatibility Machine
Turn on Remote Desktop IP Virtualization Machine
Use RD Connection Broker load balancing Machine
Turn off the caching of thumbnails in hidden thumbs.db files User
Turn off the display of thumbnails and only display icons on network folders User
Turn off the display of thumbnails and only display icons. User
Turn off Tablet PC touch input User
Turn off Tablet PC touch input Machine
Turn off Touch Panning User
Turn off Touch Panning Machine
Configure the level of TPM owner authorization information available to the Machine
Configure the list of blocked TPM commands Machine
Ignore the default list of blocked TPM commands Machine
Ignore the local list of blocked TPM commands Machine
Standard User Individual Lockout Threshold Machine
Standard User Lockout Duration Machine
Standard User Total Lockout Threshold Machine
Access 2013 backup only Machine
Access 2013 backup only User
Access 2016 backup only Machine
Access 2016 backup only User
Calculator Machine
Calculator User
Common 2013 backup only Machine
Common 2013 backup only User
Common 2016 backup only Machine
Common 2016 backup only User
Configure Sync Method Machine
Configure Sync Method User
Contact IT Link Text Machine
Contact IT URL Machine
Do not synchronize Windows Apps Machine
Do not synchronize Windows Apps User
Enable UEV Machine
Excel 2013 backup only Machine
Excel 2013 backup only User
Excel 2016 backup only Machine
Excel 2016 backup only User
Finance Machine
Finance User
First Use Notification Machine
Games Machine
Games User
InfoPath 2013 backup only Machine
InfoPath 2013 backup only User
Internet Explorer 10 Machine
Internet Explorer 10 User
Internet Explorer Common Settings Machine
Internet Explorer Common Settings User
Lync 2013 backup only Machine
Lync 2013 backup only User
Lync 2016 backup only Machine
Lync 2016 backup only User
Maps Machine
Maps User
Microsoft Access 2010 Machine
Microsoft Access 2010 User
Microsoft Excel 2010 Machine
Microsoft Excel 2010 User
Microsoft InfoPath 2010 Machine
Microsoft InfoPath 2010 User
Microsoft InfoPath 2013 Machine
Microsoft InfoPath 2013 User
Microsoft Lync 2010 Machine
Microsoft Lync 2010 User
Microsoft Office 2010 Common Settings Machine
Microsoft Office 2010 Common Settings User
Microsoft Office 2013 Upload Center Machine
Microsoft Office 2013 Upload Center User
Microsoft Office 2016 Upload Center Machine
Microsoft Office 2016 Upload Center User
Microsoft Office 365 Access 2013 Machine
Microsoft Office 365 Access 2013 User
Microsoft Office 365 Access 2016 Machine
Microsoft Office 365 Access 2016 User
Microsoft Office 365 Common 2013 Machine
Microsoft Office 365 Common 2013 User
Microsoft Office 365 Common 2016 Machine
Microsoft Office 365 Common 2016 User
Microsoft Office 365 Excel 2013 Machine
Microsoft Office 365 Excel 2013 User
Microsoft Office 365 Excel 2016 Machine
Microsoft Office 365 Excel 2016 User
Microsoft Office 365 InfoPath 2013 Machine
Microsoft Office 365 InfoPath 2013 User
Microsoft Office 365 Lync 2013 Machine
Microsoft Office 365 Lync 2013 User
Microsoft Office 365 Lync 2016 Machine
Microsoft Office 365 Lync 2016 User
Microsoft Office 365 OneNote 2013 Machine
Microsoft Office 365 OneNote 2013 User
Microsoft Office 365 OneNote 2016 Machine
Microsoft Office 365 OneNote 2016 User
Microsoft Office 365 Outlook 2013 Machine
Microsoft Office 365 Outlook 2013 User
Microsoft Office 365 Outlook 2016 Machine
Microsoft Office 365 Outlook 2016 User
Microsoft Office 365 PowerPoint 2013 Machine
Microsoft Office 365 PowerPoint 2013 User
Microsoft Office 365 PowerPoint 2016 Machine
Microsoft Office 365 PowerPoint 2016 User
Microsoft Office 365 Project 2013 Machine
Microsoft Office 365 Project 2013 User
Microsoft Office 365 Project 2016 Machine
Microsoft Office 365 Project 2016 User
Microsoft Office 365 Publisher 2013 Machine
Microsoft Office 365 Publisher 2013 User
Microsoft Office 365 Publisher 2016 Machine
Microsoft Office 365 Publisher 2016 User
Microsoft Office 365 SharePoint Designer 2013 Machine
Microsoft Office 365 SharePoint Designer 2013 User
Microsoft Office 365 Visio 2013 Machine
Microsoft Office 365 Visio 2013 User
Microsoft Office 365 Visio 2016 Machine
Microsoft Office 365 Visio 2016 User
Microsoft Office 365 Word 2013 Machine
Microsoft Office 365 Word 2013 User
Microsoft Office 365 Word 2016 Machine
Microsoft Office 365 Word 2016 User
Microsoft OneDrive for Business 2013 Machine
Microsoft OneDrive for Business 2013 User
Microsoft OneDrive for Business 2016 Machine
Microsoft OneDrive for Business 2016 User
Microsoft OneNote 2010 Machine
Microsoft OneNote 2010 User
Microsoft Outlook 2010 Machine
Microsoft Outlook 2010 User
Microsoft PowerPoint 2010 Machine
Microsoft PowerPoint 2010 User
Microsoft Project 2010 Machine
Microsoft Project 2010 User
Microsoft Publisher 2010 Machine
Microsoft Publisher 2010 User
Microsoft SharePoint Designer 2010 Machine
Microsoft SharePoint Designer 2010 User
Microsoft SharePoint Designer 2013 Machine
Microsoft SharePoint Designer 2013 User
Microsoft SharePoint Workspace 2010 Machine
Microsoft SharePoint Workspace 2010 User
Microsoft Visio 2010 Machine
Microsoft Visio 2010 User
Microsoft Word 2010 Machine
Microsoft Word 2010 User
Music Machine
Music User
News Machine
News User
Notepad Machine
Notepad User
OneNote 2013 backup only Machine
OneNote 2013 backup only User
OneNote 2016 backup only Machine
OneNote 2016 backup only User
Outlook 2013 backup only Machine
Outlook 2013 backup only User
Outlook 2016 backup only Machine
Outlook 2016 backup only User
Ping the settings storage location before sync Machine
Ping the settings storage location before sync User
PowerPoint 2013 backup only Machine
PowerPoint 2013 backup only User
PowerPoint 2016 backup only Machine
PowerPoint 2016 backup only User
Project 2013 backup only Machine
Project 2013 backup only User
Project 2016 backup only Machine
Project 2016 backup only User
Publisher 2013 backup only Machine
Publisher 2013 backup only User
Publisher 2016 backup only Machine
Publisher 2016 backup only User
Reader Machine
Reader User
Settings package size warning threshold Machine
Settings package size warning threshold User
Settings storage path Machine
Settings storage path User
Settings template catalog path Machine
SharePoint Designer 2013 backup only Machine
SharePoint Designer 2013 backup only User
Sports Machine
Sports User
Sync settings over metered connections Machine
Sync settings over metered connections User
Sync settings over metered connections even when roaming Machine
Sync settings over metered connections even when roaming User
Sync Unlisted Windows Apps Machine
Synchronization timeout Machine
Synchronization timeout User
Synchronize Windows settings Machine
Synchronize Windows settings User
Travel Machine
Travel User
Tray Icon Machine
Use User Experience Virtualization (UE-V) Machine
Use User Experience Virtualization (UE-V) User
VDI Configuration Machine
VDI Configuration User
Video Machine
Video User
Visio 2013 backup only Machine
Visio 2013 backup only User
Visio 2016 backup only Machine
Visio 2016 backup only User
Weather Machine
Weather User
Word 2013 backup only Machine
Word 2013 backup only User
Word 2016 backup only Machine
Word 2016 backup only User
WordPad Machine
WordPad User
Add the Administrators security group to roaming user profiles Machine
Connect home directory to root of the share User
Control slow network connection timeout for user profiles Machine
Delete cached copies of roaming profiles Machine
Delete user profiles older than a specified number of days on system restartMachine
Disable detection of slow network connections Machine
Do not check for user ownership of Roaming Profile Folders Machine
Do not forcefully unload the users registry at user logoff Machine
Do not log users on with temporary profiles Machine
Download roaming profiles on primary computers only Machine
Establish timeout value for dialog boxes Machine
Exclude directories in roaming profile User
Leave Windows Installer and Group Policy Software Installation Data Machine
Limit profile size User
Maximum retries to unload and update user profile Machine
Only allow local user profiles Machine
Prevent Roaming Profile changes from propagating to the server Machine
Prompt user when a slow network connection is detected Machine
Set maximum wait time for the network if a user has a roaming user profile Machine
Set roaming profile path for all users logging onto this computer Machine
Set the schedule for background upload of a roaming user profile's registry fMachine
Set user home folder Machine
Specify network directories to sync at logon/logoff time only User
Turn off the advertising ID Machine
User management of sharing user name, account picture, and domain inform Machine
Wait for remote user profile Machine
Allow access to BitLocker-protected fixed data drives from earlier versions Machine
Allow access to BitLocker-protected removable data drives from earlier vers Machine
Allow enhanced PINs for startup Machine
Allow network unlock at startup Machine
Allow Secure Boot for integrity validation Machine
Choose default folder for recovery password Machine
Choose drive encryption method and cipher strength (Windows 10 [Version 1Machine
Choose drive encryption method and cipher strength (Windows 8, Windows Machine
Choose drive encryption method and cipher strength (Windows Vista, Wind Machine
Choose how BitLocker-protected fixed drives can be recovered Machine
Choose how BitLocker-protected operating system drives can be recovered Machine
Choose how BitLocker-protected removable drives can be recovered Machine
Choose how users can recover BitLocker-protected drives (Windows Server Machine
Configure minimum PIN length for startup Machine
Configure pre-boot recovery message and URL Machine
Configure TPM platform validation profile (Windows Vista, Windows Server Machine
Configure TPM platform validation profile for BIOS-based firmware configuratMachine
Configure TPM platform validation profile for native UEFI firmware configuratMachine
Configure use of hardware-based encryption for fixed data drives Machine
Configure use of hardware-based encryption for operating system drives Machine
Configure use of hardware-based encryption for removable data drives Machine
Configure use of passwords for fixed data drives Machine
Configure use of passwords for operating system drives Machine
Configure use of passwords for removable data drives Machine
Configure use of smart cards on fixed data drives Machine
Configure use of smart cards on removable data drives Machine
Control use of BitLocker on removable drives Machine
Deny write access to fixed drives not protected by BitLocker Machine
Deny write access to removable drives not protected by BitLocker Machine
Disallow standard users from changing the PIN or password Machine
Enable use of BitLocker authentication requiring preboot keyboard input on sMachine
Enforce drive encryption type on fixed data drives Machine
Enforce drive encryption type on operating system drives Machine
Enforce drive encryption type on removable data drives Machine
Prevent memory overwrite on restart Machine
Provide the unique identifiers for your organization Machine
Require additional authentication at startup Machine
Require additional authentication at startup (Windows Server 2008 and WindMachine
Reset platform validation data after BitLocker recovery Machine
Store BitLocker recovery information in Active Directory Domain Services Machine
Use enhanced Boot Configuration Data validation profile Machine
Validate smart card certificate usage rule compliance Machine
Configure Windows NTP Client Machine
Enable Windows NTP Client Machine
Enable Windows NTP Server Machine
Global Configuration Settings Machine
Disable power management in connected standby mode Machine
Minimize the number of simultaneous connections to the Internet or a Win Machine
Prohibit connection to non-domain networks when connected to domain aut Machine
Prohibit connection to roaming Mobile Broadband networks Machine
Diagnostics: Configure scenario execution level Machine
Diagnostics: Configure scenario retention Machine
Turn off Windows Calendar User
Turn off Windows Calendar Machine
Prevent the wizard from running. Machine
Prevent the wizard from running. User
Allow only system backup Machine
Disallow locally attached storage as backup target Machine
Disallow network as backup target Machine
Disallow optical media as backup target Machine
Disallow run-once backups Machine
Prohibit installing or uninstalling color profiles User
Prohibit installing or uninstalling color profiles Machine
Configuration of wireless settings using Windows Connect Now Machine
Prohibit access of the Windows Connect Now wizards User
Prohibit access of the Windows Connect Now wizards Machine
Allow antimalware service to remain running always Machine
Allow antimalware service to startup with normal priority Machine
Allow definition updates from Microsoft Update Machine
Allow definition updates when running on battery power Machine
Allow notifications to disable definitions based reports to Microsoft MAPS Machine
Allow real-time definition updates based on reports to Microsoft MAPS Machine
Allow users to pause scan Machine
Check for the latest virus and spyware definitions before running a schedul Machine
Check for the latest virus and spyware definitions on startup Machine
Configure local administrator merge behavior for lists Machine
Configure local setting override for maximum percentage of CPU utilization Machine
Configure local setting override for monitoring file and program activity on Machine
Configure local setting override for monitoring for incoming and outgoing fileMachine
Configure local setting override for reporting to Microsoft MAPS Machine
Configure local setting override for scanning all downloaded files and attac Machine
Configure local setting override for schedule scan day Machine
Configure local setting override for scheduled quick scan time Machine
Configure local setting override for scheduled scan time Machine
Configure local setting override for the removal of items from Quarantine folMachine
Configure local setting override for the scan type to use for a scheduled sca Machine
Configure local setting override for the time of day to run a scheduled full Machine
Configure local setting override for turn on behavior monitoring Machine
Configure local setting override to turn on real-time protection Machine
Configure monitoring for incoming and outgoing file and program activity Machine
Configure removal of items from Quarantine folder Machine
Configure the 'Block at First Sight' feature Machine
Configure time out for detections in critically failed state Machine
Configure time out for detections in non-critical failed state Machine
Configure time out for detections in recently remediated state Machine
Configure time out for detections requiring additional action Machine
Configure Watson events Machine
Configure Windows software trace preprocessor components Machine
Configure WPP tracing level Machine
Create a system restore point Machine
Define addresses to bypass proxy server Machine
Define file shares for downloading definition updates Machine
Define proxy auto-config (.pac) for connecting to the network Machine
Define proxy server for connecting to the network Machine
Define the maximum size of downloaded files and attachments to be scann Machine
Define the number of days after which a catch-up definition update is requirMachine
Define the number of days after which a catch-up scan is forced Machine
Define the number of days before spyware definitions are considered out of Machine
Define the number of days before virus definitions are considered out of datMachine
Define the order of sources for downloading definition updates Machine
Display additional text to clients when they need to perform an action Machine
Enable headless UI mode Machine
Extension Exclusions Machine
Initiate definition update on startup Machine
Join Microsoft MAPS Machine
Monitor file and program activity on your computer Machine
Path Exclusions Machine
Process Exclusions Machine
Randomize scheduled task times Machine
Run full scan on mapped network drives Machine
Scan all downloaded files and attachments Machine
Scan archive files Machine
Scan network files Machine
Scan packed executables Machine
Scan removable drives Machine
Send file samples when further analysis is required Machine
Specify additional definition sets for network traffic inspection Machine
Specify the day of the week to check for definition updates Machine
Specify the day of the week to run a scheduled full scan to complete remediMachine
Specify the day of the week to run a scheduled scan Machine
Specify the interval to check for definition updates Machine
Specify the interval to run quick scans per day Machine
Specify the maximum depth to scan archive files Machine
Specify the maximum percentage of CPU utilization during a scan Machine
Specify the maximum size of archive files to be scanned Machine
Specify the scan type to use for a scheduled scan Machine
Specify the time for a daily quick scan Machine
Specify the time of day to run a scheduled full scan to complete remediationMachine
Specify the time of day to run a scheduled scan Machine
Specify the time to check for definition updates Machine
Specify threat alert levels at which default action should not be taken when Machine
Specify threats upon which default action should not be taken when detecteMachine
Start the scheduled scan only when computer is on but not in use Machine
Suppress all notifications Machine
Suppresses reboot notifications Machine
Turn off Auto Exclusions Machine
Turn off real-time protection Machine
Turn off routine remediation Machine
Turn off Windows Defender Machine
Turn on behavior monitoring Machine
Turn on catch-up full scan Machine
Turn on catch-up quick scan Machine
Turn on definition retirement Machine
Turn on e-mail scanning Machine
Turn on heuristics Machine
Turn on process scanning whenever real-time protection is enabled Machine
Turn on protocol recognition Machine
Turn on raw volume write notifications Machine
Turn on removal of items from scan history folder Machine
Turn on reparse point scanning Machine
Turn on scan after signature update Machine
Allow only per user or approved shell extensions User
Allow OpenSearch queries in File Explorer Machine
Allow OpenSearch queries in File Explorer User
Allow previewing and custom thumbnails of OpenSearch query results in FileMachine
Allow previewing and custom thumbnails of OpenSearch query results in FileUser
Allow the use of remote paths in file shortcut icons Machine
Configure Windows SmartScreen Machine
Disable binding directly to IPropertySetStorage without intermediate layers. Machine
Disable binding directly to IPropertySetStorage without intermediate layers. User
Disable Known Folders User
Display confirmation dialog when deleting files User
Do not allow Folder Options to be opened from the Options button on the VieUser
Do not move deleted files to the Recycle Bin User
Do not request alternate credentials User
Do not show the 'new application installed' notification Machine
Do not track Shell shortcuts during roaming User
Hide the common dialog back button User
Hide the common dialog places bar User
Hide the dropdown list of recent files User
Hide these specified drives in My Computer User
Hides the Manage item on the File Explorer context menu User
Items displayed in Places Bar User
Location where all default Library definition files for users/machines reside. Machine
Location where all default Library definition files for users/machines reside. User
Maximum allowed Recycle Bin size User
Maximum number of recent documents User
No Computers Near Me in Network Locations User
No Entire Network in Network Locations User
Pin Internet search sites to the "Search again" links and the Start menu User
Pin Libraries or Search Connectors to the "Search again" links and the Start User
Prevent access to drives from My Computer User
Remove "Map Network Drive" and "Disconnect Network Drive" User
Remove CD Burning features User
Remove DFS tab User
Remove File Explorer's default context menu User
Remove File menu from File Explorer User
Remove Hardware tab User
Remove Search button from File Explorer User
Remove Security tab User
Remove Shared Documents from My Computer User
Remove the Search the Internet "Search again" link User
Remove UI to change keyboard navigation indicator setting User
Remove UI to change menu animation setting User
Request credentials for network installations User
Set a default associations configuration file Machine
Show hibernate in the power options menu Machine
Show lock in the user tile menu Machine
Show sleep in the power options menu Machine
Start File Explorer with ribbon minimized Machine
Start File Explorer with ribbon minimized User
Turn off caching of thumbnail pictures User
Turn off display of recent search entries in the File Explorer search box User
Turn off numerical sorting in File Explorer Machine
Turn off numerical sorting in File Explorer User
Turn off shell protocol protected mode User
Turn off shell protocol protected mode Machine
Turn off the display of snippets in Content view mode User
Turn off Windows Libraries features that rely on indexed file data User
Turn off Windows+X hotkeys User
Turn on Classic Shell User
Verify old and new Folder Redirection targets point to the same share beforeMachine
Hide the file scan progress window Machine
Limit Windows File Protection cache size Machine
Set Windows File Protection scanning Machine
Specify Windows File Protection cache location Machine
Windows Firewall: Allow authenticated IPsec bypass Machine
Windows Firewall: Allow ICMP exceptions Machine
Windows Firewall: Allow ICMP exceptions Machine
Windows Firewall: Allow inbound file and printer sharing exception Machine
Windows Firewall: Allow inbound file and printer sharing exception Machine
Windows Firewall: Allow inbound remote administration exception Machine
Windows Firewall: Allow inbound remote administration exception Machine
Windows Firewall: Allow inbound Remote Desktop exceptions Machine
Windows Firewall: Allow inbound Remote Desktop exceptions Machine
Windows Firewall: Allow inbound UPnP framework exceptions Machine
Windows Firewall: Allow inbound UPnP framework exceptions Machine
Windows Firewall: Allow local port exceptions Machine
Windows Firewall: Allow local port exceptions Machine
Windows Firewall: Allow local program exceptions Machine
Windows Firewall: Allow local program exceptions Machine
Windows Firewall: Allow logging Machine
Windows Firewall: Allow logging Machine
Windows Firewall: Define inbound port exceptions Machine
Windows Firewall: Define inbound port exceptions Machine
Windows Firewall: Define inbound program exceptions Machine
Windows Firewall: Define inbound program exceptions Machine
Windows Firewall: Do not allow exceptions Machine
Windows Firewall: Do not allow exceptions Machine
Windows Firewall: Prohibit notifications Machine
Windows Firewall: Prohibit notifications Machine
Windows Firewall: Prohibit unicast response to multicast or broadcast requesMachine
Windows Firewall: Prohibit unicast response to multicast or broadcast requesMachine
Windows Firewall: Protect all network connections Machine
Windows Firewall: Protect all network connections Machine
Allow suggested apps in Windows Ink Workspace Machine
Allow Windows Ink Workspace Machine
Turn off the communities features User
Turn off the communities features Machine
Turn off Windows Mail application User
Turn off Windows Mail application Machine
Prevent Windows Media DRM Internet Access Machine
Allow Screen Saver User
Configure HTTP Proxy User
Configure MMS Proxy User
Configure Network Buffering User
Configure RTSP Proxy User
Do Not Show Anchor User
Do Not Show First Use Dialog Boxes Machine
Hide Network Tab User
Hide Privacy Tab User
Hide Security Tab User
Prevent Automatic Updates Machine
Prevent CD and DVD Media Information Retrieval User
Prevent Codec Download User
Prevent Desktop Shortcut Creation Machine
Prevent Media Sharing Machine
Prevent Music File Media Information Retrieval User
Prevent Quick Launch Toolbar Shortcut Creation Machine
Prevent Radio Station Preset Retrieval User
Prevent Video Smoothing Machine
Set and Lock Skin User
Streaming Media Protocols User
Do not allow Windows Messenger to be run Machine
Do not allow Windows Messenger to be run User
Do not automatically start Windows Messenger initially Machine
Do not automatically start Windows Messenger initially User
Allow Basic authentication Machine
Allow Basic authentication Machine
Allow CredSSP authentication Machine
Allow CredSSP authentication Machine
Allow remote server management through WinRM Machine
Allow unencrypted traffic Machine
Allow unencrypted traffic Machine
Disallow Digest authentication Machine
Disallow Kerberos authentication Machine
Disallow Kerberos authentication Machine
Disallow Negotiate authentication Machine
Disallow Negotiate authentication Machine
Disallow WinRM from storing RunAs credentials Machine
Specify channel binding token hardening level Machine
Trusted Hosts Machine
Turn On Compatibility HTTP Listener Machine
Turn On Compatibility HTTPS Listener Machine
Allow Remote Shell Access Machine
MaxConcurrentUsers Machine
Specify idle Timeout Machine
Specify maximum amount of memory in MB per Shell Machine
Specify maximum number of processes per Shell Machine
Specify maximum number of remote shells per user Machine
Specify Shell Timeout Machine
Disable all apps from Windows Store Machine
Only display the private store within the Windows Store app User
Only display the private store within the Windows Store app Machine
Turn off Automatic Download and Install of updates Machine
Turn off Automatic Download of updates on Win8 machines Machine
Turn off the offer to update to the latest version of Windows User
Turn off the offer to update to the latest version of Windows Machine
Turn off the Store application User
Turn off the Store application Machine
Allow Automatic Updates immediate installation Machine
Allow non-administrators to receive update notifications Machine
Allow signed updates from an intranet Microsoft update service location Machine
Always automatically restart at the scheduled time Machine
Automatic Updates detection frequency Machine
Configure Automatic Updates Machine
Delay Restart for scheduled installations Machine
Do not adjust default option to 'Install Updates and Shut Down' in Shut Do User
Do not adjust default option to 'Install Updates and Shut Down' in Shut Do Machine
Do not connect to any Windows Update Internet locations Machine
Do not display 'Install Updates and Shut Down' option in Shut Down WindowMachine
Do not display 'Install Updates and Shut Down' option in Shut Down WindowUser
Do not include drivers with Windows Updates Machine
Enable client-side targeting Machine
Enabling Windows Update Power Management to automatically wake up theMachine s
No auto-restart with logged on users for scheduled automatic updates instalMachine
Remove access to use all Windows Update features User
Re-prompt for restart with scheduled installations Machine
Reschedule Automatic Updates scheduled installations Machine
Select when Feature Updates are received Machine
Select when Quality Updates are received Machine
Specify intranet Microsoft update service location Machine
Turn off auto-restart for updates during active hours Machine
Turn on recommended updates via Automatic Updates Machine
Turn on Software Notifications Machine
Windows Automatic Updates User
Remove access to use all Windows Update features Machine
Specify deadline before auto-restart for update installation Machine
Require use of fast startup Machine
Timeout for hung logon sessions during shutdown Machine
Turn off legacy remote shutdown interface Machine
Custom User Interface User
Disable or enable software Secure Attention Sequence Machine
Display information about previous logons during user logon Machine
Remove logon hours expiration warnings User
Report when logon server was not available during user logon Machine
Report when logon server was not available during user logon User
Set action to take when logon hours expire User
Sign-in last interactive user automatically after a system-initiated restart Machine
Turn off Automatic Download and Update of Map Data Machine
Turn off unsolicited network traffic on the Offline Maps settings page Machine
Turn off automatic termination of applications that block or cancel shutdownMachine
Don't allow this PC to be projected to Machine
Require pin for pairing Machine
Allow Windows to automatically connect to suggested open hotspots, to netw Machine
Prefer PIN pairing Machine
Require PIN pairing Machine
Set Cost Machine
Custom Instant Search Internet search provider User
Force automatic setup for all users Machine
Specify Work Folders settings User
Register domain joined computers as devices Machine
Set the time Quiet Hours begins each day User
Set the time Quiet Hours ends each day User
Turn off calls during Quiet Hours User
Turn off notification mirroring User
Turn off notifications network usage User
Turn off Quiet Hours User
Turn off tile notifications User
Turn off toast notifications User
Turn off toast notifications on the lock screen User
Set 3G Cost Machine
Set 4G Cost Machine
Policy Path Registry In
Windows Components\ActiveX Installer Service HKLM\SOFTW
Windows Components\ActiveX Installer Service HKLM\SOFTW
Control Panel\Add or Remove Programs HKCU\Softwa
Control Panel\Add or Remove Programs HKCU\Softw
Windows Components\Data Collection and Preview Builds HKLM\Softw
Windows Components\Application Compatibility HKLM\Softw
Windows Components\Application Compatibility HKCU\Softw
Windows Components\App Privacy HKLM\Softw
System\App-V\Streaming HKLM\SOFTW
System\App-V\Streaming HKLM\SOFTWA
System\App-V HKLM\Softwa
System\App-V\Virtualization HKLM\SOFTWA
System\App-V\Client Coexistence HKLM\SOFTW
System\App-V\Scripting HKLM\SOFTW
System\App-V\Publishing HKLM\SOFTW
System\App-V\Integration HKLM\SOFTWA
System\App-V\Integration HKLM\SOFTW
System\App-V\CEIP HKLM\SOFTW
System\App-V\Publishing HKLM\SOFTWA
System\App-V\Reporting HKLM\SOFTW
System\App-V\Streaming HKLM\SOFTWA
System\App-V\Virtualization HKLM\SOFTW
Windows Components\App Package Deployment HKLM\Softw
Windows Components\App runtime HKLM\Softw
Windows Components\App runtime HKLM\Softwa
Windows Components\App runtime HKCU\Softwa
Windows Components\App runtime HKLM\Softwa
Windows Components\App runtime HKCU\Softwa
Windows Components\Attachment Manager HKCU\Softwa
Windows Components\Attachment Manager HKCU\Softw
System\Audit Process Creation HKLM\Softw
Windows Components\AutoPlay Policies HKLM\Softw
Windows Components\AutoPlay Policies HKCU\Softw
Windows Components\Software Protection Platform HKLM\Softw
Windows Components\Software Protection Platform HKLM\Softwa
Windows Components\Biometrics HKLM\SOFTW
Windows Components\Biometrics\Facial Features HKLM\SOFTW
Network\Background Intelligent Transfer Service (BITS) HKLM\Softw
Network\Background Intelligent Transfer Service (BITS) HKLM\Softwa
Windows Components\Camera HKLM\softw
Windows Components\Windows Customer Experience ImprovHKLM\Softw
Windows Components\Windows Customer Experience ImprovHKLM\Softw
Network\SSL Configuration Settings HKLM\SOFTW
Network\SSL Configuration Settings HKLM\SOFTW
Windows Components\Cloud Content HKCU\Softw
Windows Components\Cloud Content HKLM\Softw
Windows Components\Cloud Content HKCU\Softw
Windows Components\Cloud Content HKLM\Softw
System HKCU\Softw
System HKLM\Softw
Windows Components\NetMeeting HKCU\Softwa
Windows Components\NetMeeting\Application Sharing HKCU\Softw
Windows Components\NetMeeting\Audio & Video HKCU\Softw
Windows Components\NetMeeting HKCU\Softw
Windows Components\NetMeeting\Audio & Video HKCU\Softwa
Windows Components\NetMeeting HKLM\Softw
Windows Components\NetMeeting\Options Page HKCU\Softw
Windows Components\NetMeeting\Application Sharing HKCU\Softwa
Control Panel HKCU\Softwa
Control Panel\Display HKCU\Softw
Control Panel\Personalization HKLM\Softw
Control Panel\Personalization HKCU\Softw
Control Panel\Personalization HKLM\Softwa
Control Panel\Personalization HKCU\Softwa
Control Panel\Display HKCU\Softw
Control Panel\Personalization HKCU\Softwa
Control Panel\User Accounts HKLM\Softwa
System\Logon HKLM\Softw
System\Credentials Delegation HKLM\Softwa
System\Credentials Delegation HKLM\Softw
System\Credentials Delegation HKLM\Softwa
Windows Components\Credential User Interface HKLM\Softw
Windows Components\Credential User Interface HKCU\Softw
System\Ctrl+Alt+Del Options HKCU\Softw
System\Ctrl+Alt+Del Options HKCU\Softwa
Windows Components\Data Collection and Preview Builds HKCU\Softwa
System\Distributed COM\Application Compatibility Settings HKLM\Softw
System\Distributed COM\Application Compatibility Settings HKLM\Softw
Windows Components\Delivery Optimization HKLM\SOFTW
Desktop\Desktop HKCU\Softw
Desktop HKCU\Softw
Desktop HKCU\Softw
Desktop\Active Directory HKCU\Softwa
Desktop HKCU\Softw
Desktop HKCU\Softwa
Desktop HKCU\Softw
Desktop HKCU\Softw
Desktop HKCU\Softw
Desktop HKCU\Softw
Desktop HKCU\Softw
Desktop HKCU\Softw
Desktop HKCU\Softw
Desktop HKCU\Softw
Desktop HKCU\Softwa
Desktop HKCU\Softw
Desktop HKCU\Softw
Desktop HKCU\Softw
Windows Components\Device and Driver Compatibility HKLM\System
Windows Components\Device and Driver Compatibility HKLM\System
Windows Components\Microsoft Secondary Authentication Fac HKLM\SOFTW
System\Device Guard HKLM\SOFTW
System\Device Guard HKLM\SOFTW
System\Device Installation\Device Installation Restrictions HKLM\Softwa
System\Driver Installation HKLM\Softwa
System\Device Installation HKLM\Softw
System\Driver Installation HKCU\Softwa
System\Device Installation HKLM\Softwa
System\Device Installation\Device Installation Restrictions HKLM\Softw
System\Device Redirection\Device Redirection Restrictions HKLM\Softwa
System\Device Redirection\Device Redirection Restrictions HKLM\Softwa
System\Driver Installation HKCU\Softw
System\Device Installation HKLM\SOFTW
System\Driver Installation HKCU\Softw
System\Driver Installation HKLM\Softw
Network HKLM\Softw
Windows Components\Digital Locker HKCU\SOFTW
Windows Components\Digital Locker HKLM\SOFTW
System\Troubleshooting and Diagnostics\Disk Diagnostic HKLM\SOFTW
System\Troubleshooting and Diagnostics\Disk Diagnostic HKLM\SOFTW
System\Disk NV Cache HKLM\Softw
System\Disk Quotas HKLM\Softw
System HKLM\Softw
Network\DNS Client HKLM\Softw
Network\DNS Client HKLM\Softwa
Windows Components\Desktop Window Manager\Window Fram
HKCU\SOFTW
HKLM\SOFTW
Windows Components\Desktop Window Manager HKCU\SOFTW
Windows Components\Desktop Window Manager HKLM\SOFTW
Windows Components\Desktop Window Manager HKCU\SOFTW
HKCU\SOFTW
HKLM\SOFTW
Windows Components\IME HKCU\softw
Windows Components\IME HKCU\softwa
Windows Components\IME HKCU\Softw
Windows Components\IME HKCU\Softw
System\Early Launch Antimalware HKLM\Syste
Windows Components\Edge UI HKLM\Softw
Windows Components\Edge UI HKCU\Softw
Windows Components\Edge UI HKLM\Softw
System HKLM\Softw
System\Enhanced Storage Access HKLM\Softw
Windows Components\Windows Error Reporting HKCU\SOFTW
Windows Components\Windows Error Reporting HKLM\SOFTW
Windows Components\Windows Error Reporting\Advanced Erro
HKLM\SOFTW
Windows Components\Windows Error Reporting\Consent HKCU\SOFTW
Windows Components\Windows Error Reporting\Consent HKLM\SOFTW
Windows Components\Windows Error Reporting HKLM\Softw
HKCU\SOFTW
HKLM\SOFTW
HKCU\SOFTW
HKLM\SOFTW
HKLM\Softwa
Windows Components\Windows Error Reporting HKLM\Softw
HKLM\Softwa
HKCU\Softw
HKLM\Softw
HKLM\Softwa
HKLM\Softwa
Windows Components\Event Forwarding HKLM\Softw
Windows Components\Event Forwarding HKLM\Softw
Windows Components\Event Log Service\Application HKLM\Softw
Windows Components\Event Log Service\Security HKLM\Softw
Windows Components\Event Log Service\Setup HKLM\Softw
Windows Components\Event Log Service\System HKLM\Softw
Windows Components\Event Log Service\Application HKLM\Syste
Windows Components\Event Log Service\Security HKLM\Syste
Windows Components\Event Log Service\Setup HKLM\Syste
Windows Components\Event Log Service\System HKLM\Syste
Windows Components\Event Log Service\Application HKLM\Softwa
Windows Components\Event Log Service\Application HKLM\Softwa
Windows Components\Event Log Service\Security HKLM\Softwa
Windows Components\Event Log Service\Setup HKLM\Softwa
Windows Components\Event Logging HKLM\Softw
Windows Components\Event Viewer HKLM\Softwa
Windows Components\Event Viewer HKLM\Softw
Windows Components\Event Viewer HKLM\Softwa
Windows Components\File Explorer HKCU\Softw
Windows Components\File Explorer HKLM\Softwa
Windows Components\File Explorer HKCU\Softwa
Windows Components\File Explorer HKLM\Softw
Windows Components\Portable Operating System HKLM\Syste
Windows Components\Portable Operating System HKLM\Syste
Windows Components\Portable Operating System HKLM\Softw
Windows Components\File History HKLM\Softwa
System\Troubleshooting and Diagnostics\Corrupted File Reco HKLM\SOFTW
Windows Components\File Revocation HKCU\Softw
System\File Share Shadow Copy Provider HKLM\Softwa
System\Filesystem HKLM\System
System\Filesystem\NTFS HKLM\Syste
System\Filesystem\NTFS HKLM\System
System\Filesystem HKLM\Syste
System\Filesystem HKLM\Softw
System\Folder Redirection HKCU\Softw
System\Folder Redirection HKLM\Softw
System\Folder Redirection HKLM\Softw
Windows Components\File Explorer\Explorer Frame Pane HKCU\Softw
Windows Components\File Explorer\Explorer Frame Pane HKCU\Softw
System\Troubleshooting and Diagnostics\Fault Tolerant Heap HKLM\SOFTW
Windows Components\Game Explorer HKLM\Softw
Control Panel\Regional and Language Options HKLM\Softwa
System HKCU\Softwa
System\Locale Services HKCU\Softwa
System\Locale Services HKLM\Softwa
Control Panel\Regional and Language Options HKCU\Softwa
Control Panel\Regional and Language Options\Handwriting peHKCU\SOFTWA
Control Panel\Regional and Language Options\Handwriting peHKLM\SOFTWA
System\Group Policy HKLM\Softw
System\Group Policy HKCU\Softwa
System\Group Policy HKCU\Softw
Network\Fonts HKLM\Softw
System\Group Policy HKCU\Softwa
System\Mitigation Options HKLM\SOFTW
System\Mitigation Options HKCU\SOFTW
System\Mitigation Options HKLM\SOFTW
System\Group Policy\Logging and tracing HKLM\Softw
Windows Components\Microsoft Management Console\Restricted
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
System HKLM\Softw
System HKCU\Softw
System HKLM\Softw
System HKLM\Softw
Windows Components\Online Assistance HKLM\Softwa
System\Internet Communication Management\Internet CommuHKCU\Softwa
Network\Hotspot Authentication HKLM\Softw
System\Internet Communication Management HKCU\Softw
System\Internet Communication Management HKLM\Softw
System\Internet Communication Management\Internet CommuHKLM\Softw
System\Internet Communication Management\Internet CommuHKCU\Softw
System\Internet Communication Management\Internet Commu HKLM\Softw
System\Internet Communication Management\Internet Commu HKCU\Softw
System\Internet Communication Management\Internet Commu HKCU\Softwa
System\Internet Communication Management\Internet Commu HKLM\Softwa
Windows Components\Internet Information Services HKLM\Softwa
Windows Components\Internet Explorer\Internet Control PanelHKLM\Softwa
Windows Components\Internet Explorer\Internet Control PanelHKCU\Softwa
Windows Components\Internet Explorer\Internet Control PaneHKLM\Softwa
Windows Components\Internet Explorer\Internet Control PaneHKCU\Softwa
Windows Components\Internet Explorer\Internet Control PaneHKLM\Softw
Windows Components\Internet Explorer\Internet Control PaneHKCU\Softw
Windows Components\Internet Explorer\Internet Control Pan HKLM\Softw
Windows Components\Internet Explorer\Internet Control Pan HKCU\Softw
Windows Components\Internet Explorer HKLM\Softwa
Windows Components\Internet Explorer HKCU\Softwa
Windows Components\Internet Explorer\Accelerators HKCU\Softwa
Windows Components\Internet Explorer\Accelerators HKLM\Softwa
Windows Components\Internet Explorer\Security Features\A HKLM\Softwa
Windows Components\Internet Explorer\Security Features\A HKCU\Softwa
Windows Components\Internet Explorer\Security Features\Bina
HKLM\Softwa
HKCU\Softwa
Windows Components\Internet Explorer\Security Features\A HKLM\Softw
Windows Components\Internet Explorer\Security Features\A HKCU\Softw
HKLM\Softw
HKCU\Softw
Windows Components\Internet Explorer\Security Features\CoHKLM\Softw
Windows Components\Internet Explorer\Security Features\CoHKCU\Softw
Windows Components\Internet Explorer\Security Features\Lo HKLM\Softw
Windows Components\Internet Explorer\Security Features\Lo HKCU\Softw
Windows Components\Internet Explorer\Security Features\MimHKLM\Softw
Windows Components\Internet Explorer\Security Features\MimHKCU\Softw
Windows Components\Internet Explorer\Security Features\MKHKLM\Softw
P
Windows Components\Internet Explorer\Security Features\MKHKCU\Softw
P
Windows Components\Internet Explorer\Security Features\NeHKLM\Softw
Windows Components\Internet Explorer\Security Features\NeHKCU\Softw
Windows Components\Internet Explorer\Security Features\Noti
HKLM\Softw
HKCU\Softw
Windows Components\Internet Explorer\Security Features\ObjHKLM\Softw
Windows Components\Internet Explorer\Security Features\ObjHKCU\Softw
Windows Components\Internet Explorer\Security Features\ProHKLM\Softw
Windows Components\Internet Explorer\Security Features\ProHKCU\Softw
Windows Components\Internet Explorer\Security Features\Restr
HKLM\Softw
HKCU\Softw
Windows Components\Internet Explorer\Security Features\Rest
HKLM\Softw
Windows Components\Internet Explorer\Security Features\Rest
HKCU\Softw
Windows Components\Internet Explorer\Security Features\ScriHKLM\Softw
Windows Components\Internet Explorer\Security Features\ScriHKCU\Softw
Windows Components\Internet Explorer\Delete Browsing HistHKLM\Softwa
Windows Components\Internet Explorer\Delete Browsing HistHKCU\Softwa
Windows Components\Internet Explorer\Security Features HKLM\Softwa
Windows Components\Internet Explorer HKLM\Softw
Windows Components\Internet Explorer HKCU\Softw
Windows Components\Internet Explorer\Internet Settings\AdvHKLM\Softwa
Windows Components\Internet Explorer\Internet Settings\AdvHKCU\Softwa
Windows Components\Internet Explorer\Internet Control PaneHKLM\SOFTW
Windows Components\Internet Explorer\Internet Control PaneHKCU\SOFTW
Internet Control Panel\Advanced Page HKLM\SOFTW
Internet Control Panel\Advanced Page HKCU\SOFTW
Windows Components\Internet Explorer\Security Features\AJ HKLM\Softwa
Windows Components\Internet Explorer\Security Features\AJ HKCU\Softwa
Windows Components\Internet Explorer\Administrator ApprovHKCU\Softw
Windows Components\Internet Explorer\Internet Explorer\Appl
HKLM\Softwa
HKCU\Softwa
HKLM\Softwa
HKCU\Softwa
Windows Components\Internet Explorer\Security Features\AJ HKLM\Softw
Windows Components\Internet Explorer\Security Features\AJ HKCU\Softw
Windows Components\Internet Explorer\Toolbars HKCU\Softwa
Windows Components\Internet Explorer\Toolbars HKLM\Softw
Windows Components\Internet Explorer\Toolbars HKCU\Softw
HKLM\Softwa
HKCU\Softwa
Windows Components\Internet Explorer\Offline Pages HKCU\Softwa
Windows Components\Internet Explorer\Browser menus HKCU\Softw
Windows Components\Internet Explorer\Browser menus HKCU\Softwa
Windows Components\Internet Explorer\Security Features HKCU\Softwa
Windows Components\Internet Explorer\Privacy HKLM\Softwa
Windows Components\Internet Explorer\Privacy HKCU\Softwa
Windows Components\Internet Explorer\Persistence BehaviorHKCU\Softwa
Windows Components\Internet Settings\Advanced settings\B HKLM\Softwa
Windows Components\Internet Settings\Advanced settings\B HKCU\Softwa
Windows Components\Internet Explorer\Toolbars HKLM\Softwa
Windows Components\Internet Explorer\Compatibility View HKLM\Softw
Windows Components\Internet Explorer\Compatibility View HKCU\Softw
HKLM\Softw
Windows Components\Internet Explorer\Security Features\BinaHKCU\Softw
Windows Components\Internet Explorer\Security Features\BinaHKLM\Softw
Windows Components\Internet Explorer\Security Features\BinaHKCU\Softwa
Windows Components\Internet Explorer\Security Features\Mim HKLM\Softwa
Windows Components\Internet Explorer\Security Features\Mim HKCU\Softwa
P
P
Windows Components\Internet Explorer\Security Features\NotiHKLM\Softw
Windows Components\Internet Explorer\Security Features\NotiHKCU\Softw
HKLM\Softw
HKCU\Softw
Windows Components\Internet Explorer\Security Features\RestHKLM\Softw
Windows Components\Internet Explorer\Security Features\RestHKCU\Softw
Windows Components\Internet Explorer\Security Features\NetHKLM\SOFTWA
Windows Components\Internet Explorer\Security Features\NetHKCU\SOFTWA
Windows Components\Internet Explorer\Internet Explorer\InteHKLM\Softwa
Windows Components\Internet Explorer\Internet Explorer\InteHKCU\Softwa
Windows Components\Internet Explorer\Internet Explorer\InteHKLM\Softw
Windows Components\Internet Explorer\Internet Explorer\InteHKCU\Softw
Windows Components\Internet Explorer\Internet Settings HKLM\Softwa
Windows Components\Internet Explorer\Internet Settings HKCU\Softwa
Windows Components\RSS Feeds HKLM\Softwa
Windows Components\RSS Feeds HKCU\Softwa
Windows Components\Internet Explorer\Internet Settings\Comp
HKLM\Softw
Windows Components\Internet Explorer\Internet Settings\Disp
HKCU\Softwa
Windows Components\Internet Settings\Display settings\GeneHKCU\Softwa
Windows Components\Internet Settings\Component Updates\H HKLM\Softw
Windows Components\Internet Explorer\Corporate Settings\ HKLM\Softw
Windows Components\Internet Explorer\Internet Settings\Displ
HKCU\Softwa
HKCU\Softwa
HKCU\Softwa
Windows Components\Internet Explorer\Internet Settings\Comp
HKLM\Softwa
Windows Components\RSS Feeds HKLM\Softw
Windows Components\RSS Feeds HKCU\Softw
HKLM\Softw
HKCU\Softw
Windows Components\Internet Explorer\Security Features\MimHKLM\Softw
Windows Components\Internet Explorer\Security Features\MimHKCU\Softw
P
P
HKLM\Softw
HKCU\Softw
HKLM\Softw
HKCU\Softw
Windows Components\Internet Explorer\Security Features\RestHKLM\Softw
Windows Components\Internet Explorer\Security Features\RestHKCU\Softw
Windows Components\Internet Explorer\Internet Settings HKLM\Softwa
Windows Components\Internet Explorer\Internet Settings HKCU\Softwa
Windows Components\Internet Settings\Advanced settings\IntHKCU\Softwa
Windows Components\Internet Explorer\Compatibility View HKLM\Softwa
Windows Components\Internet Explorer\Compatibility View HKCU\Softwa
Windows Components\Internet Explorer\Compatibility View HKLM\Softw
Windows Components\Internet Explorer\Compatibility View HKCU\Softw
Windows Components\Internet Explorer\Security Features HKCU\Softwa
Windows Components\Internet Explorer\Internet Settings\Au HKCU\SOFTW
Windows Components\Internet Settings\Advanced settings\B HKLM\Softw
Windows Components\Internet Settings\Advanced settings\B HKCU\Softw
Windows Components\Internet Explorer\Browser menus HKLM\Softwa
Windows Components\Internet Explorer\Internet Settings\UR HKCU\Softwa
Windows Components\Internet Explorer\Internet Control Pan HKLM\Softwa
Windows Components\Internet Explorer\Internet Control Pan HKCU\Softwa
Windows Components\Internet Explorer\Internet Settings\AdvHKCU\SOFTW
Windows Components\Internet Explorer\Browser menus HKLM\Softwa
Windows Components\Internet Explorer\Internet Settings\Au HKLM\Softwa
Windows Components\Internet Explorer\Internet Settings\Au HKCU\Softwa
Windows Components\Internet Explorer\Internet Settings\Au HKLM\Softw
Windows Components\Internet Explorer\Internet Settings\Au HKCU\Softw
Windows Components\Internet Explorer\Internet Settings\AdvHKCU\Softw
Windows Components\Internet Explorer\Internet Settings\Au HKCU\SOFTW
Windows Components\Internet Explorer\Internet Settings\AdvaHKCU\Softwa
HKCU\Softwa
System\iSCSI\iSCSI Target Discovery HKLM\Softwa
System\iSCSI\General iSCSI HKLM\Softwa
System\iSCSI\iSCSI Security HKLM\Softw
System\iSCSI\General iSCSI HKLM\Softw
System\iSCSI\iSCSI Security HKLM\Softwa
System\iSCSI\iSCSI Target Discovery HKLM\Softw
System\KDC HKLM\Softw
System\Kerberos HKLM\Softw
System\Kerberos HKLM\Syste
Network\Lanman Server HKLM\Softw
Network\Lanman Workstation HKLM\Softw
System\Troubleshooting and Diagnostics\Windows Memory LeHKLM\SOFTW
Network\Link-Layer Topology Discovery HKLM\Softw
Network\Link-Layer Topology Discovery HKLM\Softw
Windows Components\Location and Sensors\Windows LocationHKLM\Softw
System HKLM\Softw
System HKCU\Softw
System\Logon HKCU\Softw
System\Logon HKCU\Softw
System HKLM\Softw
System\Logon HKCU\Softwa
System\Logon HKLM\Softwa
Windows Components\MDM HKLM\Softw
Windows Components\Microsoft Edge HKLM\Softwa
Windows Components\Microsoft Edge HKCU\Softwa
Windows Components\Microsoft Edge HKLM\Softw
Windows Components\Microsoft Edge HKCU\Softw
Windows Components\Microsoft Management Console\Restrict
HKCU\Softw
Windows Components\Microsoft Management Console\Restricte
HKCU\Softw
HKCU\Softw
Windows Components\Microsoft Management Console HKCU\Softw
Windows Components\Microsoft Management Console HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
HKCU\Softw
Windows Components\Microsoft Management Console\Restricted HKCU\Softw
Windows Components\Microsoft Management Console\Restrict HKCU\Softw
Windows Components\Microsoft Management Console\Restricte HKCU\Softw
Windows Components\Windows Mobility Center HKCU\Softwa
Windows Components\Windows Mobility Center HKLM\Softwa
Windows Components\Presentation Settings HKCU\Softwa
Windows Components\Presentation Settings HKLM\Softwa
Windows Components\Maintenance Scheduler HKLM\Softw
System\Troubleshooting and Diagnostics\Microsoft Support DiHKLM\SOFTW
Windows Components\Windows Installer HKLM\Softwa
Windows Components\Windows Installer HKLM\Softw
Windows Components\Windows Installer HKCU\Softwa
System\Troubleshooting and Diagnostics\MSI Corrupted File HKLM\SOFTW
Network\DirectAccess Client Experience Settings HKLM\SOFTW
Network\Network Connectivity Status Indicator HKLM\Softw
Network\Network Connectivity Status Indicator HKLM\Softwa
Network\Network Connectivity Status Indicator HKLM\Softwa
System\Net Logon HKLM\Softw
System\Net Logon\DC Locator DNS Records HKLM\Softw
System\Net Logon\DC Locator DNS Records HKLM\Softwa
System\Net Logon HKLM\Softwa
Network\Network Connections HKCU\Softw
Network\Network Connections HKLM\Softw
Network\Network Connections HKLM\Softwa
Network\Network Isolation HKLM\SOFTW
Network\Network Provider HKLM\Softw
Network\Offline Files HKCU\Softw
Network\Offline Files HKLM\Softw
Network\Microsoft Peer-to-Peer Networking Services HKLM\Softw
Network\Microsoft Peer-to-Peer Networking Services\Peer Nam
HKLM\Softwa
HKLM\Softwa
HKLM\Softwa
HKLM\Softwa
HKLM\Softwa
HKLM\Softwa
Network\Microsoft Peer-to-Peer Networking Services HKLM\Softwa
HKLM\Softwa
HKLM\Softwa
HKLM\Softwa
HKLM\Softwa
HKLM\Softwa
HKLM\Softwa
Windows Components\Microsoft Passport for Work\PIN Comple HKLM\SOFTW
Windows Components\Microsoft Passport for Work\PIN Comple HKCU\SOFTW
Windows Components\Microsoft Passport for Work HKLM\SOFTW
Windows Components\Microsoft Passport for Work\Remote PaHKLM\SOFTW
System\Troubleshooting and Diagnostics\Application Compatib
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\Softw
HKLM\SOFTW
Network\BranchCache HKLM\Softw
Network\BranchCache HKLM\SOFTW
Windows Components\Tablet PC\Tablet PC Pen Training HKCU\SOFTW
Windows Components\Tablet PC\Tablet PC Pen Training HKLM\SOFTW
System\Troubleshooting and Diagnostics\Windows Boot PerfoHKLM\SOFTW
System\Troubleshooting and Diagnostics\Windows Shutdown HKLM\SOFTW
System\Troubleshooting and Diagnostics\Windows Standby/RHKLM\SOFTW
System\Troubleshooting and Diagnostics\Windows System ReHKLM\SOFTW
System\Troubleshooting and Diagnostics\Windows PerformancHKLM\SOFTW
System\Power Management\Sleep Settings HKLM\Softw
System\Power Management\Notification Settings HKLM\Softw
System HKLM\Softw
System\Power Management\Energy Saver Settings HKLM\Softw
System\Power Management\Energy Saver Settings HKLM\Softw
System\Power Management HKCU\Softw
System\Power Management\Video and Display Settings HKLM\Softw
System\Power Management HKLM\Softw
System\Power Management\Button Settings HKLM\Softw
System\Power Management HKLM\Softw
System\Power Management\Hard Disk Settings HKLM\Softw
System\Power Management\Hard Disk Settings HKLM\Softw
Windows Components\Windows PowerShell HKLM\Softw
Windows Components\Windows PowerShell HKCU\Softw
Windows Components\Windows PowerShell HKLM\Softwa
Windows Components\Windows PowerShell HKCU\Softwa
Windows Components\Windows PowerShell HKLM\Softwa
Windows Components\Windows PowerShell HKCU\Softwa
Windows Components\File Explorer\Previous Versions HKCU\Softwa
Windows Components\File Explorer\Previous Versions HKLM\Softwa
Windows Components\File Explorer\Previous Versions HKCU\Softw
Windows Components\File Explorer\Previous Versions HKLM\Softw
Windows Components\File Explorer\Previous Versions HKCU\Softw
Windows Components\File Explorer\Previous Versions HKLM\Softw
Printers HKLM\Softwa
Printers HKLM\Softw
Printers HKLM\Softw
Printers HKLM\Softw
Control Panel\Printers HKCU\Softwa
Control Panel\Printers HKCU\Softw
Printers HKLM\Softw
Printers HKLM\Softw
Printers HKLM\Softw
Printers HKLM\Softw
Printers HKLM\Softw
Printers HKLM\Softw
Control Panel\Programs HKCU\Softw
Network\QoS Packet Scheduler\DSCP value of conforming pacHKLM\Softw
Network\QoS Packet Scheduler\DSCP value of non-conformingHKLM\Softw
Network\QoS Packet Scheduler\Layer-2 priority value HKLM\Softw
Network\QoS Packet Scheduler HKLM\Softw
Windows Components\Windows Reliability Analysis HKLM\SOFTW
System\Troubleshooting and Diagnostics\Windows Resource EHKLM\SOFTW
System\Recovery HKLM\SOFTW
System HKLM\Softwa
System HKLM\Softw
System HKLM\Softwa
Windows Components\Windows Error Reporting\Advanced Erro HKLM\Softwa
System\Remote Assistance HKLM\Softw
System\Remote Assistance HKLM\Softwa
System\Remote Assistance HKLM\Softwa
System\Removable Storage Access HKCU\Softw
System\Removable Storage Access HKLM\Softw
System\Remote Procedure Call HKLM\Softw
System\Remote Procedure Call HKLM\Softwa
System\Scripts HKLM\Softw
System\Scripts HKCU\Softw
System\Troubleshooting and Diagnostics\Scripted DiagnosticsHKLM\SOFTW
System\Troubleshooting and Diagnostics\Scheduled Mainten HKLM\SOFTW
Windows Components\Search HKLM\SOFTW
Windows Components\Search HKCU\SOFTW
Windows Components\Security Center HKLM\Softw
Windows Components\Location and Sensors HKCU\Softw
Windows Components\Location and Sensors HKLM\Softw
System\Server Manager HKLM\Softw
System HKLM\Softw
System HKLM\Softw
Windows Components\Sync your settings HKLM\Softw
Windows Components\Sync your settings HKLM\Softwa
System HKLM\Softw
System HKLM\Softw
System\Internet Communication Management\Internet Commu
HKLM\Softw
System\Internet Communication Management\Internet Commu
HKCU\Softw
Shared Folders HKCU\Softw
Shared Folders HKCU\Softw
Windows Components\HomeGroup HKLM\Softw
Windows Components\Network Sharing HKCU\Softwa
System HKCU\Softwa
System HKCU\Softwa
System HKCU\Softw
System HKCU\Softwa
Windows Components\Desktop Gadgets HKCU\Softw
Windows Components\Desktop Gadgets HKLM\Softw
Windows Components\OneDrive HKLM\Softw
Windows Components\Smart Card HKLM\SOFTW
Network\SNMP HKLM\Softw
Windows Components\Sound Recorder HKCU\SOFTW
Windows Components\Sound Recorder HKLM\SOFTW
System\Access-Denied Assistance HKLM\SOFTW
System\Access-Denied Assistance HKLM\SOFTW
System\File Classification Infrastructure HKLM\SOFTW
System\File Classification Infrastructure HKLM\SOFTWA
Start Menu and Taskbar HKCU\Softw
Start Menu and Taskbar HKCU\Softwa
Start Menu and Taskbar HKLM\Softw
Start Menu and Taskbar HKLM\Softwa
System\System Restore HKLM\Softw
System\System Restore HKLM\Softw
Windows Components\Tablet PC\Input Panel HKCU\softwa
Windows Components\Tablet PC\Input Panel HKLM\softwa
Windows Components\Tablet PC\Accessories HKCU\SOFTW
Windows Components\Tablet PC\Accessories HKLM\SOFTW
Windows Components\Tablet PC\Hardware Buttons HKCU\SOFTW
Windows Components\Tablet PC\Hardware Buttons HKLM\SOFTW
Windows Components\Tablet PC\Pen UX Behaviors HKCU\SOFTW
Windows Components\Tablet PC\Pen UX Behaviors HKLM\SOFTW
Windows Components\Tablet PC\Pen Flicks Learning HKCU\SOFTW
Windows Components\Tablet PC\Pen Flicks Learning HKLM\SOFTW
Windows Components\Tablet PC\Cursors HKCU\SOFTW
Windows Components\Tablet PC\Cursors HKLM\SOFTW
Windows Components\Task Scheduler HKCU\Softw
Windows Components\Task Scheduler HKLM\Softw
Windows Components\Task Scheduler HKCU\Softwa
Windows Components\Task Scheduler HKLM\Softwa
Windows Components\Task Scheduler HKCU\Softwa
Windows Components\Task Scheduler HKLM\Softwa
Network\TCPIP Settings\IPv6 Transition Technologies HKLM\Softw
Network\TCPIP Settings\IPv6 Transition Technologies HKLM\Softwa
Network\TCPIP Settings\Parameters HKLM\Syste
Network\TCPIP Settings\Parameters HKLM\Syste
Windows Components\Remote Desktop Services\Remote Deskt
HKCU\SOFTW
HKLM\SOFTW
HKCU\SOFTW
HKLM\SOFTW
Windows Components\Remote Desktop Services\Remote Deskto
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
Windows Components\Remote Desktop Services\Remote Desk
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKCU\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
Windows Components\Remote Desktop Services\Remote DesktHKLM\SOFTW
Windows Components\Remote Desktop Services\RD GatewayHKCU\SOFTW
Windows Components\Remote Desktop Services\Remote DesktHKCU\SOFTW
Windows Components\Remote Desktop Services\RD Licensin HKLM\Softwa
HKLM\SOFTW
HKLM\SOFTW
Windows Components\Remote Desktop Services\Remote DesktHKLM\Softw
Windows Components\Remote Desktop Services\RD Licensin HKLM\Softw
HKLM\SOFTW
HKLM\SOFTW
Windows Components\Remote Desktop Services\RemoteApp H a KCU\SOFTW
HKLM\SOFTWA
HKLM\SOFTW
HKCU\SOFTW
HKCU\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKCU\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKCU\SOFTW
HKCU\SOFTW
HKCU\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKCU\SOFTW
HKCU\SOFTW
HKLM\SOFTW
HKCU\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
Windows Components\Tablet PC\Touch Input HKCU\SOFTW
Windows Components\Tablet PC\Touch Input HKLM\SOFTW
Windows Components\Tablet PC\Touch Input HKCU\SOFTW
Windows Components\Tablet PC\Touch Input HKLM\SOFTW
System\Trusted Platform Module Services HKLM\Softw
System\Trusted Platform Module Services HKLM\SOFTW
System\Trusted Platform Module Services HKLM\Softwa
Windows Components\Microsoft User Experience VirtualizatioHKLM\Softw
Windows Components\Microsoft User Experience VirtualizatioHKCU\Softw
Windows Components\Microsoft User Experience VirtualizatioHKLM\Softwa
Windows Components\Microsoft User Experience VirtualizatioHKCU\Softwa
Windows Components\Microsoft User Experience Virtualizati HKLM\Softw
Windows Components\Microsoft User Experience Virtualizati HKCU\Softw
System\User Profiles HKLM\Softw
System\User Profiles HKCU\Softw
System\User Profiles HKLM\Softwa
System\User Profiles HKCU\Softwa
Windows Components\BitLocker Drive Encryption\Fixed Data HKLM\Softw
Windows Components\BitLocker Drive Encryption\RemovableHKLM\Softw
Windows Components\BitLocker Drive Encryption\Operating HKLM\Softw
Windows Components\BitLocker Drive Encryption\Operating HKLM\SOFTW
Windows Components\BitLocker Drive Encryption\Operating HKLM\Softwa
Windows Components\BitLocker Drive Encryption HKLM\SOFTW
Windows Components\BitLocker Drive Encryption\Fixed Data HKLM\SOFTW
Windows Components\BitLocker Drive Encryption\RemovableHKLM\SOFTW
Windows Components\BitLocker Drive Encryption\Fixed Data HKLM\Syste
Windows Components\BitLocker Drive Encryption\RemovableHKLM\Syste
Windows Components\BitLocker Drive Encryption HKLM\Softw
Windows Components\BitLocker Drive Encryption HKLM\Softwa
Windows Components\BitLocker Drive Encryption\Operating HKLM\Softwa
System\Windows Time Service\Time Providers HKLM\Softw
System\Windows Time Service HKLM\Softw
Network\Windows Connection Manager HKLM\Softw
System\Troubleshooting and Diagnostics HKLM\SOFTW
System\Troubleshooting and Diagnostics HKLM\SOFTW
Windows Components\Windows Calendar HKCU\Softw
Windows Components\Windows Calendar HKLM\Softw
Windows Components\Add features to Windows 10 HKLM\Softw
Windows Components\Add features to Windows 10 HKCU\Softw
Server HKLM\Softw
Server HKLM\Softw
Server HKLM\Softw
Server HKLM\Softw
Server HKLM\Softw
Windows Components\Windows Color System HKCU\Softwa
Windows Components\Windows Color System HKLM\Softwa
Network\Windows Connect Now HKLM\Softw
Network\Windows Connect Now HKCU\Softw
Network\Windows Connect Now HKLM\Softw
Windows Components\Windows Defender HKLM\Softw
Windows Components\Windows Defender\Signature Updates HKLM\Softw
Windows Components\Windows Defender\Signature Updates HKLM\Softwa
Windows Components\Windows Defender\Scan HKLM\Softw
Windows Components\Windows Defender\Real-time ProtectioHKLM\Softw
Windows Components\Windows Defender\MAPS HKLM\Softw
Windows Components\Windows Defender\Real-time ProtectioHKLM\Softwa
Windows Components\Windows Defender\Quarantine HKLM\Softw
Windows Components\Windows Defender\Remediation HKLM\Softw
Windows Components\Windows Defender\Quarantine HKLM\Softw
Windows Components\Windows Defender\Reporting HKLM\Softwa
Windows Components\Windows Defender\Reporting HKLM\Softw
Windows Components\Windows Defender\Client Interface HKLM\Softw
Windows Components\Windows Defender\Exclusions HKLM\Softw
Windows Components\Windows Defender\Exclusions HKLM\Softwa
Windows Components\Windows Defender\Network InspectionHKLM\Softwa
Windows Components\Windows Defender\Threats HKLM\Softwa
Windows Components\Windows Defender\Threats HKLM\Softwa
Windows Components\Windows Defender\Client Interface HKLM\Softwa
Windows Components\Windows Defender\Network InspectionHKLM\Softw
Windows Components\Windows Defender\Network InspectionHKLM\Softw
Windows Components\File Explorer\Common Open File DialogHKCU\Softw
System\Windows File Protection HKLM\Softw
System\Windows File Protection HKLM\Softwa
System\Windows File Protection HKLM\Softwa
System\Windows File Protection HKLM\Softw
Network\Network Connections\Windows Firewall HKLM\SOFTW
Network\Network Connections\Windows Firewall\Domain ProfiHKLM\SOFTW
Network\Network Connections\Windows Firewall\Standard Prof
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTW
HKLM\SOFTWA
HKLM\SOFTW
HKLM\SOFTWA
HKLM\SOFTW
HKLM\SOFTW
Windows Components\Windows Ink Workspace HKLM\Softw
Windows Components\Windows Ink Workspace HKLM\Softw
Windows Components\Windows Mail HKCU\SOFTW
Windows Components\Windows Mail HKLM\SOFTW
Windows Components\Windows Mail HKCU\SOFTW
Windows Components\Windows Mail HKLM\SOFTW
Windows Components\Windows Media Digital Rights Manage HKLM\Softw
Windows Components\Windows Media Player\Playback HKCU\Softw
Windows Components\Windows Media Player\Networking HKCU\Softw
Windows Components\Windows Media Player\User Interface HKCU\Softw
Windows Components\Windows Media Player HKLM\Softw
Windows Components\Windows Media Player HKCU\Softw
Windows Components\Windows Media Player\Playback HKCU\Softw
Windows Components\Windows Messenger HKLM\Softwa
Windows Components\Windows Messenger HKCU\Softwa
Windows Components\Windows Messenger HKLM\Softw
Windows Components\Windows Messenger HKCU\Softw
Windows Components\Windows Remote Management (WinRM) HKLM\Softw
Windows Components\Windows Remote Management (WinRM) HKLM\Softwa
Windows Components\Windows Remote Shell HKLM\Softw
Windows Components\Store HKLM\Softw
Windows Components\Store HKCU\Softw
Windows Components\Windows Update HKLM\Softw
Windows Components\Windows Update HKCU\Softw
Windows Components\Windows Update\Defer Windows UpdatHKLM\Softw
Windows Components\Windows Update\Defer Windows UpdatHKLM\Softw
System HKCU\Softw
System\Shutdown HKLM\Softw
Windows Components\Shutdown Options HKLM\Softw
Windows Components\Shutdown Options HKLM\Softw
System HKCU\Softw
Windows Components\Windows Logon Options HKLM\Softw
Windows Components\Windows Logon Options HKCU\Softw
Windows Components\Maps HKLM\Softw
Windows Components\Maps HKLM\Softw
System\Shutdown Options HKLM\Softw
Windows Components\Connect HKLM\Softw
Windows Components\Connect HKLM\Softw
Network\WLAN Service\WLAN Settings HKLM\Softw
Network\Wireless Display HKLM\SOFTW
Network\Wireless Display HKLM\SOFTW
Network\WLAN Service\WLAN Media Cost HKLM\Softw
Windows Components\Instant Search HKCU\Softw
Windows Components\Work Folders HKLM\Softw
Windows Components\Work Folders HKCU\Softw
Windows Components\Device Registration HKLM\Softw
Start Menu and Taskbar\Notifications HKCU\SOFTW
Start Menu and Taskbar\Notifications HKCU\SOFTWA
Network\WWAN Service\WWAN Media Cost HKLM\Softw
Network\WWAN Service\WWAN Media Cost HKLM\Softw
Supported On
At least Windows Vista
Windows Server 2003, Windows XP, and Wind
At least Windows Server 2016, Windows 10
At least Windows Server 2003
At least Windows Server 2008 R2 or Windows
At least Windows Server 2016 or Windows 10
At least Windows Server 2012, Windows 8 or
At least Windows 8.1 Update 2
At least Windows 8.1 Update 2
At least Windows Server 2012 R2, Windows 8.
At least Windows XP Professional with SP2
At least Windows 2000
At least Windows 10 Server or Windows 10
Windows 7 or computers with BITS 3.5 install
Windows XP SP2 or Windows Server 2003 SP1,
Windows 8 or Windows Server 2012 or Windows
Windows XP or Windows Server 2003, or comput
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
at least Windows NetMeeting v3.0
At least Windows Server 2003 operating syst
At least Windows 2000 Service Pack 1
Windows Server 2012 R2, Windows 8.1 or Win
Windows Server 2008, Windows Server 2003,
Windows Server 2012, Windows 8, Windows RT
At least Windows Server 2012, Windows 8 or W
At least Windows Server 2012, Windows 8 or W
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
Windows 2000 only
Windows Server 2003 and Windows XP only
Windows Server 2008, Windows 7, and Windo
Windows Server 2008 with Desktop Experience
Windows Server 2008 with Desktop Experience
Windows XP Professional only
Windows Server 2012 R2, Windows 8.1, Windo
At least Internet Explorer 6 Service Pack 1
Windows Server 2003 only
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows 2003 S
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 11.0 on Windows 8.
At least Internet Explorer 11.0 on Windows 8.
Only Internet Explorer 11.0 on Windows 8.1
Only Internet Explorer 11.0 on Windows 8.1
At least Internet Explorer 6.0 in Windows 200
Only Internet Explorer 6.0
Only Internet Explorer 5.0 and Internet Explor
At least Internet Explorer 5.0. Not supported
Only Internet Explorer 5.0 through Internet Ex
At least Internet Explorer 10.0 on Windows 8
Only Internet Explorer 9.0 through 11.0. Not
Only Internet Explorer 9.0 through 11.0. Not
Internet Explorer 8.0 to Internet Explorer 10.0
At least Internet Explorer 7.0 in Windows Vist
Windows Server 2012, Windows 8, Windows RT
Windows Server 2003 and versions of Window
Windows Server 2008 R2 and Windows 7
Windows 2000 only
Windows 2000 only
Windows operating systems from Windows Vi
At least Windows 10
Microsoft Edge on Windows 10, Version 1511 o
Microsoft Edge on Windows 10 or later
At least Windows Server 2003 R2
Windows Installer v3.0
Microsoft Windows XP or Windows 2000 with W
Microsoft Windows Server 2003, Windows XP,
Microsoft Windows XP Professional with SP2
At least Windows Server 2003 operating syste
At least Windows 7 or Windows Server 2008
Windows Vista only
Windows Vista only
Windows Vista only
Windows Vista only
At least Microsoft Windows 7 or Windows Serv
Supported Windows Vista through Windows 7
Windows 2000 only
Windows Server 2008 and Windows Vista
Supported Windows XP SP1 through Windows
Windows Vista only
Microsoft Windows XP, or Windows Server 200
Microsoft Windows Vista, or any version of W
Microsoft Windows 8 or later
Microsoft Windows XP, Windows Server 2003 w
Any version of Microsoft Windows with Window
Microsoft Windows 8.1 or later
Microsoft Windows 8.1 or later
Microsoft Windows 8.1. Not supported on Wind
Any version of Microsoft Windows with Windo
Microsoft Windows Vista or later
Microsoft Windows 8 or later
Windows Server 2008 and Windows Server 20
Windows Vista only
At least Windows Vista Service Pack 1
Windows Server 2008, Windows 7, Windows V
At least Windows 2000 through Windows 8.1
Windows Server 2012 R2, Windows 8.1, Wind
Windows Server 2012 R2, Windows 8.1, Wind
Windows Vista only
Windows Vista only
Windows Vista only
Windows Vista only
Windows Vista only
Windows Vista only
Windows Vista only
At least Windows Vista Service Pack 1
At least Windows Vista with Service Pack 1
At least Windows 7 with Service Pack 1 or Wi
At least Windows Server 2003 with Service Pa
At least Windows Server 2003, Enterprise Edi
Windows 7 or Windows Server 2008 R2 (and th
At least Windows XP and Windows Server 200
At least Windows 2000 Terminal Services
At least Windows 2000 Terminal Services
Windows Server 2008 R2, Windows Server 20
Windows Server 2008 R2, Windows Server 20
Windows Server 2003 with Service Pack 1 onl
At least Windows 8 Enterprise or Windows Se
At least Windows 8 or Windows RT
Windows Server 2008 R2 only
MicrosoftWindowsVista_SP1
Windows Vista only
Windows Vista only
At least Windows 10 Redstone
At least Windows 10 Redstone
Windows Media Player 9 Series and later.
Windows Media Player for Windows XP and lat
Windows Media Player 11 for Windows XP or W
At least Windows XP Professional Service Pac
Windows XP Professional Service Pack 1 or At
Windows 7, Windows Server 2008 R2, Window
Windows XP Professional Service Pack 1 or At
At least Windows Vista through Windows 8.1
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 8.1 or Windows RT 8.1
At least Windows 8.1 or Windows RT 8.1
Help Text
This policy setting determines which ActiveX installation sites standard users in your organization can
This policy setting controls the installation of ActiveX controls for sites in Trusted zone. If you enable t
Prevents users from using Add or Remove Programs to configure installed services. This setting remo
Removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cann
Removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a r
Removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result,
Removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page.
Removes the "Add programs from Microsoft" section from the Add New Programs page. This setting pr
Prevents users from viewing or installing published programs. This setting removes the "Add program
Removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a res
Prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs f
Removes links to the Support Info dialog box from programs on the Change or Remove Programs page
Specifies the category of programs that appears when users open the "Add New Programs" page. If y
This policy setting determines whether users can access the Insider build controls in the Advanced Op
Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running on this computer. This
This policy controls the visibility of the Program Compatibility property page shell extension. This she
This policy controls the state of the application compatibility engine in the system. The engine is part
The policy controls the state of the Application Telemetry engine in the system. Application Telemetry
This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories ap
This setting exists only for backward compatibility, and is not valid for this version of Windows. To con
This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors
This policy setting controls the state of Steps Recorder. Steps Recorder keeps a record of steps taken
The policy controls the state of the Switchback compatibility engine in the system. Switchback is a m
This policy setting specifies whether Windows apps can access account information. You can specify e
This policy setting specifies whether Windows apps can access account information. If you choose the
This policy setting specifies whether Windows apps can access call history. If you choose the "User is
This policy setting specifies whether Windows apps can access contacts. If you choose the "User is in
This policy setting specifies whether Windows apps can access email. If you choose the "User is in co
This policy setting specifies whether Windows apps can access location. If you choose the "User is in
This policy setting specifies whether Windows apps can read or send messages (text or MMS). If you c
This policy setting specifies whether Windows apps can access motion data. If you choose the "User i
This policy setting specifies whether Windows apps can access notifications. You can specify either a
This policy setting specifies whether Windows apps can access the calendar. If you choose the "User i
This policy setting specifies whether Windows apps can access the camera. If you choose the "User is
This policy setting specifies whether Windows apps can access the microphone. If you choose the "Us
This policy setting specifies whether Windows apps can access trusted devices. If you choose the "Us
This policy setting specifies whether Windows apps have access to control radios. If you choose the "U
This policy setting specifies whether Windows apps can sync with devices. If you choose the "User is
This setting controls whether virtualized applications are launched on Windows 8 machines connected
Specifies the path to a valid certificate in the certificate store.
This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature.
Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX con
Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a pre
Enables scripts defined in the package manifest of configuration files that should run.
Enables a UX to display to the user when a publishing refresh is performed on the client.
If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache su
Specifies the location where symbolic links are created to the current version of a globally published p
Specifies the location where symbolic links are created to the current version of a per-user published p
Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.
The program collects information about computer hardware and how you use Microsoft Application Vir
Specifies directory where all new applications and updates will be installed.
Overrides source location for downloading package content.
Publishing Server Display Name: Displays the name of publishing server. Publishing Server URL: Disp
Specifies the number of seconds between attempts to reestablish a dropped session.
Specifies the number of times to retry a dropped session.
Reporting Server URL: Displays the URL of reporting server. Reporting Time: When the client data sho
Requires admin privileges to publish and unpublish packages and connection groups.
Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage
Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSION
Specifies that streamed package contents will be not be saved to the local hard disk.
Specifies how new packages should be loaded automatically by App-V on a specific computer.
Verifies Server certificate revocation status before streaming using HTTPS.
Specifies a list of process paths (may contain wildcards) which are candidates for using virtual compon
Manages a Windows app's ability to share data between users who have installed the app. If you en
This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer
This policy setting allows you to manage the deployment of Windows Store apps when the user is sign
Allows or denies development of Windows Store applications and installing them directly from an IDE.
This policy setting allows you to manage installing Windows apps on additional volumes such as secon
Prevent users' app data from moving to another location when an app is moved or installed on anothe
This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps th
This policy setting lets you control whether Windows Store apps can open files using the default deskt
This policy setting lets you control whether Windows Store apps can open files using the default deskt
This policy setting lets you control whether Windows Store apps can open URIs using the default desk
This policy setting lets you control whether Windows Store apps can open URIs using the default desk
This policy setting controls whether Windows Store apps with Windows Runtime API access directly fro
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that
This policy setting allows you to manage the default risk level for file types. To fully customize the risk
This policy setting allows you to manage whether Windows marks file attachments with information ab
This policy setting allows you to manage whether users can manually remove the zone information fro
This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the
This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list o
This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in th
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If m
This policy setting allows you to configure the logic that Windows uses to determine the risk for file at
This policy setting determines what information is logged in security audit events when a new process
This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this polic
This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this polic
This policy setting allows you to prevent AutoPlay from remembering user's choice of what to do when
This policy setting allows you to prevent AutoPlay from remembering user's choice of what to do when
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally
This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive a
This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive a
This policy setting controls whether OS Reactivation is blocked on a device. Policy Options: - Not Co
This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. En
This policy setting determines whether users with a domain account can log on or elevate User Accou
This policy setting allows or prevents the Windows Biometric Service to run on this computer. If you
This policy setting determines whether users can log on or elevate User Account Control (UAC) permis
This policy setting specifies the number of seconds a pending fast user switch event will remain active
This policy setting determines whether enhanced anti-spoofing is configured for devices which suppor
This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching featu
This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows B
This policy setting specifies whether the computer will act as a BITS peer caching client. By default, w
This policy setting specifies whether the computer will act as a BITS peer caching server. By default, w
This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS
This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache
This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will ta
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) us
This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting d
This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits
This policy setting limits the number of BITS jobs that can be created for all users of the computer. By
This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limite
This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, file
This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS)
This policy setting specifies the number of days a pending BITS job can remain inactive before the job
This policy setting allow the use of Camera devices on the machine. If you enable or do not configure
If you enable this setting all Customer Experience Improvement Program uploads are redirected to Mic
This policy setting will enable tagging of Windows Customer Experience Improvement data when a stu
This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. If you e
This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). If you enable
This policy setting lets you configure Windows spotlight on the lock screen. If you enable this policy s
This policy setting prevents Windows Tips from being shown to users. If you enable this policy setting
This policy setting lets you turn off all Windows Spotlight features at once. If you enable this policy se
This policy setting turns off experiences that help consumers make the most of their devices and Micr
This policy setting directs the system to search Active Directory for missing Component Object Model
This policy setting directs the system to search Active Directory for missing Component Object Model
Make the automatic acceptance of incoming calls persistent.
Disables the application sharing feature of NetMeeting completely. Users will not be able to host or vi
Disables the audio feature of NetMeeting. Users will not be able to send or receive audio.
Disables the Chat feature of NetMeeting.
Disables the directory feature of NetMeeting. Users will not logon to a directory (ILS) server when Net
Disables full duplex mode audio. Users will not be able to listen to incoming audio while speaking into
Disables the 2.x whiteboard feature of NetMeeting. The 2.x whiteboard is available for compatibility w
Disables the remote desktop sharing feature of NetMeeting. Users will not be able to set it up or use i
Disables the Advanced Calling button on the General Options page. Users will not then be able to cha
Disables the T.126 whiteboard feature of NetMeeting.
Configures NetMeeting to download settings for users each time it starts. The settings are downloade
Hides the Audio page of the Tools Options dialog. Users will not then be able to change audio settings
Hides the General page of the Tools Options dialog. Users will not then be able to change personal ide
Hides the Security page of the Tools Options dialog. Users will not then be able to change call security
Hides the Video page of the Tools Options dialog. Users will not then be able to change video settings
Limits the bandwidth audio and video will consume when in a conference. This setting will guide NetM
Limits the size of files users can send to others in a conference.
Prevents users from adding directory (ILS) servers to the list of those they can use for placing calls.
Prevents users from sharing applications in true color. True color sharing uses more bandwidth in a co
Prevents users from turning on automatic acceptance of incoming calls. This ensures that others cann
Prevents users from changing the way calls are placed, either directly or via a gatekeeper server.
Prevents user from changing the DirectSound audio setting. DirectSound provides much better audio
Prevents users from allowing others in a conference to control what they have shared. This enforces a
Prevents users from sharing the whole desktop. They will still be able to share individual applications.
Prevents users from receiving files from others in a conference.
Prevents users from receiving video. Users will still be able to send video provided they have the hard
Prevents users from sending files to others in a conference.
Prevents users from sending video if they have the hardware. Users will still be able to receive video
Prevents users from sharing anything themselves. They will still be able to view shared applications/d
Prevents users from sharing command prompts. This prevents users from inadvertently sharing out a
Prevents users from sharing Explorer windows. This prevents users from inadvertently sharing out ap
Prevents users from viewing directories as Web pages in a browser.
Sets the level of security for both outgoing and incoming NetMeeting calls.
Sets the URL NetMeeting will display when the user chooses the Help Online Support command.
This policy setting controls the default Control Panel view, whether by category or icons. If this policy
This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Per
Disables all Control Panel programs and the PC settings app. This setting prevents Control.exe and Sy
This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are d
Disables the Display Control Panel. If you enable this setting, the Display Control Panel does not run.
This policy setting controls whether the lock screen appears for users. If you enable this policy setting
Enables desktop screen savers. If you disable this setting, screen savers do not run. Also, this setting
Forces Windows to use the specified colors for the background and accent. The color values are specifi
This setting allows you to force a specific default lock screen and logon image by entering the path (lo
Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user
This setting allows you to force a specific visual style file by entering the path (location) of the visual s
Specifies the screen saver for the user's desktop. If you enable this setting, the system displays the s
Removes the Settings tab from Display in Control Panel. This setting prevents users from using Contro
Specifies which theme file is applied to the computer the first time a user logs on. If you enable this s
Determines whether screen savers used on the computer are password protected. If you enable this s
Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme d
This setting forces the theme color scheme to be the default color scheme. If you enable this setting,
Prevents users from adding or changing the background design of the desktop. By default, users can
Prevents users from changing the desktop icons. By default, users can use the Desktop Icon Settings
Prevents users from changing the background image shown when the machine is locked or when on th
Prevents users from changing the mouse pointers. By default, users can use the Pointers tab in the M
Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. This s
Prevents users from changing the sound scheme. By default, users can use the Sounds tab in the Sou
Prevents users from changing the look of their start menu background, such as its color or accent. By
This setting disables the theme gallery in the Personalization Control Panel. If you enable this setting,
Prevents users or applications from changing the visual style of the windows and buttons displayed on
Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invok
Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on
Prevents users from changing the size of the font in the windows and buttons displayed on their scree
Specifies how much user idle time must elapse before the screen saver is launched. When configured
This policy setting allows an administrator to standardize the account pictures for all users on a system
This policy setting allows you to control whether or not the user may alter the time before a password
This policy setting allows the administrator to assign a specified credential provider as the default cre
This policy setting specifies a default logon domain, which might be a different domain than the doma
This policy setting allows the administrator to exclude the specified credential providers from use dur
This policy setting allows you to control whether a domain user can sign in using a picture password.
This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In
This policy setting applies to applications using the Cred SSP component (for example: Remote Deskto
When running in restricted mode, participating apps do not expose credentials to remote computers (
This policy setting allows you to configure the display of the password reveal button in password entry
This policy setting allows you to configure the display of the password reveal button in password entry
This policy setting controls whether administrator accounts are displayed when a user attempts to ele
This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to pr
This policy setting prevents users from changing their Windows password on demand. If you enable t
This policy setting prevents users from locking the system. While locked, the desktop is hidden and th
This policy setting disables or removes all menu items and buttons that log the user off the system. If
This policy setting prevents users from starting Task Manager. Task Manager (taskmgr.exe) lets users
This policy setting determines the amount of diagnostic and usage data reported to Microsoft. A value
This policy setting determines the amount of diagnostic and usage data reported to Microsoft. A value
With this policy setting, you can forward connected user experience and telemetry requests to a proxy
This policy setting defines the identifier used to uniquely associate this devices telemetry data as bel
This policy setting determines the level that Microsoft can experiment with the product to study user p
Allows you to specify that local computer administrators can supplement the "Define Activation Secur
Allows you to view and change a list of DCOM server application ids (appids) which are exempted from
Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCac
Set this policy to configure the use of Windows Update Delivery Optimization in downloads of Window
Group ID must be set as a GUID. Set this policy to specify an arbitrary group ID that the device belong
Set this policy to define the max time that each file is held in the Delivery Optimization cache.
Set this policy to define the max cache size Delivery Optimization can utilize, as a percentage of avail
Set this policy to define a cap for the upload bandwidth a device will utilize across all concurrent uploa
Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all co
Specifies the maximum download bandwidth that Delivery Optimization uses across all concurrent dow
Specifies the minimum download QoS (Quality of Service or speed) for background downloads in KiloB
Specifies the drive Delivery Optimization shall use for its cache. By default, %SystemDrive% is used to
Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet pe
Adds and deletes specified Web content items. You can use the "Add" box in this setting to add partic
Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to
Specifies the desktop background ("wallpaper") displayed on all users' desktops. This setting lets you
Disables Active Desktop and prevents users from enabling it. This setting prevents users from trying
Removes Active Desktop content and prevents users from adding Active Desktop content. This settin
Remote shared folders are not added to Network Locations whenever you open a document in the sha
Prevents users from saving certain changes to the desktop. If you enable this setting, users can chan
Enables Active Desktop and prevents users from disabling it. This setting prevents users from trying t
Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons
Hides the Active Directory folder in Network Locations. The Active Directory folder displays Active Dir
Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefc
Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. T
Removes the Network Locations icon from the desktop. This setting only affects the desktop icon. It d
Specifies the maximum number of objects the system displays in response to a command to browse o
Prevents users from manipulating desktop toolbars. If you enable this setting, users cannot add or rem
Prevents users from adding Web content to their Active Desktop. This setting removes the "New" butt
Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or to
Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configura
Prevents users from removing Web content from their Active Desktop. In Active Desktop, you can add
Prevents users from deleting Web content from their Active Desktop. This setting removes the Delete
Prevents users from changing the properties of Web content items on their Active Desktop. This settin
Prevents users from changing the path to their profile folders. By default, a user can change the locat
This setting hides Computer from the desktop and from the new Start menu. It also hides links to Com
Removes most occurrences of the My Documents icon. This setting removes the My Documents icon
This setting hides Properties on the context menu for Computer. If you enable this setting, the Proper
This policy setting hides the Properties menu command on the shortcut menu for the My Documents i
Removes the Properties option from the Recycle Bin context menu. If you enable this setting, the Prop
Removes most occurrences of the Recycle Bin icon. This setting removes the Recycle Bin icon from th
Prevents users from using the Desktop Cleanup Wizard. If you enable this setting, the Desktop Cleanu
Prevents windows from being minimized or restored when the active window is shaken back and forth
Changes behavior of Microsoft bus drivers to work with specific devices.
Changes behavior of 3rd-party drivers to work around incompatibilities introduced between OS version
This policy allows users to use a companion device, such as a phone, fitness band, or IoT device, to sig
Deploy Code Integrity Policy This policy setting lets you deploy a Code Integrity Policy to a machine to
Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Win
This policy setting allows you to determine whether members of the Administrators group can install a
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for de
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs)
This policy setting specifies a list of device setup class GUIDs describing device drivers that non-admin
This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you e
Determines how the system responds when a user tries to install device driver files that are not digita
This policy setting allows you to configure the number of seconds Windows waits for a device installat
This policy setting allows you to display a custom message title in a notification when a device installa
This policy setting allows you to display a custom message to users in a notification when a device ins
This policy setting allows you to prevent Windows from creating a system restore point during device
This policy setting allows you to prevent the installation of devices that are not specifically described
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for de
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs)
This policy setting allows you to prevent Windows from installing removable devices. A device is consi
This policy setting allows you to determine how drivers signed by a Microsoft Windows Publisher certifi
This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in o
This policy setting prevents redirection of specific USB devices. If you enable this setting, an alternate
This policy setting prevents redirection of USB devices. If you enable this setting, an alternate driver f
This setting configures the location that Windows searches for drivers when a new piece of hardware i
Windows has a feature that sends "generic-driver-installed" reports through the Windows Error Report
This policy setting allows you to prevent Windows from retrieving device metadata from the Internet.
Windows has a feature that allows a device driver to request additional software through the Windows
This policy setting allows you to specify the order in which Windows searches source locations for dev
This policy setting allows you to specify the search server that Windows uses to find updates for devic
This policy setting allows you to turn off "Found New Hardware" balloons during device installation. If
Specifies whether the administrator will be prompted about going to Windows Update to search for de
Specifies whether the administrator will be prompted about going to Windows Update to search for de
This policy setting allows you to configure how often a Distributed File System (DFS) client attempts to
Specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated
Specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated
This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a
This policy setting determines the execution level for S.M.A.R.T.-based disk diagnostics. Self-Monitorin
This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system
This policy setting turns off power save mode on the hybrid hard disks in the system. If you enable th
This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the sy
This policy setting turns off the solid state mode for the hybrid hard disks. If you enable this policy se
This policy setting extends the disk quota policies in this folder to NTFS file system volumes on remov
This policy setting turns on and turns off disk quota management on all NTFS volumes of the compute
This policy setting determines whether disk quota limits are enforced and prevents users from changin
This policy setting determines whether the system records an event in the local Application log when
This policy setting determines whether the system records an event in the Application log when users
This policy setting specifies the default disk quota limit and warning level for new users of the volume
Specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (D
Specifies that computers may attach suffixes to an unqualified multi-label name before sending subse
Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. If you
Specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DN
Defines the DNS servers to which a computer sends queries when it attempts to resolve names. This p
Specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS qu
Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatic
Specifies whether the DNS client should convert internationalized domain names (IDNs) to the Namep
Specifies that responses from link local name resolution protocols received over a network interface th
Specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolutio
Specifies if the DNS client performs primary DNS suffix devolution during the name resolution process
Specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution
Specifies if a computer performing dynamic DNS registration will register A and PTR resource records
Specifies if DNS client computers will register PTR resource records. By default, DNS clients configure
Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy set
Specifies whether dynamic updates should overwrite existing resource records that contain conflicting
Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by c
Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode w
Specifies that link local multicast name resolution (LLMNR) is disabled on client computers. LLMNR is
Specifies that a multi-homed DNS client should optimize name resolution across networks. The settin
Specifies that the DNS client should prefer responses from link local name resolution protocols on non
Specifies the security level for dynamic DNS updates. To use this policy setting, click Enabled and the
Specifies if computers may send dynamic updates to zones with a single label name. These zones are
This policy setting controls the ability to change the color of window frames. If you enable this policy
This policy setting controls the ability to change the color of window frames. If you enable this policy
This policy setting allows you to configure the accessibility of the Flip 3D feature. Flip 3D allows the us
This policy setting allows you to configure the accessibility of the Flip 3D feature. Flip 3D allows the us
This policy setting controls the appearance of window animations such as those found when restoring
This policy setting controls the appearance of window animations such as those found when restoring
This policy setting controls the default color for window frames when the user does not specify a color
This policy setting controls the default color for window frames when the user does not specify a color
This policy setting controls the Start background visuals. If you enable this policy setting, the Start ba
This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when
This policy setting allows you to restrict character code range of conversion by setting character filter.
This policy setting allows you to turn off the ability to use a custom dictionary. If you enable this polic
This policy setting allows you to turn off history-based predictive input. If you enable this policy settin
This policy setting allows you to turn off Internet search integration. If you enable this policy setting,
This policy setting allows you to turn off Open Extended Dictionary. If you enable this policy setting, O
This policy setting allows you to turn off saving the auto-tuning result to file. If you enable this policy
This policy setting controls the cloud candidates feature, which uses an online service to provide input
This policy setting controls the cloud candidates feature, which uses an online service to provide input
This policy setting allows you to turn on logging of misconversion for the misconversion report. If you
This policy setting allows you to specify which boot-start drivers are initialized based on a classificatio
If you disable this policy setting, users will not be able to invoke any system UI by swiping in from any
If you disable this policy setting, users will not be able to invoke any system UI by swiping in from any
Disables help tips that Windows shows to the user. By default, Windows will show the user help tips u
Disables help tips that Windows shows to the user. By default, Windows will show the user help tips u
This policy setting allows you to prevent the last app and the list of recent apps from appearing when
This policy setting allows you to prevent users from replacing the Command Prompt with Windows Pow
This policy setting allows you to prevent Search, Share, Start, Devices, and Settings from appearing w
If you enable this setting, users will not be allowed to switch between recent apps. The App Switching
This policy setting prevents Windows from keeping track of the apps that are used and searched most
This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder.
This policy setting configures whether or not only USB root hub connected Enhanced Storage devices
This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and pro
This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electric
This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on
This policy setting configures whether or not a password can be used to unlock an Enhanced Storage
This policy setting configures whether or not Windows will activate an Enhanced Storage device. If yo
This policy setting locks Enhanced Storage devices when the computer is locked. This policy setting is
This policy setting controls whether memory dumps in support of OS-generated error reports can be s
This policy setting controls whether memory dumps in support of OS-generated error reports can be s
This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you
This policy setting determines the default consent behavior of Windows Error Reporting. If you enable
This policy setting determines the default consent behavior of Windows Error Reporting. If you enable
This policy setting configures how errors are reported to Microsoft, and what information is sent when
This policy setting controls the behavior of the Windows Error Reporting archive. If you enable this po
This policy setting controls the behavior of the Windows Error Reporting archive. If you enable this po
This policy setting determines the behavior of the Windows Error Reporting report queue. If you enab
This policy setting determines the behavior of the Windows Error Reporting report queue. If you enab
This policy setting determines the consent behavior of Windows Error Reporting for specific event type
This policy setting determines the consent behavior of Windows Error Reporting for specific event type
This policy setting controls whether errors in general applications are included in reports when Window
This policy setting controls whether Windows Error Reporting saves its own events and error message
This policy setting controls whether Windows Error Reporting saves its own events and error message
This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to eithe
This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to eithe
This policy setting controls whether users are shown an error dialog box that lets them report an error
This policy setting controls whether additional data in support of error reports can be sent to Microsoft
This policy setting controls whether additional data in support of error reports can be sent to Microsoft
This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level
This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level
This policy setting determines the behavior of the Configure Default Consent setting in relation to cus
This policy setting determines the behavior of the Configure Default Consent setting in relation to cus
This policy setting specifies applications for which Windows Error Reporting should always report error
This policy setting limits Windows Error Reporting behavior for errors in general applications when Win
This policy setting limits Windows Error Reporting behavior for errors in general applications when Win
This policy setting controls Windows Error Reporting behavior for errors in general applications when W
This policy setting prevents the display of the user interface for critical errors. If you enable this polic
This policy setting controls whether errors in the operating system are included Windows Error Reporti
This policy setting determines whether Windows Error Reporting (WER) checks if the computer is runn
This policy setting determines whether Windows Error Reporting (WER) checks if the computer is runn
This policy setting determines whether Windows Error Reporting (WER) checks for a network cost polic
This policy setting determines whether Windows Error Reporting (WER) checks for a network cost polic
This policy setting controls resource usage for the forwarder (source computer) by controlling the even
This policy setting allows you to configure the server address, refresh interval, and issuer certificate a
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes e
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Defi
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you ena
This policy setting controls the location of the log file. The location of the file must be writable by the
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy set
This policy setting turns on logging. If you enable or do not configure this policy setting, then events
This policy setting lets you configure Protected Event Logging. If you enable this policy setting, compo
This is the program that will be invoked when the user clicks the events.asp link.
This specifies the command line parameters that will be passed to the events.asp program
This is the URL that will be passed to the Description area in the Event Properties dialog box. Change
This policy setting configures File Explorer to always display the menu bar. Note: By default, the menu
This policy setting allows administrators who have configured roaming profile in conjunction with Dele
This policy setting allows administrators to prevent users from adding new items such as files or folde
Sets the target of the More Information link that will be displayed when the user attempts to run a pro
This policy is similar to settings directly available to computer users. Disabling animations can improv
Disabling data execution prevention can allow certain legacy plug-in applications to function without t
Disabling heap termination on corruption can allow certain legacy plug-in applications to function with
Specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go
Specifies whether the PC can use standby sleep states (S1-S3) when starting from a Windows To Go w
This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Wi
This policy setting allows an organization to prevent its devices from showing feedback questions from
This policy setting allows you to turn off File History. If you enable this policy setting, File History cann
This policy setting allows you to configure the recovery behavior for corrupted files to one of three sta
Windows Runtime applications can protect content which has been associated with an enterprise iden
Determines whether the RPC protocol messagese used by VSS for SMB2 File Shares feature is enabled
Delete notification is a feature that notifies the underlying storage device of clusters that are freed du
Compression can add to the processing overhead of filesystem operations. Enabling this setting will p
Encryption can add to the processing overhead of filesystem operations. Enabling this setting will pre
TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Please ena
Encrypting the page file prevents malicious users from reading data that has been paged to disk, but
Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to
Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can sele
These settings provide control over whether or not short names are generated during file creation. So
This policy setting allows you to control whether all redirected shell folders, such as Contacts, Docume
This policy setting allows you to control whether individual redirected shell folders are available offline
This policy setting controls whether the contents of redirected folders is copied from the old location t
This policy setting controls whether folders are redirected on a user's primary computers only. This po
This policy setting controls whether folders are redirected on a user's primary computers only. This po
This policy setting allows the administrator to define whether Folder Redirection should use localized n
This policy setting allows the administrator to define whether Folder Redirection should use localized n
Hides the Preview Pane in File Explorer. If you enable this policy setting, the Preview Pane in File Explo
This policy setting shows or hides the Details Pane in File Explorer. If you enable this policy setting an
This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolvin
Manages download of game box art and ratings from the Windows Metadata Services. If you enable t
Manages download of game update information from Windows Metadata Services. If you enable this s
Tracks the last play time of games in the Games folder. If you enable this setting the last played time
This policy enables the automatic learning component of input personalization that includes speech, in
This policy setting controls whether the LPRemove task will run to clean up language packs installed o
This policy setting determines how programs interpret two-digit years. This policy setting affects only
This policy setting prevents users from changing their user geographical location (GeoID). If you enab
This policy setting prevents users from changing their user geographical location (GeoID). If you enab
This policy prevents automatic copying of user input methods to the system account for use on the sig
This policy setting prevents a user from selecting a supplemental custom locale as their user locale. T
This policy setting prevents a user from selecting a supplemental custom locale as their user locale. T
This policy setting prevents the user from customizing their locale by changing their user overrides. A
This policy setting prevents the user from customizing their locale by changing their user overrides. A
This policy setting controls which UI language is used for computers with more than one UI language i
This policy setting removes the Administrative options from the Region settings control panel. Admini
This policy setting removes the option to change the user's geographical location (GeoID) from the Re
This policy setting removes the option to change the user's menus and dialogs (UI) language from the
This policy setting removes the regional formats interface from the Region settings control panel. This
This policy setting restricts users to the specified language by disabling the menus and dialog box con
This policy setting restricts the permitted system locales to the specified list. If the list is empty, it lock
This policy setting restricts users on a computer to the specified list of user locales. If the list is empty
This policy setting restricts users on a computer to the specified list of user locales. If the list is empty
This policy setting restricts the Windows UI language for all users. This is a policy setting for compute
This policy setting restricts the Windows UI language for specific users. This policy setting applies to c
This policy turns off the autocorrect misspelled words option. This does not, however, prevent the use
This policy setting turns off the automatic learning component of handwriting recognition personalizat
This policy setting turns off the automatic learning component of handwriting recognition personalizat
This policy turns off the highlight misspelled words option. This does not, however, prevent the user o
This policy turns off the insert a space after selecting a text prediction option. This does not, however,
This policy turns off the offer text predictions as I type option. This does not, however, prevent the use
This policy setting allows user-based policy processing, roaming user profiles, and user object logon sc
This policy setting lets you always use local ADM files for the Group Policy snap-in. By default, when y
This policy directs Group Policy processing to skip processing any client side extension that requires sy
This policy setting allows an administrator to define the Direct Access connection to be considered a f
This policy setting determines when disk quota policies are updated. This policy setting affects all pol
This policy setting determines when encryption policies are updated. This policy setting affects all po
This policy setting determines when folder redirection policies are updated. This policy setting affects
This policy setting allows you to configure Group Policy caching behavior. If you enable or do not con
This policy setting determines which domain controller the Group Policy Object Editor snap-in uses. If
This policy setting defines a slow connection for purposes of applying and updating Group Policy. If th
This policy setting defines a slow connection for purposes of applying and updating Group Policy. If th
This policy setting determines when Internet Explorer Maintenance policies are updated. This policy s
This policy setting determines when IP security policies are updated. This policy setting affects all pol
Enter 0 to disable Logon Script Delay. This policy setting allows you to configure how long the Grou
This policy setting determines when registry policies are updated. This policy setting affects all policie
This policy setting determines when policies that assign shared scripts are updated. This policy settin
This policy setting determines when security policies are updated. This policy setting affects all polici
This policy setting determines when software installation policies are updated. This policy setting affe
This policy setting directs the system to apply the set of Group Policy objects for the computer to any
This policy setting determines when policies that assign wired network settings are updated. This pol
This policy setting determines when policies that assign wireless network settings are updated. This p
This policy setting determines whether the Windows device is allowed to participate in cross-device ex
This policy setting allows you to create new Group Policy object links in the disabled state. If you enab
This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. By de
This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. By de
Enabling this setting will cause the Group Policy Client to connect to the same domain controller for D
This policy setting determines whether Windows is allowed to download fonts and font catalog data fr
This policy setting allows you to configure Group Policy caching behavior on Windows Server machine
This policy setting prevents administrators from viewing or using Group Policy preferences. A Group P
This security feature provides a means to override individual process MitigationOptions settings. This
This security feature provides a means to override individual process MitigationOptions settings. This
This policy setting allows you to control a user's ability to invoke a computer policy refresh. If you ena
This policy setting allows you to set the default display name for new Group Policy objects. This settin
This policy setting specifies how often Group Policy for computers is updated while the computer is in
This policy setting specifies how often Group Policy is updated on domain controllers while they are ru
This policy setting specifies how often Group Policy for users is updated while the computer is in use (
This policy setting specifies how long Group Policy should wait for network availability notifications du
This policy setting specifies how long Group Policy should wait for workplace connectivity notifications
Prevents the system from updating the Administrative Templates source files automatically when you
This policy setting prevents Group Policy from being updated while the computer is in use. This policy
This policy setting prevents the Group Policy Client Service from stopping when idle.
This policy setting prevents Local Group Policy Objects (Local GPOs) from being applied. By default, th
This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client compute
This security feature provides a global setting to prevent programs from loading untrusted fonts. Untr
This policy setting allows you to configure when preference items in the Applications preference exten
This policy setting allows you to configure the level of detail recorded by event logging for the Applica
This policy setting allows you to configure when preference items in the Data Sources preference exte
This policy setting allows you to configure the level of detail recorded by event logging for the Data So
This policy setting allows you to configure when preference items in the Devices preference extension
This policy setting allows you to configure the level of detail recorded by event logging for the Devices
This policy setting allows you to configure when preference items in the Drive Maps preference extens
This policy setting allows you to configure the level of detail recorded by event logging for the Drive M
This policy setting allows you to configure when preference items in the Environment preference exten
This policy setting allows you to configure the level of detail recorded by event logging for the Environ
This policy setting allows you to configure when preference items in the Files preference extension are
This policy setting allows you to configure the level of detail recorded by event logging for the Files pr
This policy setting allows you to configure when preference items in the Folder Options preference ext
This policy setting allows you to configure the level of detail recorded by event logging for the Folder O
This policy setting allows you to configure when preference items in the Folders preference extension
This policy setting allows you to configure the level of detail recorded by event logging for the Folders
This policy setting allows you to configure when preference items in the Ini Files preference extension
This policy setting allows you to configure the level of detail recorded by event logging for the Ini Files
This policy setting allows you to configure when preference items in the Internet Settings preference e
This policy setting allows you to configure the level of detail recorded by event logging for the Interne
This policy setting allows you to configure when preference items in the Local Users and Groups prefe
This policy setting allows you to configure the level of detail recorded by event logging for the Local U
This policy setting allows you to configure when preference items in the Network Options preference e
This policy setting allows you to configure the level of detail recorded by event logging for the Networ
This policy setting allows you to configure when preference items in the Network Shares preference ex
This policy setting allows you to configure the level of detail recorded by event logging for the Networ
This policy setting allows you to configure when preference items in the Power Options preference ext
This policy setting allows you to configure the level of detail recorded by event logging for the Power O
This policy setting allows you to configure when preference items in the Printers preference extension
This policy setting allows you to configure the level of detail recorded by event logging for the Printers
This policy setting allows you to configure when preference items in the Regional Options preference e
This policy setting allows you to configure the level of detail recorded by event logging for the Regiona
This policy setting allows you to configure when preference items in the Registry preference extension
This policy setting allows you to configure the level of detail recorded by event logging for the Registr
This policy setting allows you to configure when preference items in the Scheduled Tasks preference e
This policy setting allows you to configure the level of detail recorded by event logging for the Schedu
This policy setting allows you to configure when preference items in the Services preference extension
This policy setting allows you to configure the level of detail recorded by event logging for the Service
This policy setting allows you to configure when preference items in the Shortcuts preference extensio
This policy setting allows you to configure the level of detail recorded by event logging for the Shortcu
This policy setting allows you to configure when preference items in the Start Menu preference extens
This policy setting allows you to configure the level of detail recorded by event logging for the Start M
This policy setting allows you to permit or prohibit use of Application snap-ins (Application preference
This policy setting allows you to permit or prohibit use of the Applications preference extension. When
This policy setting allows you to permit or prohibit use of the Control Panel Settings item and all prefer
This policy setting allows you to permit or prohibit use of the Control Panel Settings item and all prefer
This policy setting allows you to permit or prohibit use of the Data Sources preference extension. Whe
This policy setting allows you to permit or prohibit use of the Devices preference extension. When a p
This policy setting allows you to permit or prohibit use of the Drive Maps preference extension. When
This policy setting allows you to permit or prohibit use of the Environment preference extension. When
This policy setting allows you to permit or prohibit use of the Files preference extension. When a prefe
This policy setting allows you to permit or prohibit use of the Folder Options preference extension. Wh
This policy setting allows you to permit or prohibit use of the Folders preference extension. When a pr
This policy setting allows you to permit or prohibit use of the Ini Files preference extension. When a pr
This policy setting allows you to permit or prohibit use of the Internet Settings preference extension. W
This policy setting allows you to permit or prohibit use of the Local Users and Groups preference exten
This policy setting allows you to permit or prohibit use of the Network Options preference extension. W
This policy setting allows you to permit or prohibit use of the Network Shares preference extension. W
This policy setting allows you to permit or prohibit use of the Power Options preference extension. Wh
This policy setting allows you to permit or prohibit use of the Preferences tab. When prohibited, the Pr
This policy setting allows you to permit or prohibit use of the Printers preference extension. When a pr
This policy setting allows you to permit or prohibit use of the Regional Options preference extension. W
This policy setting allows you to permit or prohibit use of the Registry preference extension. When a p
This policy setting allows you to permit or prohibit use of the Scheduled Tasks preference extension. W
This policy setting allows you to permit or prohibit use of the Services preference extension. When a p
This policy setting allows you to permit or prohibit use of the Shortcuts preference extension. When a
This policy setting allows you to permit or prohibit use of the Start Menu preference extension. When
This policy setting allows Microsoft Windows to process user Group Policy settings asynchronously whe
This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.
This policy setting allows you to restrict programs from being run from online Help. If you enable thi
This policy setting allows you to restrict programs from being run from online Help. If you enable thi
This policy setting allows you to exclude HTML Help Executable from being monitored by software-enf
This policy setting specifies whether active content links in trusted assistance content are rendered. B
This policy setting specifies whether users can participate in the Help Experience Improvement progra
This policy setting specifies whether users can provide ratings for Help content. If you enable this pol
This policy setting specifies whether users can search and view content from Windows Online in Help
This policy setting defines whether WLAN hotspots are probed for Wireless Internet Service Provider ro
This policy setting specifies whether Windows can access the Internet to accomplish tasks that require
This policy setting specifies whether Windows can access the Internet to accomplish tasks that require
This policy setting allows you to remove access to Windows Update. If you enable this policy setting,
This policy setting specifies whether to use the Store service for finding an application to open a file w
This policy setting specifies whether to use the Store service for finding an application to open a file w
This policy setting specifies whether to automatically update root certificates using the Windows Upda
This policy setting specifies whether to allow this client to download print driver packages over HTTP.
This policy setting specifies whether to allow this client to download print driver packages over HTTP.
This policy setting specifies whether "Events.asp" hyperlinks are available for events within the Event
This policy setting specifies whether to show the "Did you know?" section of Help and Support Center.
This policy setting specifies whether users can perform a Microsoft Knowledge Base search from the H
This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to down
This policy setting specifies whether Windows should download a list of providers for the web publishi
This policy setting specifies whether Windows should download a list of providers for the web publishi
This policy setting specifies whether to use the Microsoft Web service for finding an application to ope
This policy setting specifies whether to use the Microsoft Web service for finding an application to ope
This policy setting specifies whether to allow printing over HTTP from this client. Printing over HTTP a
This policy setting specifies whether to allow printing over HTTP from this client. Printing over HTTP a
This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for o
This policy setting specifies whether Search Companion should automatically download content updat
This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in W
This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in W
This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the
This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the
This policy setting specifies whether Windows Messenger collects anonymous information about how W
This policy setting specifies whether Windows Messenger collects anonymous information about how W
This policy setting turns off the Windows Customer Experience Improvement Program. The Windows C
This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to
This policy setting turns off the active tests performed by the Windows Network Connectivity Status In
This policy setting specifies whether Windows searches Windows Update for device drivers when no lo
"This policy setting prevents installation of Internet Information Services (IIS) on this computer. If you
This policy setting allows you to manage whether Internet Explorer can access data from another secu
This policy setting allows you to add a specific list of search providers to the user's default list of searc
This policy setting allows you to add a specific list of search providers to the user's default list of searc
This policy setting allows you to add default Accelerators. If you enable this policy setting, the specifi
This policy setting allows you to add default Accelerators. If you enable this policy setting, the specifi
This policy setting allows you to add non-default Accelerators. If you enable this policy setting, the sp
This policy setting allows you to add non-default Accelerators. If you enable this policy setting, the sp
This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer
This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer
For each zone, the Binary and Scripted Behavior security restrictions may be configured to allow only
For each zone, the Binary and Scripted Behavior security restrictions may be configured to allow only
This policy setting allows you to manage whether processes respect add-on management user prefere
This policy setting allows you to manage whether processes respect add-on management user prefere
Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functional
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling pr
Internet Explorer places zone restrictions on each Web page it opens, which are dependent upon the l
This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file
The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK p
Internet Explorer may be configured to prevent active content obtained through restricted protocols fr
This policy setting allows you to manage whether the Notification bar is displayed for processes other
This policy setting allows you to manage whether the Notification bar is displayed for processes other
This policy setting defines whether a reference to an object is accessible when the user navigates with
Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon
This policy setting enables applications hosting the Web Browser Control to block automatic prompting
Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various ty
This policy setting allows you to manage whether users receive a dialog requesting permission for act
This policy setting allows you to manage whether users receive a dialog requesting permission for act
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in
This policy setting allows you to manage whether script code on pages in the zone is run. If you enab
This policy setting allows you to manage dynamic binary and script behaviors: components that encap
This policy setting allows you to manage whether scripts can perform a clipboard operation (for exam
This policy setting allows the automatic deletion of specified items when the last browser window clos
This policy setting allows the automatic deletion of specified items when the last browser window clos
This policy setting allows you to manage whether users can drag files or copy and paste files from a s
This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Int
This policy setting allows you to manage whether file downloads are permitted from the zone. This op
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you
This policy setting allows you to manage whether users can download and install self-installing progra
This policy setting allows you to manage whether users can download and install self-installing progra
This policy setting allows you to manage whether users can automatically download and install Web c
This policy setting allows you to manage whether users can automatically download and install Web c
This policy setting allows you to manage whether users can install Active Desktop items from this zon
This policy setting allows you to revert to the Internet Explorer 8 behavior of allowing OnUnLoad script
This policy setting allows you to revert to the Internet Explorer 8 behavior of allowing OnUnLoad script
This policy setting specifies whether Internet Explorer plays media files that use alternative codecs an
This policy setting specifies whether Internet Explorer plays media files that use alternative codecs an
This policy setting determines whether Internet Explorer uses the HTTP2 network protocol. HTTP2 requ
This policy setting determines whether Internet Explorer uses the HTTP2 network protocol. HTTP2 requ
This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 wo
This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 wo
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAM
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout rep
This policy setting allows you to manage whether a user's browser can be redirected to another Web p
This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the A
This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the A
This policy setting allows the user to run natively implemented, scriptable XMLHTTP. If you enable thi
This policy setting allows the user to run natively implemented, scriptable XMLHTTP. If you enable thi
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on we
This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websi
This policy setting determines whether a page can control embedded WebBrowser controls via script.
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy
This policy setting allows you to manage whether software, such as ActiveX controls and file download
This policy setting allows you to manage whether software, such as ActiveX controls and file download
This policy setting specifies whether placeholders appear for graphical images while the images are d
This policy setting allows you to manage whether Internet Explorer will launch COM add-ons known as
This policy setting allows you to manage whether Internet Explorer will launch COM add-ons known as
This policy setting allows you to manage whether script is allowed to update the status bar within the
This policy setting allows the playing of video and animation through older media players in specified
This policy setting controls whether websites can open new Internet Explorer windows that have no st
This policy setting determines whether scripted windows are automatically displayed. If you enable th
This policy setting allows websites to store file resources in application caches on client computers. If
This policy setting allows websites to store file resources in application caches on client computers. If
This policy setting allows websites to store indexed database cache information on client computers.
This policy setting allows websites to store indexed database cache information on client computers.
This policy setting allows you to configure how Internet Explorer sends the Do Not Track (DNT) header
This policy setting allows you to configure how Internet Explorer sends the Do Not Track (DNT) header
Designates the Audio/Video Player ActiveX control as administrator-approved. This control is used for
This policy setting manages whether users will be automatically prompted for ActiveX control installat
This policy setting determines whether users will be prompted for non user-initiated file downloads. Re
This policy setting allows you to configure whether newly installed add-ons are automatically activate
This policy setting allows you to configure whether newly installed add-ons are automatically activate
This policy setting allows you to manage whether Internet Explorer checks the Internet for newer vers
This policy setting allows you to manage whether Internet Explorer checks the Internet for newer vers
This policy setting allows you to bypass prompting when a script that is running in any process on the
This policy setting allows you to bypass prompting when a script that is running in any process on the
This policy setting allows you to bypass prompting when a script that is running in the Internet Explore
This policy setting allows you to bypass prompting when a script that is running in the Internet Explore
Designates the Microsoft Network (MSN) Carpoint automatic pricing control as administrator-approved
This policy setting allows you to change the default connection limit for HTTP 1.1 from 6 connections p
This policy setting allows you to manage whether Internet Explorer will check revocation status of serv
This policy setting allows you to manage whether Internet Explorer will check revocation status of serv
This policy setting allows you to manage whether Internet Explorer checks for digital signatures (whic
This policy setting allows you to manage whether Internet Explorer checks for digital signatures (whic
Allows Administrators to enable and disable the Media Explorer Bar and set the auto-play default. The
Allows Administrators to enable and disable the ability for Outlook Express users to save or open attac
Specifies which buttons will be displayed on the standard toolbar in Microsoft Internet Explorer. If you
This policy setting allows you to choose among three different labels for command buttons: show all te
This policy setting allows you to choose among three different labels for command buttons: show all te
This policy setting allows you to customize the Internet Explorer version string as reported to web serv
This policy setting allows you to customize the Internet Explorer version string as reported to web serv
This policy setting allows you to define applications and processes that can access the Clipboard witho
This policy setting allows you to define applications and processes that can access the Clipboard witho
This policy setting allows you to ensure that any Internet Explorer add-ons not listed in the 'Add-on Lis
This policy setting allows you to ensure that any Internet Explorer add-ons not listed in the 'Add-on Lis
This ActiveX control enables users to edit HTML text and see a faithful rendition of how the text would
This setting specifies the number of days that Internet Explorer tracks views of pages in the History Li
This setting specifies the number of days that Internet Explorer tracks views of pages in the History Li
Prevents users from adding channels to Internet Explorer. Channels are Web sites that are updated au
Prevents users from specifying that Web pages can be downloaded for viewing offline. When users ma
Disables existing schedules for downloading Web pages for offline viewing. When users make Web pa
This AutoComplete feature suggests possible matches when users are filling up forms. If you enable t
Prevents Internet Explorer from automatically installing components. If you enable this policy, it preve
Prevents automatic proxy scripts, which interact with a server to automatically configure users' proxy
If you enable this policy, the user cannot modify the Accessibility options. All options in the "Accessibi
Prevents users from changing settings on the Advanced tab in the Internet Options dialog box. If you
This setting specifies to automatically detect the proxy server settings used to connect to the Internet
This setting specifies to automatically detect the proxy server settings used to connect to the Internet
Prevents users from changing the default programs for managing schedules and contacts. If you enab
Prevents users from changing certificate settings in Internet Explorer. Certificates are used to verify th
Prevents users from changing the default Web page colors. If you enable this policy, the color setting
Prevents users from changing dial-up settings. If you enable this policy, the Settings button on the Co
Prevents users from changing dial-up settings. If you enable this policy, the Settings button on the Co
Prevents Microsoft Internet Explorer from checking to see whether it is the default browser. If you ena
Prevents users from changing font settings. If you enable this policy, users will not be able to change
The Home page specified on the General tab of the Internet Options dialog box is the default Web pag
Prevents users from changing language preference settings. If you enable this policy, users will not b
Prevents users from changing the colors of links on Web pages. If you enable this policy, the color set
Prevents users from changing the default programs for messaging tasks. If you enable this policy, the
Prevents users from changing Profile Assistant settings. If you enable this policy, the My Profile button
Prevents users from changing ratings that help control the type of Internet content that can be viewed
Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from t
Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from t
Prevents users from changing the browser cache settings, such as the location and amount of disk spa
Prevents users from viewing the Channel bar interface. Channels are Web sites that are automatically
Prevents users from determining which buttons appear on the Microsoft Internet Explorer and File Exp
Prevents users from determining which toolbars are displayed in Microsoft Internet Explorer and File E
Prevents content from being downloaded from Web sites that users have subscribed to. When users m
Prevents users from adding, editing, or removing schedules for offline viewing of Web pages and grou
Prevents users from editing an existing schedule for downloading Web pages for offline viewing. Whe
Prevents branding of Internet programs, such as customization of Internet Explorer and Outlook Expre
This policy settings disables the Import/Export Settings wizard. This wizard allows you to import settin
This policy settings disables the Import/Export Settings wizard. This wizard allows you to import settin
Prevents users from running the Internet Connection Wizard. If you enable this policy, the Setup butto
Prevents channel providers from recording information about when their channel pages are viewed by
Prevents using the shortcut menu to open a link in a new browser window. If you enable this policy, u
Prevents Internet Explorer from checking whether a new version of the browser is available. If you en
Prevents users from disabling channel synchronization in Microsoft Internet Explorer. Channels are We
Prevents users from clearing the preconfigured settings for Web pages to be downloaded for offline vie
Prevents users from saving a program or file that Microsoft Internet Explorer has downloaded to the ha
Prevents the Internet Explorer splash screen from appearing when users start the browser. If you ena
Specifies that programs using the Microsoft Software Distribution Channel will not notify users when th
Removes the Advanced tab from the interface in the Internet Options dialog box. If you enable this po
Removes the Advanced tab from the interface in the Internet Options dialog box. If you enable this po
Removes the Connections tab from the interface in the Internet Options dialog box. If you enable this
Removes the Connections tab from the interface in the Internet Options dialog box. If you enable this
If you enable this policy setting, users are prevented from seeing and changing ratings, certificates, A
If you enable this policy setting, users are prevented from seeing and changing ratings, certificates, A
Removes the General tab from the interface in the Internet Options dialog box. If you enable this poli
Removes the General tab from the interface in the Internet Options dialog box. If you enable this poli
Removes the Privacy tab from the interface in the Internet Options dialog box. If you enable this polic
Removes the Privacy tab from the interface in the Internet Options dialog box. If you enable this polic
Removes the Programs tab from the interface in the Internet Options dialog box. If you enable this po
Removes the Programs tab from the interface in the Internet Options dialog box. If you enable this po
Prevents users from restoring default settings for home and search pages. If you enable this policy, th
Removes the Security tab from the interface in the Internet Options dialog box. If you enable this poli
Removes the Security tab from the interface in the Internet Options dialog box. If you enable this poli
Specifies that error messages will be displayed to users if problems occur with proxy scripts. If you en
This policy setting allows you to manage whether users can display nonsecure items and manage whe
This policy setting allows you to manage where tabs are displayed. If you enable this policy setting, ta
This policy setting allows you to manage where tabs are displayed. If you enable this policy setting, ta
This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protecte
This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protecte
This policy setting prevents the user from using the Reset Internet Explorer Settings feature. Reset Int
This policy setting prevents the user from using the Reset Internet Explorer Settings feature. Reset Int
This policy setting allows you to manage whether users have the ability to allow or deny add-ons thro
This policy setting allows you to manage whether users have the ability to allow or deny add-ons thro
This policy setting allows you to hide the reveal password button when Internet Explorer prompts user
This policy setting allows you to hide the reveal password button when Internet Explorer prompts user
This policy setting allows you to manage whether users are prompted to select a certificate when no c
This policy setting allows you to manage whether Internet Explorer will save encrypted pages that con
This policy setting allows you to manage whether Internet Explorer will save encrypted pages that con
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX c
This policy setting allows you to manage whether users may download signed ActiveX controls from a
This policy setting allows you to manage whether users may download unsigned ActiveX controls from
This policy setting allows you to manage whether Internet Explorer deletes the contents of the Tempo
This policy setting allows you to manage whether Internet Explorer deletes the contents of the Tempo
This policy setting allows you to set options for dragging content from one domain to a different doma
This policy setting allows you to manage MIME sniffing for file promotion from one type to another bas
This policy setting allows you to enforce full-screen mode, which disables the navigation bar, the men
This policy setting allows you to enforce full-screen mode, which disables the navigation bar, the men
This policy setting allows you to establish the threshold for InPrivate Filtering Automatic mode. The th
This policy setting allows you to establish the threshold for InPrivate Filtering Automatic mode. The th
This policy setting allows you to establish the threshold for Tracking Protection Automatic mode. The
This policy setting allows you to establish the threshold for Tracking Protection Automatic mode. The
Prevents users from closing Microsoft Internet Explorer and File Explorer. If you enable this policy, the
Prevents users from opening a new browser window from the File menu. If this policy is enabled, user
Prevents users from opening a file or Web page from the File menu in Internet Explorer. If you enable
Prevents users from saving the complete contents that are displayed on or run from a Web page, inclu
Prevents users from saving Web pages from the browser File menu to their hard disk or to a network s
Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the
This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar. If
This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar. If
Prevents users from displaying tips for users who are switching from Netscape. If you enable this polic
Prevents users from sending feedback to Microsoft by clicking the Send Feedback command on the He
Prevents users from viewing or changing the Tip of the Day interface in Microsoft Internet Explorer. If
Prevents users from running the Internet Explorer Tour from the Help menu in Internet Explorer. If you
Prevents users from adding, removing, editing or viewing the list of Favorite links. The Favorites list is
This policy setting allows you to show or hide the Command bar. If you enable this policy setting, the
This policy setting allows you to show or hide the Command bar. If you enable this policy setting, the
This policy setting allows you to show or hide the status bar. If you enable this policy setting, the stat
This policy setting allows you to show or hide the status bar. If you enable this policy setting, the stat
Prevents users from configuring unique identities by using Identity Manager. Identity Manager enable
This policy setting controls whether or not local path information is sent when the user is uploading a
This policy controls the website compatibility lists that Microsoft provides. The updated website lists a
This policy controls the website compatibility lists that Microsoft provides. The updated website lists a
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy
This policy setting allows you to manage whether Internet Explorer 9 can install ActiveX controls and o
This policy setting allows you to manage whether Internet Explorer 9 can install ActiveX controls and o
This policy setting configures Internet Explorer to automatically install new versions of Internet Explor
File Explorer and Internet Explorer may be configured to prevent active content obtained through rest
File Explorer and Internet Explorer may be configured to prevent active content obtained through rest
This policy setting allows you to manage whether the Notification bar is displayed for Internet Explore
This policy setting allows you to manage whether the Notification bar is displayed for Internet Explore
This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer proces
This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer proces
This policy setting enables blocking of file download prompts that are not user initiated. If you enable
This policy setting enables blocking of file download prompts that are not user initiated. If you enable
For each zone, the Network Protocol Lockdown security restriction may be configured to prevent activ
This template policy setting allows you to configure policy settings in this zone consistent with a selec
This policy setting controls whether local sites which are not explicitly mapped into any Security Zone
This policy setting controls whether local sites which are not explicitly mapped into any Security Zone
This policy setting controls whether URLs representing UNCs are mapped into the local Intranet securi
This policy setting controls whether URLs representing UNCs are mapped into the local Intranet securi
This policy setting controls whether sites which bypass the proxy server are mapped into the local Intr
This policy setting controls whether sites which bypass the proxy server are mapped into the local Intr
Designates a set of Microsoft Network (MSN) Investor controls as administrator-approved. These contr
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting
This policy setting allows you to manage whether applications may be run and files may be download
This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compa
This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compa
This policy setting allows you to control which Domains are included in the discovery functionality of t
This policy setting allows you to control which Domains are included in the discovery functionality of t
This policy setting allows you to control which site zones are included in the discovery functionality of
This policy setting allows you to control which site zones are included in the discovery functionality of
This policy setting allows you to lock or unlock the toolbars on the user interface. If you enable this po
This policy setting allows you to lock or unlock the toolbars on the user interface. If you enable this po
This policy setting allows you to lock the Stop and Refresh buttons next to the Back and Forward butto
This policy setting allows you to lock the Stop and Refresh buttons next to the Back and Forward butto
This policy setting allows you to manage settings for logon options. If you enable this policy setting, y
Applies proxy settings to all users of the same computer. If you enable this policy, users cannot set us
Designates a set of Microsoft ActiveX controls used to manipulate pop-up menus in the browser as adm
Designates the Microsoft Agent ActiveX control as administrator-approved. Microsoft Agent is a set of
Designates the Microsoft Chat ActiveX control as administrator-approved. This control is used by Web
Designates Microsoft Scriptlet Component as an administrator approved control. It is an Active X contr
Designates Microsoft Survey Control as an administrator approved control. If you enable this policy, th
Designates a set of MSNBC controls as administrator-approved. These controls enable enhanced brow
This policy setting allows you to manage the opening of windows and frames and access of application
Designates NetShow File Transfer Control as an administrator approved control. If you enable this poli
This policy setting allows you to choose whether users will be notified if Internet Explorer is not the de
This policy setting configures Internet Explorer to open Internet Explorer tiles on the desktop. If you e
This policy setting configures Internet Explorer to open Internet Explorer tiles on the desktop. If you e
This policy setting allows you to manage whether Internet Explorer will display animated pictures foun
This policy setting allows you to manage whether Internet Explorer will display animated pictures foun
This policy setting allows you to manage whether Internet Explorer will play sounds found in web cont
This policy setting allows you to manage whether Internet Explorer will play sounds found in web cont
This policy setting allows you to manage whether Internet Explorer will display videos found in Web co
This policy setting allows you to manage whether Internet Explorer will display videos found in Web co
This policy setting allows you to specify a list of web sites that will be allowed to open pop-up window
This policy setting allows you to specify a list of web sites that will be allowed to open pop-up window
This policy setting positions the menu bar above the navigation bar. The navigation bar contains icons
This policy setting prevents the user from using the "Fix settings" functionality related to Security Sett
This policy setting prevents the user from using the "Fix settings" functionality related to Security Sett
This policy setting prevents the user from performing actions which will delete browsing history. For m
This policy setting prevents the user from performing actions which will delete browsing history. For m
This policy setting prevents the user from using Internet Explorer as a feed reader. This policy setting
This policy setting prevents the user from using Internet Explorer as a feed reader. This policy setting
This policy setting prevents the user from accessing Help in Internet Explorer. If you enable this policy
This policy setting prevents the user from accessing Help in Internet Explorer. If you enable this policy
This policy setting prevents users from having Internet Explorer automatically discover whether a feed
This policy setting prevents users from having Internet Explorer automatically discover whether a feed
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartS
This policy setting prevents the user from changing the level of pop-up filtering. The available levels a
This policy setting prevents the user from changing the level of pop-up filtering. The available levels a
This policy setting specifies if a user can change proxy settings. If you enable this policy setting, the u
This policy setting specifies if a user can change proxy settings. If you enable this policy setting, the u
This policy setting prevents the user from changing the default search provider for the Address bar an
This policy setting prevents the user from changing the default search provider for the Address bar an
This policy setting prevents the user from changing the default URL for checking updates to Internet E
This policy setting prevents the user from choosing the default text size in Internet Explorer. If you en
This policy setting allows you to configure how windows open in Internet Explorer when the user clicks
This policy setting allows you to configure how windows open in Internet Explorer when the user clicks
This policy setting allows you to configure how new tabs are created by default in Internet Explorer. If
This policy setting allows you to configure how new tabs are created by default in Internet Explorer. If
This policy setting specifies whether the user can conduct a search on the Address bar. If you enable
This policy setting specifies whether the user can conduct a search on the Address bar. If you enable
This policy setting allows you to specify whether a user can browse to the website of a top result when
This policy setting allows you to specify whether a user can browse to the website of a top result when
In Internet Explorer 9 and Internet Explorer 10: This policy setting prevents users from deleting Active
In Internet Explorer 9 and Internet Explorer 10: This policy setting prevents users from deleting Active
This policy setting prevents the user from deleting cookies. This feature is available in the Delete Brow
This policy setting prevents the user from deleting cookies. This feature is available in the Delete Brow
This policy setting prevents the user from deleting his or her download history. This feature is availabl
This policy setting prevents the user from deleting his or her download history. This feature is availabl
This policy setting prevents the user from deleting favorites site data. This feature is available in the D
This policy setting prevents the user from deleting favorites site data. This feature is available in the D
This policy setting prevents the user from deleting form data. This feature is available in the Delete Br
This policy setting prevents the user from deleting form data. This feature is available in the Delete Br
This policy setting prevents the user from deleting InPrivate Filtering data. Internet Explorer collects In
This policy setting prevents the user from deleting InPrivate Filtering data. Internet Explorer collects In
This policy setting prevents users from deleting passwords. This feature is available in the Delete Brow
This policy setting prevents users from deleting passwords. This feature is available in the Delete Brow
This policy setting prevents the user from deleting temporary Internet files. This feature is available in
This policy setting prevents the user from deleting temporary Internet files. This feature is available in
This policy setting prevents the user from deleting the history of websites that he or she has visited. T
This policy setting prevents the user from deleting the history of websites that he or she has visited. T
This policy setting prevents the user from having enclosures (file attachments) downloaded from a fee
This policy setting prevents the user from having enclosures (file attachments) downloaded from a fee
This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL
This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL
This policy setting prevents the Search box from appearing in Internet Explorer. When the Search box
This policy setting prevents the Search box from appearing in Internet Explorer. When the Search box
You can allow pop-ups from specific websites by adding the sites to the exception list. If you enable th
You can allow pop-ups from specific websites by adding the sites to the exception list. If you enable th
This policy setting prevents the user from managing SmartScreen Filter, which warns the user if the w
This policy setting prevents the user from managing SmartScreen Filter, which warns the user if the w
This policy setting prevents the user from managing a filter that warns the user if the website being v
This policy setting prevents the user from managing a filter that warns the user if the website being v
This policy setting prevents the user from participating in the Customer Experience Improvement Prog
This policy setting prevents the user from participating in the Customer Experience Improvement Prog
This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. If you
This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. If you
This policy setting prevents Internet Explorer from running the First Run wizard the first time a user st
This policy setting prevents Internet Explorer from running the First Run wizard the first time a user st
This policy setting prevents the user from specifying the background color in Internet Explorer. If you
This policy setting prevents the user from specifying a URL that contains update information about cip
This policy setting prevents the user from specifying the text color in Internet Explorer. If you enable t
This policy setting prevents the user from specifying the code download path for each computer. The I
This policy setting prevents the user from specifying the color of webpage links that he or she has alre
This policy setting prevents the user from specifying the color of webpage links that he or she has not
This policy setting prevents the user from specifying the color to which hyperlinks change when the m
This policy setting prevents the user from specifying the update check interval. The default value is 30
This policy setting prevents the user from subscribing to or deleting a feed or a Web Slice. If you enab
This policy setting prevents the user from subscribing to or deleting a feed or a Web Slice. If you enab
This policy setting allows you to choose whether or not toolbars and Browser Helper Objects (BHOs) a
This policy setting allows you to choose whether or not toolbars and Browser Helper Objects (BHOs) a
This policy setting is used to manage temporary Internet files and cookies associated with your Intern
This policy setting is used to manage temporary Internet files and cookies associated with your Intern
This policy setting prevents the user from using Windows colors as a part of the display settings. If yo
This policy setting allows you to manage whether the listed processes respect add-on management us
This policy setting allows you to manage whether the listed processes respect add-on management us
This policy setting allows you to manage whether the Notification bar is displayed for specific processe
This policy setting allows you to manage whether the Notification bar is displayed for specific processe
This policy setting allows you to stop users from seeing the "Run this time" button and from running s
This policy setting allows you to stop users from seeing the "Run this time" button and from running s
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you
This policy setting restricts the list of Accelerators that the user can access to only the set deployed th
This policy setting restricts the list of Accelerators that the user can access to only the set deployed th
This policy setting allows you to restrict the search providers that appear in the Search box in Internet
This policy setting allows you to restrict the search providers that appear in the Search box in Internet
This policy setting allows you to manage whether .NET Framework components that are not signed wi
This policy setting allows you to manage whether .NET Framework components that are signed with A
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages fr
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can inte
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If yo
Disables using the F3 key to search in Internet Explorer and File Explorer. If you enable this policy, the
Makes the Customize button in the Search Assistant appear dimmed. The Search Assistant is a tool th
Prevents users from adding or removing sites from security zones. A security zone is a group of Web s
Prevents users from changing security zone settings. A security zone is a group of Web sites with the s
Applies security zone information to all users of the same computer. A security zone is a group of Web
This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in M
This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in M
This policy setting allows you to manage whether Internet Explorer converts Unicode domain names t
This policy setting allows you to manage whether Internet Explorer converts Unicode domain names t
This policy setting sets file storage limits for application caches of websites that have been allowed to
This policy setting sets file storage limits for application caches of websites that have been allowed to
This policy setting sets the number of days an inactive application cache will exist before it is removed
This policy setting sets the number of days an inactive application cache will exist before it is removed
This policy setting sets data storage limits for indexed database and application caches for individual
This policy setting sets data storage limits for indexed database and application caches for individual
This policy setting allows you to choose how links are opened in Internet Explorer: Let Internet Explore
This policy setting allows you to choose how links are opened in Internet Explorer: Let Internet Explore
This policy setting sets data storage limits for indexed databases of websites that have been allowed
This policy setting sets data storage limits for indexed databases of websites that have been allowed
This policy setting sets the maximum size for an individual resource file contained in a manifest file. T
This policy setting sets the maximum size for an individual resource file contained in a manifest file. T
This policy setting sets the maximum number of resource entries that can be specified in a manifest fi
This policy setting sets the maximum number of resource entries that can be specified in a manifest fi
This policy setting sets the file storage limit for all combined application caches for a user. When you s
This policy setting sets the file storage limit for all combined application caches for a user. When you s
This policy setting sets the data storage limit for all combined indexed databases for a user. When you
This policy setting sets the data storage limit for all combined indexed databases for a user. When you
This policy setting allows you to set the rate at which Internet Explorer creates new tab processes. The
This policy setting allows you to set the rate at which Internet Explorer creates new tab processes. The
This policy setting allows you to change the default limit of WebSocket connections per server. The de
This policy setting allows you to change the default limit of WebSocket connections per server. The de
Designates Shockwave flash as an administrator approved control. If you enable this policy, this contr
This policy setting shows the Content Advisor setting on the Content tab of the Internet Options dialog
This policy setting shows the Content Advisor setting on the Content tab of the Internet Options dialog
This policy setting controls whether or not the "Open File - Security Warning" message appears when
This policy setting allows you to manage a list of sites that you want to associate with a particular sec
This policy setting allows you to manage a list of sites that you want to associate with a particular sec
This policy setting allows you to manage software channel permissions. If you enable this policy settin
This policy setting allows you to specify what is displayed when the user opens a new tab. If you enab
This policy setting allows you to specify what is displayed when the user opens a new tab. If you enab
This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy se
This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy se
This policy setting configures what Internet Explorer displays when a new browsing session is started.
This policy setting configures what Internet Explorer displays when a new browsing session is started.
This policy setting determines whether the Internet Connection Wizard was completed. If the Internet
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be su
Restricts the amount of information downloaded for offline viewing. If you enable this policy, you can
Prevents users from opening the Internet Options dialog box from the Tools menu in Microsoft Internet
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when t
This policy setting allows you to manage whether users can pin sites to locations where pinning is allo
This policy setting allows you to manage whether users can pin sites to locations where pinning is allo
This policy setting allows you to manage whether users can access Accelerators. If you enable this po
This policy setting allows you to manage whether users can access Accelerators. If you enable this po
This policy setting allows you to turn off the ActiveX Opt-In prompt. ActiveX Opt-In prevents websites f
This policy setting allows you to turn off the ActiveX Opt-In prompt. ActiveX Opt-In prevents websites f
This policy setting prevents Internet Explorer from displaying a notification when the average time to
This policy setting prevents Internet Explorer from displaying a notification when the average time to
This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Inte
This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Inte
This policy setting turns off Automatic Crash Recovery. If you enable this policy setting, Automatic Cra
This policy setting turns off Automatic Crash Recovery. If you enable this policy setting, Automatic Cra
This setting determines whether IE automatically downloads updated versions of Microsofts VersionLi
This policy setting specifies that you want Internet Explorer to automatically resize large images so th
This policy setting controls whether to have background synchronization for feeds and Web Slices. If y
This policy setting controls whether to have background synchronization for feeds and Web Slices. If y
This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Ou
This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Ou
This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking
This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking
This policy setting allows you to disable browser geolocation support. This will prevent websites from
This policy setting allows you to disable browser geolocation support. This will prevent websites from
This policy setting prevents the text on the screen from being rendered through the ClearType technol
This policy setting prevents the text on the screen from being rendered through the ClearType technol
This policy setting allows you to turn off the collection of data used by the InPrivate Filtering Automati
This policy setting allows you to turn off the collection of data used by the InPrivate Filtering Automati
This policy setting controls the Compatibility View feature, which allows the user to fix website display
This policy setting controls the Compatibility View feature, which allows the user to fix website display
This policy setting controls the Compatibility View button that appears on the Command bar. This butt
This policy setting controls the Compatibility View button that appears on the Command bar. This butt
This policy setting allows you to define the user experience related to how pop-up windows appear in
This policy setting allows you to define the user experience related to how pop-up windows appear in
This policy setting specifies how you want links on webpages to be underlined. If you enable this polic
This policy setting allows you to manage the crash detection feature of add-on Management. If you e
This policy setting allows you to manage the crash detection feature of add-on Management. If you e
This policy setting allows you to manage whether documents can request data across third-party dom
This policy setting allows you to manage whether documents can request data across third-party dom
This policy setting allows you to turn off the Data Execution Prevention feature for Internet Explorer on
This policy setting allows you to turn on or turn off Data URI support. A Data URI allows web developer
This policy setting allows you to turn on or turn off Data URI support. A Data URI allows web developer
This policy setting specifies whether, when there is a problem connecting with an Internet server, to p
This policy setting allows you to manage whether the user can access Developer Tools in Internet Exp
This policy setting allows you to manage whether the user can access Developer Tools in Internet Exp
This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.
This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.
This policy setting allows you to manage whether a user has access to the Favorites bar in Internet Ex
This policy setting allows you to manage whether a user has access to the Favorites bar in Internet Ex
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When th
This policy setting specifies whether graphical images are included when pages are displayed. Somet
This policy setting let you turn off Inline AutoComplete in File Explorer. Inline AutoComplete provides s
This policy setting allows you to turn off the InPrivate Browsing feature. InPrivate Browsing prevents I
This policy setting allows you to turn off the InPrivate Browsing feature. InPrivate Browsing prevents I
This policy setting allows you to turn off InPrivate Filtering. InPrivate Filtering helps users control whet
This policy setting allows you to turn off InPrivate Filtering. InPrivate Filtering helps users control whet
This policy setting determines whether Internet Explorer preemptively loads websites and content in t
This policy setting determines whether Internet Explorer preemptively loads websites and content in t
This policy setting allows the user to enable the SmartScreen Filter, which warns the user if the websit
This policy setting allows the user to enable the SmartScreen Filter, which warns the user if the websit
This policy setting specifies if, as you move from one Web page to another, Internet Explorer fades ou
This policy setting prevents the user from zooming in to or out of a page to better see the content. If
This policy setting prevents the user from zooming in to or out of a page to better see the content. If
This policy setting determines whether phone numbers are recognized and turned into hyperlinks, wh
This policy setting determines whether phone numbers are recognized and turned into hyperlinks, wh
This policy setting allows you to manage pop-up management functionality in Internet Explorer. If you
This policy setting allows you to manage pop-up management functionality in Internet Explorer. If you
This policy setting allows you to manage whether users can access the Print menu. Starting with Wind
This policy setting allows you to manage whether users can access the Print menu. Starting with Wind
This policy setting specifies whether you will accept requests from Web sites for Profile Assistant inform
This policy setting specifies whether you will accept requests from Web sites for Profile Assistant inform
This policy setting allows you to turn off the Quick Tabs functionality in Internet Explorer. If you enable
This policy setting allows you to turn off the Quick Tabs functionality in Internet Explorer. If you enable
This policy setting allows you to manage whether a user has access to the Reopen Last Browsing Sess
This policy setting allows you to manage whether a user has access to the Reopen Last Browsing Sess
This policy setting specifies whether to use 8-bit Unicode Transformation Format (UTF-8), a standard th
This policy setting determines whether Internet Explorer uses 8-bit Unicode Transformation Format (UT
This policy setting determines whether Internet Explorer uses 8-bit Unicode Transformation Format (UT
This policy setting prevents the shortcut menu from appearing when a user right-clicks a webpage wh
This policy setting specifies whether you want Internet Explorer to smooth images so that they appear
This policy setting specifies whether smooth scrolling is used to display content at a predefined speed
This policy setting allows you to turn off suggestions for all user-installed search providers. If you ena
This policy setting allows you to turn off suggestions for all user-installed search providers. If you ena
This policy setting allows you to manage whether the user has access to Tab Grouping in Internet Expl
This policy setting allows you to turn off tabbed browsing and related entry points from the Internet Ex
This policy setting allows you to turn off tabbed browsing and related entry points from the Internet Ex
This policy setting allows you to manage whether users can launch the report site problems dialog usi
This policy setting allows you to manage whether users can launch the report site problems dialog usi
This AutoComplete feature suggests possible matches when users are entering Web addresses in the
This AutoComplete feature suggests possible matches when users are entering Web addresses in the
This policy setting determines whether a user can swipe across a screen or click Forward to go to the
This policy setting determines whether a user can swipe across a screen or click Forward to go to the
This policy setting allows you to prevent the quick pick menu from appearing when a user clicks in the
This policy setting allows you to prevent the quick pick menu from appearing when a user clicks in the
This policy setting turns off the Security Settings Check feature, which checks Internet Explorer securi
This policy setting turns off the Security Settings Check feature, which checks Internet Explorer securi
The WebSocket object allows websites to request data across domains from your browser by using the
The WebSocket object allows websites to request data across domains from your browser by using the
This policy setting allows you to choose whether websites can request data across domains by using t
This policy setting allows you to choose whether websites can request data across domains by using t
This policy setting allows you to turn off the toolbar upgrade tool. The toolbar upgrade tool determine
This policy setting allows you to turn off the toolbar upgrade tool. The toolbar upgrade tool determine
This policy setting allows you to turn off Tracking Protection. Tracking Protection helps users control w
This policy setting allows you to turn off Tracking Protection. Tracking Protection helps users control w
This policy setting turns off URL Suggestions. URL Suggestions allow users to autocomplete URLs in th
This policy setting turns off URL Suggestions. URL Suggestions allow users to autocomplete URLs in th
This policy setting allows you to prevent Windows Search AutoComplete from providing results in the I
This policy setting allows you to prevent Windows Search AutoComplete from providing results in the I
This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security
This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security
This policy setting determines whether Internet Explorer saves log information for ActiveX controls. If
This policy setting determines whether Internet Explorer saves log information for ActiveX controls. If
This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls.
This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls.
This policy setting enables intranet mapping rules to be applied automatically if the computer belongs
This policy setting enables intranet mapping rules to be applied automatically if the computer belongs
This policy setting allows Internet Explorer to be started automatically to complete the signup process
This policy setting allows users to have their feeds authenticated through the Basic authentication sch
This policy setting allows users to have their feeds authenticated through the Basic authentication sch
This policy setting allows you to turn Caret Browsing on or off. Caret Browsing allows users to browse t
This policy setting allows you to turn Caret Browsing on or off. Caret Browsing allows users to browse t
This policy setting allows you to turn on the certificate address mismatch security warning. When this
This policy setting allows you to turn on the certificate address mismatch security warning. When this
This policy setting logs information that is blocked by new features in Internet Explorer. The logged co
This policy setting logs information that is blocked by new features in Internet Explorer. The logged co
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-si
Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit pr
Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit pr
This policy setting allows you to turn on inline AutoComplete in Internet Explorer and File Explorer. The
This policy setting allows you to turn on Internet Explorer 7 Standards Mode. Compatibility View deter
This policy setting allows you to turn on Internet Explorer 7 Standards Mode. Compatibility View deter
This policy setting controls how Internet Explorer displays local intranet content. Intranet content is de
This policy setting controls how Internet Explorer displays local intranet content. Intranet content is de
This policy setting allows you to turn on or turn off the earlier menus (for example, File, Edit, and View
This policy setting allows you to turn on or turn off the earlier menus (for example, File, Edit, and View
This policy setting causes a Notification bar notification to appear when intranet content is loaded and
This policy setting causes a Notification bar notification to appear when intranet content is loaded and
This policy setting specifies whether Internet Explorer prints background colors and images when the
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explor
This policy setting allows you to turn on your script debugger, if one is installed. Website developers u
This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site dis
This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site dis
This policy setting allows you to manage the XML output functionality of the Internet Explorer Site disc
This policy setting allows you to manage the XML output functionality of the Internet Explorer Site disc
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
This policy setting controls the Suggested Sites feature, which recommends websites based on the us
This policy setting controls the Suggested Sites feature, which recommends websites based on the us
This AutoComplete feature can remember and suggest User names and passwords on Forms. If you e
This policy setting specifies whether to display script errors when a page does not appear properly be
This policy setting makes hyperlinks change color when the mouse pointer pauses on them. If you en
Specifies that Automatic Detection will be used to configure dial-up settings for users. Automatic Dete
This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1. If you enable this p
This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1. If you enable this p
This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1 through proxy conn
This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1 through proxy conn
This policy setting allows you increase the size of icons for command buttons. If you enable this polic
This policy setting allows you increase the size of icons for command buttons. If you enable this polic
This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compati
This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compati
Compatibility View determines how Internet Explorer identifies itself to a web server and determines w
Compatibility View determines how Internet Explorer identifies itself to a web server and determines w
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows
This policy setting lets you specify where to find the list of websites you want opened using Enterprise
This policy setting lets you specify where to find the list of websites you want opened using Enterprise
This policy setting allows you to manage whether Internet Explorer uses 8-bit Unicode Transformation
This policy setting allows you to manage whether Internet Explorer uses 8-bit Unicode Transformation
This policy setting allows you to manage the preservation of information in the browser's history, in fa
Prevents users from displaying the browser in full-screen (kiosk) mode, without the standard toolbar.
Prevents users from viewing the HTML source of Web pages by clicking the Source command on the V
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restric
This policy setting allows you to manage whether Web sites from less privileged zones, such as Intern
Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting
Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting
If enabled then new targets may not be manually configured by entering the target name and target p
If enabled then only those sessions that are established via a persistent login will be established and n
If enabled then do not allow the initiator CHAP secret to be changed. If disabled then the initiator CHA
If enabled then do not allow the initiator iqn name to be changed. If disabled then the initiator iqn nam
If enabled then only those connections that are configured for IPSec may be established. If disabled th
If enabled then discovered targets may not be manually configured. If disabled then discovered target
If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS s
If enabled then new target portals may not be added and thus new targets discovered on those portal
If enabled then only those sessions that are configured for mutual CHAP may be established. If disable
If enabled then only those sessions that are configured for one-way CHAP may be established. If disab
This policy setting allows you to configure a domain controller to support claims and compound authe
Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If
This policy setting controls whether the domain controller provides information about previous logons
This policy setting allows you to configure a domain controller to request compound authentication. N
This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches w
This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event
This policy setting controls whether a device always sends a compound authentication request when t
This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to
This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerbero
This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC p
This policy setting controls whether a computer requires that Kerberos message exchanges be armore
This policy setting controls whether a device will request claims and compound authentication for Dyn
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart ca
This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contai
This policy setting allows you to set the value returned to applications which request the maximum siz
This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based o
This policy setting controls configuring the device's Active Directory account for compound authentica
Support for device authentication using certificate will require connectivity to a DC in the device accou
This policy setting defines the list of trusting forests that the Kerberos client searches when attemptin
This policy setting determines the cipher suites used by the SMB server. If you enable this policy setti
This policy setting specifies whether a hash generation service generates hashes, also called content
This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1
This policy setting determines how the SMB server selects a cipher suite when negotiating a new conn
This policy setting determines the cipher suites used by the SMB client. If you enable this policy settin
This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. If y
This policy setting determines the behavior of SMB handle caching for clients connecting to an SMB sh
This policy setting determines the behavior of Offline Files on clients connecting to an SMB share whe
This policy setting determines whether Diagnostic Policy Service (DPS) diagnoses memory leak proble
This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO
This policy setting changes the operational behavior of the Responder network protocol driver. The Re
This policy setting turns off the Windows Location Provider feature for this computer. If you enable thi
This policy is not available in this version of Windows.
This policy setting ignores Windows Logon Background. This policy setting may be used to make Wind
This policy setting determines whether Group Policy processing is synchronous (that is, whether comp
This policy prevents the user from showing account details (email address or user name) on the sign-i
This policy setting directs the system to display highly detailed status messages. This policy setting is
This policy setting allows you to control whether anyone can interact with available networks UI on the
This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each tim
This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each tim
This policy setting prevents connected users from being enumerated on domain-joined computers. If
This policy setting ignores the customized run list. You can create a customized list of additional prog
This policy setting ignores the customized run list. You can create a customized list of additional prog
This policy setting ignores customized run-once lists. You can create a customized list of additional pr
This policy setting ignores customized run-once lists. You can create a customized list of additional pr
This policy setting allows local users to be enumerated on domain-joined computers. If you enable th
This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and th
This policy setting suppresses system status messages. If you enable this setting, the system does no
This policy setting specifies additional programs or documents that Windows starts automatically whe
This policy setting specifies additional programs or documents that Windows starts automatically whe
This policy setting allows you to control whether users see the first sign-in animation when signing in
This policy setting allows you to prevent app notifications from appearing on the lock screen. If you e
This policy is not available in this version of Windows.
This policy setting specifies whether Mobile Device Management (MDM) Enrollment is allowed. When M
This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge. If yo
This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge. If yo
This setting lets you decide whether employees can load extensions in Microsoft Edge. If you enable o
This setting lets you decide whether employees can load extensions in Microsoft Edge. If you enable o
This policy setting lets you decide whether employees can browse using InPrivate website browsing. I
This policy setting lets you decide whether employees can browse using InPrivate website browsing. I
This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default,
This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default,
This policy setting lets you decide whether employees can use Autofill to automatically fill in form field
This policy setting lets you decide whether employees can use Autofill to automatically fill in form field
This setting lets you configure how to work with cookies. If you enable this setting, you must also dec
This setting lets you configure how to work with cookies. If you enable this setting, you must also dec
This policy setting lets you decide whether employees can send Do Not Track requests to websites tha
This policy setting lets you decide whether employees can send Do Not Track requests to websites tha
This policy setting lets you configure the default list of Favorites that appear for your employees. Emp
This policy setting lets you configure the default list of Favorites that appear for your employees. Emp
This policy setting lets you configure one or more Home pages. for domain-joined devices. Your emplo
This policy setting lets you configure one or more Home pages. for domain-joined devices. Your emplo
This policy setting lets you decide whether employees can save their passwords locally, using Passwo
This policy setting lets you decide whether employees can save their passwords locally, using Passwo
This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is tur
This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is tur
This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft
This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft
This policy setting lets you configure whether to turn on SmartScreen Filter. SmartScreen Filter provide
This policy setting lets you configure whether to turn on SmartScreen Filter. SmartScreen Filter provide
This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site Lis
This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site Lis
This policy settings lets you decide whether employees can access the about:flags page, which is used
This policy settings lets you decide whether employees can access the about:flags page, which is used
This policy setting lets you decide whether employees can override the SmartScreen Filter warnings a
This policy setting lets you decide whether an employee's LocalHost IP address shows while making ca
This policy setting lets you decide whether an employee's LocalHost IP address shows while making ca
This policy setting lets you decide whether your intranet sites should all open using Internet Explorer
This policy setting lets you decide whether your intranet sites should all open using Internet Explorer
This policy setting lets you decide whether employees see an additional page in Microsoft Edge, statin
This policy setting lets you decide whether employees see an additional page in Microsoft Edge, statin
Permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disa
Prevents users from entering author mode. This setting prevents users from opening the Microsoft Ma
Lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. -- I
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the sn
Permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and C
This policy setting turns off Windows Mobility Center. If you enable this policy setting, the user is unab
This policy setting turns off Windows Mobility Center. If you enable this policy setting, the user is unab
This policy setting turns off Windows presentation settings. If you enable this policy setting, Windows
This policy setting turns off Windows presentation settings. If you enable this policy setting, Windows
This policy setting allows you to configure Automatic Maintenance activation boundary. The maintena
This policy setting allows you to configure Automatic Maintenance activation random delay. The main
This policy setting allows you to configure Automatic Maintenance wake up policy. The maintenance w
This policy setting determines the execution level for Microsoft Support Diagnostic Tool. Microsoft Sup
This policy setting restricts the tool download policy for Microsoft Support Diagnostic Tool. Microsoft S
This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication wit
This policy setting permits users to change installation options that typically are available only to syst
This policy setting allows users to search for installation files during privileged installations. If you ena
This policy setting allows users to patch elevated products. If you enable this policy setting, all users
This policy setting allows users to install programs from removable media during privileged installatio
This policy setting directs Windows Installer to use elevated permissions when it installs any program
This policy setting directs Windows Installer to use elevated permissions when it installs any program
This policy controls the percentage of disk space available to the Windows Installer baseline file cache
This policy setting causes the Windows Installer to enforce strict rules for component upgrades. If you
This policy setting controls the ability to prevent embedded UI. If you enable this policy setting, no pa
This policy setting allows Web-based programs to install software on the computer without notifying th
This policy setting prevents users from installing any programs from removable media. If you enable
This policy setting prevents users from using Windows Installer to install patches. If you enable this p
This policy setting controls the ability to turn off all patch optimizations. If you enable this policy setti
This policy setting controls the ability of non-administrators to install updates that have been digitally
This policy setting controls the ability for users or administrators to remove Windows Installer based u
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse
This policy setting controls Windows Installer's interaction with the Restart Manager. The Restart Mana
This policy setting allows you to configure user installs. To configure this policy setting, set it to enable
This policy setting prevents users from searching for installation files when they add features or comp
This policy setting saves copies of transform files in a secure location on the local computer. Transform
This policy setting specifies the order in which Windows Installer searches for installation files. If you
Specifies the types of events that Windows Installer records in its transaction log for each installation.
This policy setting prevents Windows Installer from creating a System Restore checkpoint each time a
This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging
This policy setting controls the ability to turn off shared components. If you enable this policy setting,
This policy setting restricts the use of Windows Installer. If you enable this policy setting, you can pre
This policy setting allows you to configure the recovery behavior for corrupted MSI files to one of three
Specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is
Specifies commands configured by the administrator for custom logging. These commands will run in
Specifies whether NCA service runs in Passive Mode or not. Set this to Disabled to keep NCA probing
Specifies the string that appears for DirectAccess connectivity when the user clicks the Networking no
Specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that ena
Specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the u
Specifies the e-mail address to be used when sending the log files that are generated by NCA to the n
Specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking
This policy setting enables you to specify the expected address of the host name used for the DNS pr
This policy setting enables you to specify the host name of a computer known to be on the corporate
This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corpora
This policy setting enables you to specify the URL of the corporate website, against which an active pr
This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to d
This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements t
This policy setting controls whether the Net Logon service will allow the use of older cryptography alg
This policy setting defines whether a domain controller (DC) should attempt to verify the password pro
This policy setting allows you to control the processing of incoming mailslot messages by a local doma
This policy setting allows you to control the domain controller (DC) location algorithm. By default, the
This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator.
This policy setting detremines the type of IP address that is returned for a domain controller. The DC L
This policy setting controls whether or not the Netlogon share created by the Net Logon service on a d
This policy setting specifies the Priority field in the SRV resource records registered by domain controll
This policy setting determines the interval at which Netlogon performs the following scavenging opera
This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a do
This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are r
This policy setting specifies the Weight field in the SRV resource records registered by the domain con
This policy setting configures how a domain controller (DC) behaves when responding to a client whos
This policy setting determines which DC Locator DNS records are not registered by the Net Logon serv
This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resour
This policy setting specifies the additional time for the computer to wait for the domain controllers (D
This policy setting specifies the level of debug output for the Net Logon service. The Net Logon servic
This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %w
This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain
This policy setting determines when a successful DC cache entry is refreshed. This policy setting is ap
This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to wh
This policy setting specifies the Active Directory site to which computers belong. An Active Directory
This policy setting specifies the sites for which the domain controllers (DC) that host the application d
This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC
This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC
This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site l
This policy setting determines whether domain controllers (DC) will dynamically register DC Locator si
This policy setting specifies whether the computers to which this setting is applied attemps DNS name
This policy setting specifies whether the computers to which this setting is applied attempt DNS name
This policy setting determines when retries are no longer allowed for applications that perform period
This policy setting determines the amount of time (in seconds) to wait before the first retry for applica
This policy setting determines the maximum retry interval allowed when applications performing peri
This policy setting determines when a successful DC cache entry is refreshed. This policy setting is ap
This policy setting configures whether the computers to which this setting is applied are more aggress
Determines whether a user can view and change the properties of remote access connections that are
Determines whether users can delete all user remote access connections. To create an all-user remot
Determines whether users can enable/disable LAN connections. If you enable this setting, the Enable
Determines whether nonadministrators can rename all-user remote access connections. To create an
Determines whether nonadministrators can rename a LAN connection. If you enable this setting, the
Determines whether users can rename LAN or all user remote access connections. If you enable this
Specifies whether or not the "local access only" network icon will be shown. When enabled, the icon f
Determines whether settings that existed in Windows 2000 Server family will apply to Administrators.
Determines whether users can change the properties of a LAN connection. This setting determines w
Determines whether Administrators and Network Configuration Operators can change the properties o
Determines whether users can view and change the properties of components used by a private or all
Determines whether the Advanced Settings item on the Advanced menu in Network Connections is en
Determines whether users can use the New Connection Wizard, which creates new network connectio
Determines whether the Remote Acccess Preferences item on the Advanced menu in Network Connec
Determines whether administrators can add and remove network components for a LAN or remote acc
Determines whether users can view and change the properties of their private remote access connect
Determines whether users can connect and disconnect remote access connections. If you enable this
Determines whether users can delete remote access connections. If you enable this setting (and enab
Determines whether administrators can enable and disable the components used by LAN connections
Determines whether a user can install and configure the Network Bridge. Important: This settings is lo
Determines whether users can rename their private remote access connections. Private connections
Determines whether users can configure advanced TCP/IP settings. If you enable this setting (and ena
Prohibits use of Internet Connection Firewall on your DNS domain network. Determines whether users
Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) fe
Determines whether users can view the status for an active connection. Connection status is availabl
This policy setting determines whether to require domain users to elevate when setting a network's lo
This policy setting determines whether a remote client computer routes Internet traffic through the in
This policy setting allows you to manage whether notifications are shown to the user when a DHCP-co
This setting does not apply to desktop apps. A semicolon-separated list of Internet proxy server IP a
This setting does not apply to desktop apps. A semicolon-separated list of intranet proxy server IP a
This setting does not apply to desktop apps. A comma-separated list of IP address ranges that are in
This setting does not apply to desktop apps. Turns off Windows Network Isolation's automatic proxy
This setting does not apply to desktop apps. Turns off Windows Network Isolation's automatic discov
This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allo
Determines whether network files remain available if the computer is suddenly disconnected from the
Determines whether network files remain available if the computer is suddenly disconnected from the
This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy o
Deletes local copies of the user's offline files when the user logs off. This setting specifies that autom
This policy setting controls when background synchronization occurs while operating in slow-link mode
Configures the threshold value at which Offline Files considers a network connection to be "slow". Any
This policy setting controls the network latency and throughput thresholds that will cause a client com
Limits the percentage of the computer's disk space that can be used to store automatically cached offl
This policy setting enables administrators to block certain file types from being created in the folders
This policy setting determines whether offline files are synchronized in the background when it could r
This policy setting controls whether files read from file shares over a slow network are transparently c
This policy setting determines whether offline files are encrypted. Offline files are locally cached copie
Determines which events the Offline Files feature records in the event log. Offline Files records events
Determines which events the Offline Files feature records in the event log. Offline Files records events
Lists types of files that cannot be used offline. This setting lets you exclude certain types of files from
Determines how long the first reminder balloon for a network status change is displayed. Reminder b
Determines how long the first reminder balloon for a network status change is displayed. Reminder b
This policy setting limits the amount of disk space that can be used to store offline files. This includes
Determines how computers respond when they are disconnected from particular offline file servers. Th
Determines how computers respond when they are disconnected from particular offline file servers. Th
Disables the Offline Files folder. This setting disables the "View Files" button on the Offline Files tab. A
Disables the Offline Files folder. This setting disables the "View Files" button on the Offline Files tab. A
Prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting rem
Prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting rem
Determines how often reminder balloon updates appear. If you enable this setting, you can select how
Determines how often reminder balloon updates appear. If you enable this setting, you can select how
Determines how long updated reminder balloons are displayed. Reminder balloons appear when the u
Determines how long updated reminder balloons are displayed. Reminder balloons appear when the u
This policy setting prevents users from making network files and folders available offline. If you enabl
This policy setting prevents users from making network files and folders available offline. If you enabl
This policy setting allows you to manage a list of files and folders for which you want to block the "Ma
This policy setting allows you to manage a list of files and folders for which you want to block the "Ma
This policy setting removes the "Work offline" command from Explorer, preventing users from manual
This policy setting removes the "Work offline" command from Explorer, preventing users from manual
This policy setting lists network files and folders that are always available for offline use. This ensures
This policy setting lists network files and folders that are always available for offline use. This ensures
Makes subfolders available offline whenever their parent folder is made available offline. This setting
Determines whether offline files are fully synchronized when users log off. This setting also disables t
Determines whether offline files are fully synchronized when users log off. This setting also disables t
Determines whether offline files are fully synchronized when users log on. This setting also disables t
Determines whether offline files are fully synchronized when users log on. This setting also disables t
Determines whether offline files are synchonized before a computer is suspended. If you enable this s
Determines whether offline files are synchonized before a computer is suspended. If you enable this s
Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloon
Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloon
This policy setting allows you to turn on economical application of administratively assigned Offline Fil
By default, when a Peer Group is created that allows for password-authentication (or the password for
This policy setting limits a node to resolving, but not publishing, names in a specific Peer Name Resolu
This setting sets the seed server for the global cloud to a specified node in the enterprise. The Peer Na
This setting sets the seed server for the link local cloud to a specified node in the enterprise. The Pee
This setting sets the seed server for the site local cloud to a specified node in the enterprise. The Pee
This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety, and will cause all depe
This setting disables PNRP protocol from advertising the computer or from searching other computers
This policy setting enables or disables PNRP cloud creation. PNRP is a distributed name resolution pro
This setting specifies the period of time (in days) that a PIN can be used before the system requires th
This setting specifies the period of time (in days) that a PIN can be used before the system requires th
This setting specifies the number of past PINs that can be associated to a user account that cant be r
This setting specifies the number of past PINs that can be associated to a user account that cant be r
Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest
Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest
Minimum PIN length configures the minimum number of characters required for the PIN. The lowest n
Minimum PIN length configures the minimum number of characters required for the PIN. The lowest n
Use this policy setting to configure the use of digits in the Microsoft Passport for PIN. If you enable or
Use this policy setting to configure the use of digits in the Microsoft Passport for PIN. If you enable or
Use this policy setting to configure the use of lowercase letters in the Microsoft Passport for PIN. If you
Use this policy setting to configure the use of lowercase letters in the Microsoft Passport for PIN. If you
Use this policy setting to configure the use of special characters in the Microsoft Passport for PIN. Allo
Use this policy setting to configure the use of special characters in the Microsoft Passport for PIN. Allo
Use this policy setting to configure the use of uppercase letters in the Microsoft Passport for PIN. If yo
Use this policy setting to configure the use of uppercase letters in the Microsoft Passport for PIN. If yo
A Trusted Platform Module (TPM) provides additional security benefits over software because data stor
Microsoft Passport for Work enables users to use biometric gestures, such as face and fingerprints, as
Microsoft Passport for Work is an alternative method for signing into Windows using your Active Direct
Use this policy setting to configure use of Remote Passport. Remote Passport provides the ability for a
This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with appl
This policy setting is used only when you have deployed one or more BranchCache-enabled file server
This policy setting specifies whether BranchCache-capable client computers operate in a downgraded
This policy setting specifies whether client computers are configured to use hosted cache mode and p
This policy setting specifies whether client computers should attempt the automatic configuration of h
This policy setting specifies the default age in days for which segments are valid in the BranchCache d
This policy setting specifies whether BranchCache distributed cache mode is enabled on client compu
This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers
This policy setting specifies the default percentage of total disk space that is allocated for the BranchC
This policy setting specifies whether BranchCache is enabled on client computers to which this policy
Turns off Tablet PC Pen Training. If you enable this policy setting, users cannot open Tablet PC Pen Trai
Turns off Tablet PC Pen Training. If you enable this policy setting, users cannot open Tablet PC Pen Trai
Determines the execution level for Windows Boot Performance Diagnostics. If you enable this policy s
Determines the execution level for Windows Shutdown Performance Diagnostics. If you enable this po
Determines the execution level for Windows Standby/Resume Performance Diagnostics. If you enable
Determines the execution level for Windows System Responsiveness Diagnostics. If you enable this p
This policy setting specifies whether to enable or disable tracking of responsiveness events. If you en
This policy setting allows applications and services to prevent automatic sleep. If you enable this poli
This policy setting allows applications and services to prevent automatic sleep. If you enable this poli
This policy setting allows you to manage automatic sleep with open network files. If you enable this p
This policy setting allows you to manage automatic sleep with open network files. If you enable this p
This policy setting allows you to control network connectivity state on connected-standby capable sys
This policy setting allows you to control network connectivity state on connected-standby capable sys
This policy setting manages whether or not Windows is allowed to use standby states when putting th
This policy setting manages whether or not Windows is allowed to use standby states when putting th
This policy setting specifies the action that Windows takes when battery capacity reaches the critical b
This policy setting specifies the percentage of battery capacity remaining that triggers the critical bat
This policy setting allows you to configure whether power is automatically turned off when Windows sh
This policy setting allows you to specify battery charge level at which Energy Saver is turned on. If yo
This policy setting allows you to specify battery charge level at which Energy Saver is turned on. If yo
This policy setting specifies the action that Windows takes when battery capacity reaches the low batt
This policy setting specifies the percentage of battery capacity remaining that triggers the low battery
This policy setting allows you to configure client computers to lock and prompt for a password when re
This policy setting allows you to specify the period of inactivity before Windows automatically reduces
This policy setting allows you to specify the period of inactivity before Windows automatically reduces
This policy setting specifies whether or not the user is prompted for a password when the system resu
This policy setting specifies whether or not the user is prompted for a password when the system resu
This policy setting specifies the percentage of battery capacity remaining that triggers the reserve po
This policy setting specifies the active power plan from a list of default Windows power plans. To speci
This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC.
This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC.
This policy setting specifies the action that Windows takes when a user presses the power button. Pos
This policy setting specifies the action that Windows takes when a user presses the power button. Pos
This policy setting specifies the action that Windows takes when a user presses the sleep button. Pos
This policy setting specifies the action that Windows takes when a user presses the sleep button. Pos
This policy setting specifies the action that Windows takes when a user presses the Start menu Power
This policy setting specifies the action that Windows takes when a user presses the Start menu Power
This policy setting specifies the active power plan from a specified power plans GUID. The GUID for a
This policy setting allows you to specify the brightness of the display when Windows automatically red
This policy setting allows you to specify the brightness of the display when Windows automatically red
This policy setting allows you to specify the period of inactivity before Windows transitions the system
This policy setting allows you to specify the period of inactivity before Windows transitions to sleep au
This policy setting allows you to specify the period of inactivity before Windows transitions to sleep au
This policy setting allows you to manage how long a computer must be inactive before Windows turns
This policy setting allows you to manage how long a computer must be inactive before Windows turns
This policy setting allows you to turn off hybrid sleep. If you enable this policy setting, a hiberfile is no
This policy setting allows you to turn off hybrid sleep. If you enable this policy setting, a hiberfile is no
This policy setting turns off the user notification when the battery capacity remaining equals the low b
This policy setting allows you to specify the period of inactivity before Windows turns off the display. I
This policy setting allows you to specify the period of inactivity before Windows turns off the display. I
This policy setting specifies the period of inactivity before Windows turns off the hard disk. If you ena
This policy setting specifies the period of inactivity before Windows turns off the hard disk. If you ena
This policy setting allows you to specify if Windows should enable the desktop background slideshow.
This policy setting allows you to specify if Windows should enable the desktop background slideshow.
This policy setting allows you to turn on the ability for applications and services to prevent the system
This policy setting allows you to turn on the ability for applications and services to prevent the system
This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help
This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help
This policy setting allows you to turn on logging for Windows PowerShell modules. If you enable this p
This policy setting allows you to turn on logging for Windows PowerShell modules. If you enable this p
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/O
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/O
This policy setting lets you capture the input and output of Windows PowerShell commands into text-b
This policy setting lets you capture the input and output of Windows PowerShell commands into text-b
This policy setting lets you configure the script execution policy, controlling which scripts are allowed
This policy setting lets you configure the script execution policy, controlling which scripts are allowed
This policy setting lets you hide the list of previous versions of files that are on local disks. The previou
This policy setting lets you hide the list of previous versions of files that are on local disks. The previou
This policy setting lets you hide the list of previous versions of files that are on file shares. The previou
This policy setting lets you hide the list of previous versions of files that are on file shares. The previou
This policy setting lets you hide entries in the list of previous versions of a file in which the previous ve
This policy setting lets you hide entries in the list of previous versions of a file in which the previous ve
This policy setting lets you suppress the Restore button in the previous versions property page when t
This setting lets you suppress the Restore button in the previous versions property page when the use
This setting lets you suppress the Restore button in the previous versions property page when the use
Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and
If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add P
This policy sets the maximum number of printers (of each type) that the Add Printer wizard will displa
This policy controls whether the print job name will be included in print event logs. If you disable or d
Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use
When printing through a print server, determines whether the print spooler on the client will process p
Adds a link to an Internet or intranet Web page to the Add Printer Wizard. You can use this setting to d
Allows users to use the Add Printer Wizard to search the network for shared printers. If you enable thi
Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, W
If this policy setting is enabled, it specifies the default location criteria used when searching for printe
By default, the Printers folder includes a link to the Microsoft Support Web page called "Get help with
Specifies the Active Directory location where searches for printers begin. The Add Printer Wizard give
Determines whether printers using kernel-mode drivers may be installed on the local computer. Kerne
This policy determines if v4 printer drivers are allowed to run printer extensions. V4 printer drivers m
This policy setting determines whether the print spooler will execute print drivers in an isolated or sep
This policy setting allows you to manage where client computers search for Point and Printer drivers.
Determines if print driver components are isolated from applications instead of normally loading them
This policy restricts clients computers to use package point and print only. If this setting is enabled, u
This policy restricts clients computers to use package point and print only. If this setting is enabled, u
This policy setting determines whether the print spooler will override the Driver Isolation compatibility
Restricts package point and print to approved servers. This policy setting restricts package point and
Restricts package point and print to approved servers. This policy setting restricts package point and
This policy setting controls the client Point and Print behavior, including the security prompts for Wind
This policy setting controls the client Point and Print behavior, including the security prompts for Wind
Enables the physical Location Tracking setting for Windows printers. Use Location Tracking to design a
Prevents users from using familiar methods to add local and network printers. If this policy setting is
If this policy setting is enabled, it prevents users from deleting local and network printers. If a user tri
Announces the presence of shared printers to print browse master servers for the domain. On domain
This preference allows you to change default printer management. If you enable this setting, Window
This policy controls whether the print spooler will accept client connections. When the policy is uncon
Determines whether the computer's shared printers can be published in Active Directory. If you enabl
Determines whether the domain controller can prune (delete from Active Directory) the printers publis
Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in
Directs the system to periodically verify that the printers published by this computer still appear in Ac
Specifies how often the pruning service on a domain controller contacts computers to verify that their
Sets the priority of the pruning thread. The pruning thread, which runs only on domain controllers, de
Specifies how many times the pruning service on a domain controller repeats its attempt to contact a
Specifies whether or not to log events when the pruning service on a domain controller attempts to co
Determines whether the pruning service on a domain controller prunes printer objects that are not au
Prevents users from viewing or installing published programs from the network. This setting prevents
This setting prevents users from accessing "Installed Updates" page from the "View installed updates"
This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repa
This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As
This setting prevents users from accessing the "Turn Windows features on or off" task from the Progra
This setting prevents users from access the "Get new programs from Windows Marketplace" task from
This setting prevents users from using the Programs Control Panel in Category View and Programs and
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Be
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Be
Specifies an alternate link layer (Layer-2) priority value for packets with the Best Effort service type (S
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Co
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Co
Specifies an alternate link layer (Layer-2) priority value for packets with the Controlled Load service ty
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Gu
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Gu
Specifies an alternate link layer (Layer-2) priority value for packets with the Guaranteed service type (
Specifies the maximum number of outstanding packets permitted on the system. When the number o
Determines the percentage of connection bandwidth that the system can reserve. This value limits th
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Ne
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Ne
Specifies an alternate link layer (Layer-2) priority value for packets with the Network Control service ty
Specifies an alternate link layer (Layer-2) priority value for packets that do not conform to the flow spe
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qu
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qu
Specifies an alternate link layer (Layer-2) priority value for packets with the Qualitative service type (S
Determines the smallest unit of time that the Packet Scheduler uses when scheduling packets for tran
This policy setting allows the Windows Management Instrumentation (WMI) providers Win32_Reliabilit
Determines the execution level for Windows Resource Exhaustion Detection and Resolution. If you en
Requirements: Windows 7 Description: This policy setting controls whether users can access the optio
This policy setting defines when the Shutdown Event Tracker System State Data feature is activated.
The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an
This policy setting allows the system to detect the time of unexpected shutdowns by writing the curre
This policy setting controls whether or not unplanned shutdown events can be reported when error rep
This policy setting enables Remote Assistance invitations to be generated with improved encryption s
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this comp
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this comp
This policy setting lets you customize warning messages. The "Display warning message before shari
This policy setting allows you to improve performance in low bandwidth scenarios. This setting is incr
This policy setting allows you to turn logging on or off. Log files are located in the user's Documents fo
Configure access to all removable storage classes. This policy setting takes precedence over any indi
Configure access to all removable storage classes. This policy setting takes precedence over any indi
This policy setting grants normal users direct access to removable storage devices in remote sessions
This policy setting denies execute access to the CD and DVD removable storage class. If you enable t
This policy setting denies read access to the CD and DVD removable storage class. If you enable this
This policy setting denies read access to the CD and DVD removable storage class. If you enable this
This policy setting denies write access to the CD and DVD removable storage class. If you enable this
This policy setting denies write access to the CD and DVD removable storage class. If you enable this
This policy setting denies read access to custom removable storage classes. If you enable this policy
This policy setting denies read access to custom removable storage classes. If you enable this policy
This policy setting denies write access to custom removable storage classes. If you enable this policy
This policy setting denies write access to custom removable storage classes. If you enable this policy
This policy setting denies execute access to the Floppy Drives removable storage class, including USB
This policy setting denies read access to the Floppy Drives removable storage class, including USB Flo
This policy setting denies read access to the Floppy Drives removable storage class, including USB Flo
This policy setting denies write access to the Floppy Drives removable storage class, including USB Flo
This policy setting denies write access to the Floppy Drives removable storage class, including USB Flo
This policy setting denies execute access to removable disks. If you enable this policy setting, execut
This policy setting denies read access to removable disks. If you enable this policy setting, read acces
This policy setting denies read access to removable disks. If you enable this policy setting, read acces
This policy setting denies write access to removable disks. If you enable this policy setting, write acce
This policy setting denies write access to removable disks. If you enable this policy setting, write acce
This policy setting configures the amount of time (in seconds) that the operating system waits to rebo
This policy setting configures the amount of time (in seconds) that the operating system waits to rebo
This policy setting denies execute access to the Tape Drive removable storage class. If you enable thi
This policy setting denies read access to the Tape Drive removable storage class. If you enable this po
This policy setting denies read access to the Tape Drive removable storage class. If you enable this po
This policy setting denies write access to the Tape Drive removable storage class. If you enable this p
This policy setting denies write access to the Tape Drive removable storage class. If you enable this p
This policy setting denies read access to removable disks, which may include media players, cellular p
This policy setting denies read access to removable disks, which may include media players, cellular p
This policy setting denies write access to removable disks, which may include media players, cellular
This policy setting denies write access to removable disks, which may include media players, cellular
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when
This policy setting controls whether the RPC Runtime ignores delegation failures when delegation is re
This policy setting determines whether the RPC Runtime maintains RPC state information for the syste
This policy setting controls whether the RPC runtime generates extended error information when an e
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecti
This policy setting controls the idle connection timeout for RPC/HTTP connections. This policy setting
This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not co
This policy setting displays the instructions in logoff scripts as they run. Logoff scripts are batch files o
This policy setting displays the instructions in logon scripts as they run. Logon scripts are batch files o
This policy setting displays the instructions in shutdown scripts as they run. Shutdown scripts are bat
This policy setting displays the instructions in startup scripts as they run. Startup scripts are batch file
This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. Logo
This policy setting directs the system to wait for logon scripts to finish running before it starts the File
This policy setting directs the system to wait for logon scripts to finish running before it starts the File
This policy setting lets the system run startup scripts simultaneously. Startup scripts are batch files th
This policy setting determines whether Windows PowerShell scripts are run before non-Windows Powe
This policy setting determines how long the system waits for scripts applied by Group Policy to run. T
This policy setting determines whether scripted diagnostics will execute diagnostic packages that are
This policy setting allows users to access and run the troubleshooting tools that are available in the Tr
This policy setting allows users who are connected to the Internet to access and search troubleshootin
Determines whether scheduled diagnostics will run to proactively detect and resolve system problems
Enabling this policy allows you to add a primary intranet search location within Windows Desktop Sear
Enabling this policy allows you to add intranet search locations in addition to the primary intranet sea
This policy setting specifies whether Cortana is allowed on the device. If you enable or don't configu
This policy setting determines whether or not the user can interact with Cortana using speech while th
This policy setting allows encrypted items to be indexed. If you enable this policy setting, indexing wi
This policy setting specifies whether search and Cortana can provide location aware search and Cortan
This policy setting allows words that contain diacritic characters to be treated as separate words. If yo
This policy setting determines when Windows uses automatic language detection results, and when it
Enabling this policy defines a semicolon-delimited list of file extensions which will be allowed to have
Enabling this policy allows you to specify a list of paths to exclude from indexing by default. The user
Enabling this policy allows you to specify a list of paths to exclude from indexing by default. The user
Enabling this policy allows you to specify a list of paths to index by default. The user may override the
Enabling this policy allows you to specify a list of paths to index by default. The user may override the
If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed eve
This policy setting configures whether or not locations on removable drives can be added to libraries.
Enabling this policy removes the option of searching the Web from Windows Desktop Search. When th
This policy setting allows you to control whether or not Search can perform queries on the web, and if
This policy setting allows you to control whether or not Search can perform queries on the web over m
Enabling this policy allows indexing of items for online delegate mailboxes on a Microsoft Exchange se
Enabling this policy allows indexing of mail items on a Microsoft Exchange server when Microsoft Outlo
When using Microsoft Office Outlook in online mode, you can enable this policy to control how fast onl
Store indexer database in this directory. This directory must be located on a local fixed drive.
Enabling this policy prevents users from adding UNC locations to the index from the Search and Index
Enabling this policy prevents users from adding UNC locations to the index from the Search and Index
This policy setting allows you to enable or disable the Add/Remove location options on the All Location
This policy setting configures how Windows Search adds shared folders to the search index. If you ena
If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsi
If enabled, Search and Indexing Options in Control Panel does not allow opening the Modify Locations
If enabled, Search and Indexing Options in Control Panel does not allow opening the Modify Locations
If you enable this policy setting, you specify a list of paths to exclude from indexing. The user cannot e
If you enable this policy setting, you specify a list of paths to exclude from indexing. The user cannot e
Enable this policy setting to prevent the indexing of the content of e-mail attachments. If enabled, ind
If enabled, files on network shares made available offline are not indexed. Otherwise they are indexed
Enable this policy to prevent indexing of any Microsoft Outlook items. The default is to automatically i
Enabling this policy allows you to edit the list of file types to exclude from indexing. The end user cann
Enable this policy to prevent indexing public folders in Microsoft Office Outlook. When this policy is dis
If enabled, the indexer pauses whenever the computer is running on battery. If disabled, the indexing
This policy setting hides or displays the Advanced Options dialog for Search and Indexing Options in th
Enabling this policy prevents Windows Desktop Search from using iFilters and protocol handlers unless
Enabling this policy allows you to set the location of the preview pane in the Desktop Search results. Y
Enabling this policy allows you to specify whether you want large icon or small icon view for your Desk
This policy setting allows you to control the SafeSearch setting used when performing a query in Sear
This policy setting allows you to control what information is shared with Bing in Search. If you enable
Enabling this policy prevents indexing from continuing after less than the specified amount of hard dri
This policy setting prevents search queries from being stored in the registry. If you enable this policy s
This policy setting specifies whether Security Center is turned on or off for computers that are joined t
This policy setting turns off the location feature for this computer. If you enable this policy setting, the
This policy setting turns off the location feature for this computer. If you enable this policy setting, the
This policy setting turns off scripting for the location feature. If you enable this policy setting, scripts
This policy setting turns off scripting for the location feature. If you enable this policy setting, scripts
This policy setting turns off the sensor feature for this computer. If you enable this policy setting, the
This policy setting turns off the sensor feature for this computer. If you enable this policy setting, the
This policy setting allows you to set the refresh interval for Server Manager. Each refresh provides Ser
This policy setting allows you to turn off the automatic display of the Initial Configuration Tasks window
This policy setting allows you to turn off the automatic display of the Manage Your Server page. If you
This policy setting allows you to turn off the automatic display of Server Manager at logon. If you ena
This policy setting specifies the network locations that will be used for the repair of operating system
Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the
Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "ap
Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSy
Prevent the "browser" group from syncing to and from this PC. This turns off and disables the "browse
Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disab
Prevent syncing to and from this PC when on metered Internet connections. This turns off and disable
Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disab
Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "pass
Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "per
Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Star
Specifies an alternate location for Windows installation files. If you enable this policy setting, enter th
Specifies an alternate location for Windows Service Pack installation files. If you enable this policy set
Turns off data sharing from the handwriting recognition personalization tool. The handwriting recognit
Turns off data sharing from the handwriting recognition personalization tool. The handwriting recognit
This policy setting determines whether the user can publish DFS roots in Active Directory Domain Serv
This policy setting determines whether the user can publish shared folders in Active Directory Domain
This policy setting specifies whether users can add computers to a homegroup. By default, users can a
This policy setting specifies whether users can share files within their profile. By default users are allo
Prevents Windows from running the programs you specify in this policy setting. If you enable this poli
Disables the Windows registry editor Regedit.exe. If you enable this policy setting and the user tries t
This policy setting prevents users from running the interactive command prompt, Cmd.exe. This polic
Limits the Windows programs that users have permission to run on the computer. If you enable this p
This policy setting prevents the display of the Welcome Center at user logon. If you enable this policy
This policy setting allows you to restrict the installation of unsigned gadgets. Desktop gadgets can be
This policy setting allows you to restrict the installation of unsigned gadgets. Desktop gadgets can be
This policy setting allows you to turn off desktop gadgets. Gadgets are small applets that display infor
This policy setting allows you to turn off desktop gadgets. Gadgets are small applets that display infor
This policy setting allows you to turn off desktop gadgets that have been installed by the user. If you
This policy setting allows you to turn off desktop gadgets that have been installed by the user. If you
This policy setting allows configuration of OneDrive file sync behavior on metered connections.
This policy setting lets you prevent apps and features from working with files on OneDrive. If you ena
This policy setting lets you prevent apps and features from working with files on OneDrive for Window
This policy setting lets you disable OneDrive as the default save location. It does not prevent apps and
This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for l
This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a sm
This policy setting lets you determine whether the integrated unblock feature will be available in the l
This policy setting lets you allow signature key-based certificates to be enumerated and available for
This policy setting permits those certificates to be displayed for logon that are either expired or not ye
This policy setting lets you determine whether an optional field will be displayed during logon and ele
This policy setting allows you to manage the clean up behavior of root certificates. If you enable this
This policy setting allows you to manage the displayed message when a smart card is blocked. If you
This policy settings lets you configure if all your valid logon certificates are displayed. During the cert
This policy setting allows you to manage the reading of all certificates from the smart card for logon.
This policy setting allows you to control whether a confirmation message is displayed when a smart ca
This policy setting prevents plaintext PINs from being returned by Credential Manager. If you enable t
This policy setting lets you reverse the subject name from how it is stored in the certificate when disp
This policy setting allows you to manage the certificate propagation that occurs when a smart card is
This policy setting allows you to manage the root certificate propagation that occurs when a smart car
This policy setting allows you to control whether Smart Card Plug and Play is enabled. If you enable o
This policy setting configures a list of the communities defined to the Simple Network Management Pr
This policy setting determines the permitted list of hosts that can submit a query to the Simple Netwo
This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) age
Specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista th
Specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista th
This policy setting specifies the message that users see when they are denied access to a file or folde
This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all
This policy setting controls whether the Classification tab is displayed in the Properties dialog box in Fi
This policy setting controls which set of properties is available for classifying files on affected compute
Lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process. All D
This policy only applies to the classic version of the start menu and does not affect the new style start
If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the
If you enable this setting, the Run command is added to the Start menu. If you disable or do not confi
Set the default action of the power button on the Start menu. If you enable this setting, the Start Men
Clear history of recently opened documents on exit. If you enable this setting, the system deletes sho
If you enable this policy setting, the recent programs list in the start menu will be blank for each new
If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the T
This setting affects the taskbar. The taskbar includes the Start button, buttons for currently running ta
Prevents the operating system and installed programs from creating and displaying shortcuts to recen
If you enable this policy the start menu search box will not search for communications. If you disable
If you enable this policy setting the Start menu search box will not search for files. If you disable or do
If you enable this policy the start menu search box will not search for internet history or favorites. If y
If you enable this policy setting the Start menu search box will not search for programs or Control Pan
This policy setting prevents the system from conducting a comprehensive search of the target drive to
This policy setting prevents the system from using NTFS tracking features to resolve a shortcut. If you
This setting affects the presentation of the Start menu. The classic Start menu in Windows 2000 Profe
If you enable this policy and set it to Start menu or full screen Start, Start will be that size and users w
This policy setting allows users to go to the desktop instead of the Start screen when they sign in. If y
Displays Start menu shortcuts to partially installed programs in gray text. This setting makes it easier
This setting affects the notification area (previously called the "system tray") on the taskbar. Descript
This policy setting allows desktop apps to be listed first in the Apps view in Start. If you enable this po
This setting affects the taskbar, which is used to switch between running applications. The taskbar in
This policy setting allows pinning apps to Start by default, when they are included by AppID on the list
This policy setting allows pinning apps to Start by default, when they are included by AppID on the list
This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. If you enable th
This setting affects the taskbar buttons used to switch between running programs. Taskbar grouping c
This policy setting allows you to prevent users from changing their Start screen layout. If you enable
If you enable this setting, users cannot uninstall apps from Start. If you disable this setting or do not c
This policy setting allows you to remove access to the context menus for the taskbar. If you enable th
This policy setting allows you to remove the All Programs list from the Start menu. If you enable this p
This policy setting prevents users from performing the following commands from the Start menu or W
Hides pop-up text on the Start menu and in the notification area. When you hold the cursor over an it
Prevents the clock in the system notification area from being displayed. If you enable this setting, the
Removes items in the All Users profile from the Programs menu on the Start menu. By default, the Pro
This policy setting allows you to remove the Default Programs link from the Start menu. If you enable
This policy setting allows you to remove the Documents icon from the Start menu and its submenus.
This policy setting allows you to remove the Downloads link from the Start Menu. If you enable this po
Prevents users from adding the Favorites menu to the Start menu or classic Start menu. If you enable
If you enable this setting, the frequently used programs list is removed from the Start menu. If you di
If you enable this policy the start menu will not show a link to the Games folder. If you disable or do n
This policy setting allows you to remove the Help command from the Start menu. If you enable this p
If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homeg
This policy setting allows you to remove links and access to Windows Update. If you enable this policy
This policy setting allows you to removes the "Log Off <username>" item from the Start menu and pr
This policy setting allows you to remove the Music icon from Start Menu. If you enable this policy sett
This policy setting allows you to remove Network Connections from the Start Menu. If you enable this
This policy setting allows you to remove the Network icon from Start Menu. If you enable this policy s
This policy setting allows you to remove the Pictures icon from Start Menu. If you enable this policy se
If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin
This policy setting allows you to remove programs on Settings menu. If you enable this policy setting
Removes the Recent Items menu from the Start menu. Removes the Documents menu from the class
This policy setting allows you to remove the Recorded TV link from the Start Menu. If you enable this
Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. If
If you enable this policy, the "See all results" link will not be shown when the user performs a search i
This policy setting allows you to remove the Search link from the Start menu, and disables some File E
If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the u
If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC
If you enable this policy the start menu will not show a link to the user's storage folder. If you disable
This policy setting allows you to remove the user name label from the Start Menu in Windows XP and
Hides all folders on the user-specific (top) section of the Start menu. Other items appear, but folders a
This policy setting allows you to remove the Videos link from the Start Menu. If you enable this policy
This policy setting prevents the user from searching apps, files, settings (and the web if enabled) whe
This policy setting shows or hides the "Run as different user" command on the Start application bar. I
This policy setting controls whether the QuickLaunch bar is displayed in the Taskbar. If you enable thi
This policy setting allows the Start screen to appear on the display the user is using when they press t
This policy setting allows the Apps view to be opened by default when the user goes to Start. If you e
Specifies the Start layout for users. This setting lets you specify the Start layout for users and preven
Specifies the Start layout for users. This setting lets you specify the Start layout for users and preven
This setting affects the notification area, also called the "system tray." The notification area is located
Disables personalized menus. Windows personalizes long menus by moving recently used items to th
This policy setting allows you to turn off user tracking. If you enable this policy setting, the system do
Allows you to disable System Restore configuration through System Protection. This policy setting allo
Allows you to disable System Restore. This policy setting allows you to turn off System Restore. Syste
Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Wi
Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Wi
Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications whe
Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed tex
Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed tex
Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. Tablet PC Input Panel is
Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. Tablet PC Input Panel is
Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications wh
Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications wh
Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Pa
Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Pa
Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-sha
Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-sha
Prevents start of InkBall game. If you enable this policy, the InkBall game will not run. If you disable t
Prevents start of InkBall game. If you enable this policy, the InkBall game will not run. If you disable t
Prevents printing to Journal Note Writer. If you enable this policy, the Journal Note Writer printer drive
Prevents printing to Journal Note Writer. If you enable this policy, the Journal Note Writer printer drive
Prevents the snipping tool from running. If you enable this policy setting, the Snipping Tool will not ru
Prevents the snipping tool from running. If you enable this policy setting, the Snipping Tool will not ru
Prevents start of Windows Journal. If you enable this policy, the Windows Journal accessory will not ru
Prevents start of Windows Journal. If you enable this policy, the Windows Journal accessory will not ru
Removes the Back->ESC mapping that normally occurs when menus are visible, and for applications t
Removes the Back->ESC mapping that normally occurs when menus are visible, and for applications t
Makes pen flicks and all related features unavailable. If you enable this policy, pen flicks and all relate
Makes pen flicks and all related features unavailable. If you enable this policy, pen flicks and all relate
Makes pen flicks learning mode unavailable. If you enable this policy, pen flicks are still available but
Makes pen flicks learning mode unavailable. If you enable this policy, pen flicks are still available but
Prevents the user from launching an application from a Tablet PC hardware button. If you enable this
Prevents the user from launching an application from a Tablet PC hardware button. If you enable this
Prevents press and hold actions on hardware buttons, so that only one action is available per button.
Prevents press and hold actions on hardware buttons, so that only one action is available per button.
Turns off Tablet PC hardware buttons. If you enable this policy, no actions will occur when the buttons
Turns off Tablet PC hardware buttons. If you enable this policy, no actions will occur when the buttons
Disables visual pen action feedback, except for press and hold feedback. If you enable this policy, all
Disables visual pen action feedback, except for press and hold feedback. If you enable this policy, all
This policy disables the functionality that converts balloons to toast notifications. If you enable this po
This policy setting allows you to control pinning items in Jump Lists. If you enable this policy setting, u
This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy sett
This policy setting allows you to control pinning the Store app to the Taskbar. If you enable this policy
This policy setting allows you to prevent taskbars from being displayed on more than one monitor. If y
This policy setting allows you to control displaying or tracking items in Jump Lists from remote location
This policy setting allows you to lock all taskbar settings. If you enable this policy setting, the user ca
This policy setting allows you to prevent users from adding or removing toolbars. If you enable this po
This policy setting allows you to prevent users from moving taskbar to another screen dock location.
This policy setting allows you to prevent users from rearranging toolbars. If you enable this policy set
This policy setting allows you to prevent users from resizing the taskbar. If you enable this policy sett
This policy setting removes Notifications and Action Center from the notification area on the taskbar.
This policy setting allows you to remove pinned programs from the taskbar. If you enable this policy s
This policy setting allows you to remove the battery meter from the system control area. If you enabl
This policy setting allows you to remove the networking icon from the system control area. If you ena
This policy setting allows you to remove Security and Maintenance from the system control area. If yo
This policy setting allows you to remove the volume control icon from the system control area. If you
This policy setting allows users to see Windows Store apps on the taskbar. If you enable this policy s
This policy setting allows you to turn off all notification balloons. If you enable this policy setting, no n
This policy setting allows you to turn off automatic promotion of notification icons to the taskbar. If yo
This policy setting allows you to turn off feature advertisement balloon notifications. If you enable thi
This policy setting allows you to turn off taskbar thumbnails. If you enable this policy setting, the task
This setting removes the "Open advanced properties for this task when I click Finish" checkbox from th
This setting removes the "Open advanced properties for this task when I click Finish" checkbox from th
Prevents users from viewing and changing the properties of an existing task. This setting removes the
Prevents users from viewing and changing the properties of an existing task. This setting removes the
Prevents users from starting and stopping tasks manually. This setting removes the Run and End Task
Prevents users from starting and stopping tasks manually. This setting removes the Run and End Task
Limits newly scheduled to items on the user's Start menu, and prevents the user from changing the sc
Limits newly scheduled to items on the user's Start menu, and prevents the user from changing the sc
Prevents users from adding or removing tasks by moving or copying programs in the Scheduled Tasks
Prevents users from adding or removing tasks by moving or copying programs in the Scheduled Tasks
Prevents users from creating new tasks. This setting removes the Add Scheduled Task item that starts
Prevents users from creating new tasks. This setting removes the Add Scheduled Task item that starts
Prevents users from deleting tasks from the Scheduled Tasks folder. This setting removes the Delete c
Prevents users from deleting tasks from the Scheduled Tasks folder. This setting removes the Delete c
This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a de
This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 rela
This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic
This policy setting allows you to configure IP Stateless Autoconfiguration Limits. If you enable or do n
This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS proto
This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for
This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an
This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you l
This policy setting allows you to set Teredo to be ready to communicate, a process referred to as quali
This policy setting allows you to configure the Teredo refresh rate. Note: On a periodic basis (by defau
This policy setting allows you to specify the name of the Teredo server. This server name will be used
This policy setting allows you to configure Teredo, an address assignment and automatic tunneling tec
This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an
This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rd
This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rd
This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files fro
This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files fro
This policy setting allows you to specify whether users can redirect the remote computer's audio and v
This policy setting allows you to specify whether users can record audio to the remote computer in a R
This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from
This policy setting determines whether the client computer redirects its time zone settings to the Rem
This policy setting allows you to configure remote access to computers by using Remote Desktop Serv
This policy setting specifies whether Remote Desktop Services always prompts the client for a passwo
This policy setting determines whether the desktop is always displayed after a client connects to a rem
Specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions
This policy setting allows you to specify which Remote Desktop Protocol (RDP) compression algorithm
This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connec
This policy setting allows you to specify the visual quality for remote users when connecting to this co
This policy setting allows you to enter a keep-alive interval to ensure that the session state on the RD
This policy setting allows you to specify the name of a farm to join in RD Connection Broker. RD Conne
This policy setting allows you to specify the RD Connection Broker server that the RD Session Host ser
This policy setting allows you to control the availability of RemoteFX on both a Remote Desktop Virtua
This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop
This policy setting allows you to specify whether the client will establish a connection to the RD Sessio
This policy setting determines whether an administrator attempting to connect remotely to the consol
This policy setting allows you to specify whether to prevent the mapping of client printers in Remote D
This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirectio
This policy setting specifies whether to prevent the redirection of data to client COM ports from the re
This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Serv
This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration i
This policy setting specifies whether to disable the administrator rights to customize security permissi
This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Rem
Controls whether a user can save passwords using Remote Desktop Connection. If you enable this se
Controls whether passwords can be saved on this computer from Remote Desktop Connection. If you
This policy setting allows you to control the redirection of smart card devices in a Remote Desktop Ser
This policy setting lets you control the redirection of supported Plug and Play and RemoteFX USB devic
This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary
This policy setting allows you to specify whether the client default printer is automatically set as the d
This policy setting allows you to prevent Remote Desktop Services from creating session-specific temp
If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remot
This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remo
This policy setting specifies whether to end a Remote Desktop Services session that has timed out ins
This policy setting specifies whether to end a Remote Desktop Services session that has timed out ins
Specifies whether desktop wallpaper is displayed to remote clients connecting via Remote Desktop Se
This policy setting determines whether notifications are displayed on an RD Session Host server when
This policy setting allows you to specify whether the RD Session Host server should join a farm in RD C
This policy setting allows you to specify the RD Session Host servers to which a Remote Desktop licen
This policy setting allows you to limit the audio playback quality for a Remote Desktop Services sessio
This policy setting allows you to specify the maximum color resolution (color depth) for Remote Deskt
This policy setting allows you to specify the maximum display resolution that can be used by each mo
Specifies whether Remote Desktop Services limits the number of simultaneous connections to the ser
This policy setting allows you to limit the number of monitors that a user can use to display a Remote
This policy setting allows you to limit the size of the entire roaming user profile cache on the local driv
This policy setting allows you to specify the visual experience that remote users receive in Remote De
This policy setting allows you to specify the visual experience that remote users will have in Remote D
This policy setting allows you to specify which version of Remote Desktop Services client access licens
This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. Wh
This policy setting determines whether a user will be prompted on the client computer to provide cred
This policy setting allows you to remove the "Disconnect" option from the Shut Down Windows dialog
Specifies whether to remove the Windows Security item from the Settings menu on Remote Desktop c
Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all
This policy setting specifies whether to require the use of a specific security layer to secure communic
This policy setting allows you to specify whether to require user authentication for remote connections
This policy setting allows you to restrict users to a single Remote Desktop Services session. If you ena
This policy setting allows you to specify how the Remote Desktop Protocol will try to detect the networ
This policy setting allows you to specify which protocols can be used for Remote Desktop Protocol (RD
This policy setting allows you to specify the name of the certificate template that determines which ce
Specifies whether to require the use of a specific encryption level to secure communications between
This policy setting allows you to specify the network path that Remote Desktop Services uses for roam
Specifies the authentication method that clients must use when attempting to connect to an RD Sessi
Specifies the address of the RD Gateway server that clients must use when attempting to connect to a
Specifies whether Remote Desktop Services uses the specified network share or local directory path a
If you enable this policy setting, administrators can interact with a user's Remote Desktop Services se
If you enable this policy setting, administrators can interact with a user's Remote Desktop Services se
This policy setting allows you to specify the type of Remote Desktop Services client access license (RD
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop
This policy setting allows you to specify the maximum amount of time that a Remote Desktop Service
This policy setting allows you to specify the maximum amount of time that a Remote Desktop Service
This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sess
This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sess
This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The
This policy setting allows you to specify the RD Session Host server fallback printer driver behavior. B
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprin
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprin
Configures Remote Desktop Services to run a specified program automatically upon connection. You c
Configures Remote Desktop Services to run a specified program automatically upon connection. You c
This policy setting allows you to specify whether the app registration is completed before showing the
This policy setting specifies whether the UDP protocol will be used to access servers via Remote Desk
This policy setting allows you to enable RemoteApp programs to use advanced graphics, including sup
This policy setting allows you to specify the redirection method to use when a client device reconnect
This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile fo
This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used
This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used
This policy setting enables system administrators to change the graphics rendering for all Remote Des
This policy setting allows you to specify the order in which an RD Session Host server attempts to loca
This policy setting allows you to specify whether desktop composition is allowed for remote desktop s
This policy setting allows you to specify whether remote users can start any program on the RD Sessio
This policy setting allows you to specify whether the client computer redirects its time zone settings to
This policy setting allows you to specify whether the desktop is always displayed after a client connec
This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirectio
This policy setting allows you to specify whether font smoothing is allowed for remote connections. Fo
This policy setting specifies whether a session uses the IP address of the Remote Desktop Session Hos
This policy setting allows you to specify whether the default client printer is the only printer redirected
This policy setting allows you to specify whether the default client printer is the only printer redirected
This policy setting allows you to specify whether desktop wallpaper is displayed to clients when they a
This policy setting specifies the IP address and network mask that corresponds to the network adapter
This policy setting allows you to specify how long a user's RemoteApp session will remain in a disconn
This policy setting allows you to specify how long a user's RemoteApp session will remain in a disconn
Fair Share CPU Scheduling dynamically distributes processor time across all Remote Desktop Services
This policy setting specifies whether Windows Installer RDS Compatibility runs on a per user basis for
This policy setting specifies whether Remote Desktop IP Virtualization is turned on. By default, Remot
This policy setting allows you to specify whether to use the RD Connection Broker load balancing featu
Turns off the caching of thumbnails in hidden thumbs.db files. This policy setting allows you to configu
This policy setting allows you to configure how File Explorer displays thumbnail images or icons on net
This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the
Turn off Tablet PC touch input Turns off touch input, which allows the user to interact with their compu
Turn off Tablet PC touch input Turns off touch input, which allows the user to interact with their compu
Turn off Panning Turns off touch panning, which allows users pan inside windows by touch. On a comp
Turn off Panning Turns off touch panning, which allows users pan inside windows by touch. On a comp
This policy setting configures how much of the TPM owner authorization information is stored in the re
This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) comm
This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platfo
This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform
This policy setting allows you to manage the maximum number of authorization failures for each stan
This policy setting allows you to manage the duration in minutes for counting standard user authoriza
This policy setting allows you to manage the maximum number of authorization failures for all standa
This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft
This policy setting configures the synchronization of user settings of Calculator. By default, the user s
This policy setting configures the synchronization of user settings of Calculator. By default, the user s
This policy setting configures the backup of certain user settings which are common between the Micr
This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync
This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync
This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center.
This policy setting specifies the URL for the Contact IT link in the Company Settings Center. If you ena
This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settin
This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. Reboo
This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft E
This policy setting configures the synchronization of user settings for the Finance app. By default, the
This policy setting configures the synchronization of user settings for the Finance app. By default, the
This policy setting enables a notification in the system tray that appears when the User Experience Vi
This policy setting configures the synchronization of user settings for the Games app. By default, the
This policy setting configures the synchronization of user settings for the Games app. By default, the
This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsof
This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsof
This policy setting configures the synchronization of user settings of Internet Explorer 10. By default,
This policy setting configures the synchronization of user settings for Internet Explorer 8. By default, t
This policy setting configures the synchronization of user settings which are common between the ver
This policy setting configures the synchronization of user settings which are common between the ver
This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Ly
This policy setting configures the synchronization of user settings for the Maps app. By default, the us
This policy setting configures the synchronization of user settings for the Maps app. By default, the us
This policy setting configures the synchronization of user settings for Microsoft Access 2010. By defau
This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default
This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By defa
This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default,
This policy setting configures the synchronization of user settings which are common between the Mic
This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Cen
This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013
This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013.
This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 201
This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 201
This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013.
This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 20
This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 201
This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint
This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013
This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 20
This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint D
This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint D
This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013.
This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013.
This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By
This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By def
This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By defa
This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By d
This policy setting configures the synchronization of user settings for Microsoft Project 2010. By defau
This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By def
This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 20
This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace
This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace
This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default
This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default
This policy setting configures the synchronization of user settings for the Music app. By default, the u
This policy setting configures the synchronization of user settings for the Music app. By default, the u
This policy setting configures the synchronization of user settings for the News app. By default, the u
This policy setting configures the synchronization of user settings for the News app. By default, the u
This policy setting configures the synchronization of user settings of Notepad. By default, the user se
This policy setting configures the synchronization of user settings of Notepad. By default, the user se
This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microso
This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsof
This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to p
This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to p
This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Micro
This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft
This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microso
This policy setting configures the synchronization of user settings for the Reader app. By default, the
This policy setting configures the synchronization of user settings for the Reader app. By default, the
This policy setting allows you to configure the UE-V Agent to write a warning event to the event log wh
This policy setting allows you to configure the UE-V Agent to write a warning event to the event log wh
This policy setting configures where the settings package files that contain user settings are stored. If
This policy setting configures where the settings package files that contain user settings are stored. If
This policy setting configures where custom settings location templates are stored and if the catalog w
This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 20
This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 20
This policy setting configures the synchronization of user settings for the Sports app. By default, the u
This policy setting configures the synchronization of user settings for the Sports app. By default, the u
This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE
This policy setting configures the number of milliseconds that the computer waits when retrieving use
This policy setting configures the number of milliseconds that the computer waits when retrieving use
This policy setting configures the synchronization of Windows settings between computers. Certain W
This policy setting configures the synchronization of Windows settings between computers. Certain W
This policy setting configures the synchronization of user settings for the Travel app. By default, the u
This policy setting configures the synchronization of user settings for the Travel app. By default, the u
This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon app
This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies t
This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies t
This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback info
This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback info
This policy setting configures the synchronization of user settings for the Video app. By default, the u
This policy setting configures the synchronization of user settings for the Video app. By default, the u
This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Vi
This policy setting configures the synchronization of user settings for the Weather app. By default, the
This policy setting configures the synchronization of user settings for the Weather app. By default, the
This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft W
This policy setting configures the synchronization of user settings of WordPad. By default, the user se
This policy setting configures the synchronization of user settings of WordPad. By default, the user se
This policy setting adds the Administrator security group to the roaming user profile share. Once an a
This policy setting restores the definitions of the %HOMESHARE% and %HOMEPATH% environment va
This policy setting defines a slow connection for roaming user profiles and establishes thresholds for t
This policy setting determines whether Windows keeps a copy of a user's roaming profile on the local
This policy setting allows an administrator to automatically delete user profiles on system restart that
This policy setting disables the detection of slow network connections. Slow link detection measures t
This policy setting disables the more secure default setting for the user's roaming user profile folder.
This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if th
This policy setting will automatically log off a user when Windows cannot load their profile. If Window
This policy setting controls on a per-computer basis whether roaming profiles are downloaded on a us
This policy setting controls how long Windows waits for a user response before it uses a default user p
This policy setting lets you exclude folders that are normally included in the user's profile. As a result,
This policy setting determines whether the system retains a roaming user's Windows Installer and Gro
This policy setting sets the maximum size of each user profile and determines the system's response
This policy setting determines how many times the system tries to unload and update the registry por
This setting determines if roaming user profiles are available on a particular computer. By default, whe
This policy setting determines if the changes a user makes to their roaming profile are merged with th
This policy setting provides users with the ability to download their roaming profile, even when a slow
This policy setting controls how long Windows waits for a response from the network before logging on
This policy setting specifies whether Windows should use the specified network path as the roaming u
This policy setting sets the schedule for background uploading of a roaming user profile's registry file
This policy setting allows you to specify the location and root (file share or local path) of a user's home
This policy setting allows you to specify which network directories will be synchronized only at logon a
This policy setting turns off the advertising ID, preventing apps from using the ID for experiences acro
This setting prevents users from managing the ability to allow apps to access the user name, account
This policy setting directs the system to wait for the remote copy of the roaming user profile to load, e
This policy setting configures whether or not fixed data drives formatted with the FAT file system can b
This policy setting configures whether or not removable data drives formatted with the FAT file system
This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLock
This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wire
This policy setting allows you to configure whether Secure Boot will be allowed as the platform integri
This policy setting allows you to specify the default path that is displayed when the BitLocker Drive En
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive E
This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the
This policy setting allows you to control how BitLocker-protected operating system drives are recovere
This policy setting allows you to control how BitLocker-protected removable data drives are recovered
This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard can displ
This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) star
This policy setting lets you configure the entire recovery message or replace the existing URL that are
This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security
This policy setting allows you to manage BitLockers use of hardware-based encryption on fixed data d
This policy setting allows you to manage BitLockers use of hardware-based encryption on operating s
This policy setting allows you to manage BitLockers use of hardware-based encryption on removable
This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data d
This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operatin
This policy setting specifies whether a password is required to unlock BitLocker-protected removable d
This policy setting allows you to specify whether smart cards can be used to authenticate user access
This policy setting allows you to specify whether smart cards can be used to authenticate user access
This policy setting controls the use of BitLocker on removable data drives. This policy setting is applie
This policy setting determines whether BitLocker protection is required for fixed data drives to be writa
This policy setting configures whether BitLocker protection is required for a computer to be able to wri
This policy setting allows you to configure whether or not standard users are allowed to change BitLoc
This policy setting allows users to turn on authentication options that require user input from the pre-b
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. Thi
This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. Th
This policy setting allows you to associate unique organizational identifiers to a new drive that is enab
This policy setting allows you to configure whether BitLocker requires additional authentication each t
This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard will be ab
This policy setting allows you to control whether or not platform validation data is refreshed when Win
This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of BitL
This policy setting allows you to choose specific Boot Configuration Data (BCD) settings to verify durin
This policy setting allows you to associate an object identifier from a smart card certificate to a BitLoc
This policy setting specifies a set of parameters for controlling the Windows NTP Client. If you enable
This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP C
This policy setting allows you to specify whether the Windows NTP Server is enabled. If you enable th
This policy setting allows you to specify Clock discipline and General values for the Windows Time serv
This policy setting specifies that power management is disabled when the machine enters connected
This policy setting prevents computers from establishing multiple simultaneous connections to either
This policy setting prevents computers from connecting to both a domain based network and a non-do
This policy setting prevents clients from connecting to Mobile Broadband networks when the client is r
This policy setting determines the execution level for Diagnostic Policy Service (DPS) scenarios. If you
This policy setting determines the data retention limit for Diagnostic Policy Service (DPS) scenario dat
Windows Calendar is a feature that allows users to manage appointments and tasks by creating perso
Windows Calendar is a feature that allows users to manage appointments and tasks by creating perso
By default, Add features to Windows 10 is available for all administrators. If you enable this policy set
By default, Add features to Windows 10 is available for all administrators. If you enable this policy set
This policy setting allows you to manage whether backups of only system volumes is allowed or both O
This policy setting allows you to manage whether backups of a machine can run to locally attached st
This policy setting allows you to manage whether backups of a machine can run to a network share or
This policy setting allows you to manage whether backups of a machine can run to an optical media o
This policy setting allows you to manage whether run-once backups of a machine can be run or not. I
This policy setting affects the ability of users to install or uninstall color profiles. If you enable this pol
This policy setting affects the ability of users to install or uninstall color profiles. If you enable this pol
This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). Th
This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy
This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy
This policy setting allows you to configure whether or not the antimalware service remains running wh
This policy setting controls the load priority for the antimalware service. Increasing the load priority w
This policy setting allows you to enable download of definition updates from Microsoft Update even if
This policy setting allows you to configure definition updates when the computer is running on battery
This policy setting allows you to configure the antimalware service to receive notifications to disable in
This policy setting allows you to enable real-time definition updates in response to reports sent to Mic
This policy setting allows you to manage whether or not end users can pause a scan in progress. If yo
This policy setting allows you to manage whether a check for new virus and spyware definitions will oc
This policy setting allows you to manage whether a check for new virus and spyware definitions will oc
This policy setting controls whether or not complex list settings configured by a local administrator are
This policy setting configures a local override for the configuration of maximum percentage of CPU uti
This policy setting configures a local override for the configuration of monitoring for file and program a
This policy setting configures a local override for the configuration of monitoring for incoming and out
This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting
This policy setting configures a local override for the configuration of scanning for all downloaded files
This policy setting configures a local override for the configuration of scheduled scan day. This setting
This policy setting configures a local override for the configuration of scheduled quick scan time. This
This policy setting configures a local override for the configuration of scheduled scan time. This settin
This policy setting configures a local override for the configuration of the number of days items should
This policy setting configures a local override for the configuration of the scan type to use during a sc
This policy setting configures a local override for the configuration of the time to run a scheduled full s
This policy setting configures a local override for the configuration of behavior monitoring. This setting
This policy setting configures a local override for the configuration to turn on real-time protection. This
This policy setting allows you to configure monitoring for incoming and outgoing files, without having
This policy setting defines the number of days items should be kept in the Quarantine folder before be
This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS
This policy setting configures the time in minutes before a detection in the critically failed state to m
This policy setting configures the time in minutes before a detection in the "non-critically failed" state
This policy setting configures the time in minutes before a detection in the "completed" state moves t
This policy setting configures the time in minutes before a detection in the "additional action" state m
This policy setting allows you to configure whether or not Watson events are sent. If you enable or do
This policy configures Windows software trace preprocessor (WPP Software Tracing) components.
This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Softw
This policy setting allows you to create a system restore point on the computer on a daily basis prior t
This policy, if defined, will prevent antimalware from using the configured proxy server when commun
This policy setting allows you to configure UNC file share sources for downloading definition updates. S
This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to
This policy setting allows you to configure the named proxy that should be used when the client attem
This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that
This policy setting allows you to define the number of days after which a catch-up definition update w
This policy setting allows you to define the number of consecutive scheduled scans that can be misse
This policy setting allows you to define the number of days that must pass before spyware definitions
This policy setting allows you to define the number of days that must pass before virus definitions are
This policy setting allows you to define the order in which different definition update sources should b
This policy setting allows you to configure whether or not to display additional text to clients when the
This policy setting allows you to configure whether or not to display AM UI to the users. If you enable
This policy setting allows you specify a list of file types that should be excluded from scheduled, custo
This policy setting allows you to configure definition updates on startup when there is no antimalware
This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that help
This policy setting allows you to configure monitoring for file and program activity. If you enable or do
This policy setting allows you to disable scheduled and real-time scanning for files under the paths sp
This policy setting allows you to disable scheduled and real-time scanning for any file opened by any o
This policy setting allows you to enable or disable randomization of the scheduled scan start time and
This policy setting allows you to configure scanning mapped network drives. If you enable this setting
This policy setting allows you to configure scanning for all downloaded files and attachments. If you e
This policy setting allows you to configure scans for malicious software and unwanted software in arch
This policy setting allows you to configure scanning for network files. It is recommended that you do n
This policy setting allows you to configure scanning for packed executables. It is recommended that th
This policy setting allows you to manage whether or not to scan for malicious software and unwanted
This policy setting configures behaviour of samples submission when opt-in for MAPS telemetry is set.
This policy setting defines additional definition sets to enable for network traffic inspection. Definition
This policy setting allows you to specify the day of the week on which to check for definition updates.
This policy setting allows you to specify the day of the week on which to perform a scheduled full scan
This policy setting allows you to specify the day of the week on which to perform a scheduled scan. Th
This policy setting allows you to specify an interval at which to check for definition updates. The time
This policy setting allows you to specify an interval at which to perform a quick scan. The time value is
This policy setting allows you to configure the maximum directory depth level into which archive files
This policy setting allows you to configure the maximum percentage CPU utilization permitted during
This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that
This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type optio
This policy setting allows you to specify the time of day at which to perform a daily quick scan. The tim
This policy setting allows you to specify the time of day at which to perform a scheduled full scan in o
This policy setting allows you to specify the time of day at which to perform a scheduled scan. The tim
This policy setting allows you to specify the time of day at which to check for definition updates. The t
This policy setting allows you to customize which automatic remediation action will be taken for each
This policy setting customize which remediation action will be taken for each listed Threat ID when it i
This policy setting allows you to configure scheduled scans to start only when your computer is on but
Use this policy setting to specify if you want Windows Defender notifications to display on clients. If y
This policy setting allows user to supress reboot notifications in UI only mode (for cases where UI can't
Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off
This policy setting turns off real-time protection prompts for known malware detection. Windows Defe
This policy setting allows you to configure whether Windows Defender automatically takes action on a
This policy setting turns off Windows Defender. If you enable this policy setting, Windows Defender do
This policy setting allows you to configure behavior monitoring. If you enable or do not configure this
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is
This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan
This policy setting allows you to configure definition retirement for network protection against exploits
This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engi
This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right be
This policy setting allows you to configure process scanning when real-time protection is turned on. Th
This policy setting allows you to configure protocol recognition for network protection against exploits
This policy setting controls whether raw volume write notifications are sent to behavior monitoring. If
This policy setting defines the number of days items should be kept in the scan history folder before b
This policy setting allows you to configure reparse point scanning. If you allow reparse points to be sca
This policy setting allows you to configure the automatic scan which starts after a definition update ha
This setting is designed to ensure that shell extensions can operate on a per-user basis. If you enable
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed u
This policy setting allows you to manage whether a user may preview an item from this zone or displa
This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons. If y
This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScree
Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to
Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to
This policy setting allows you to specify a list of known folders that should be disabled. Disabling a kn
Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to t
This policy setting allows you to prevent users from accessing Folder Options through the View tab on
When a file or folder is deleted in File Explorer, a copy of the file or folder is placed in the Recycle Bin.
Prevents users from submitting alternate logon credentials to install a program. This setting suppress
This policy removes the end-user notification for new application associations. These associations are
This policy setting determines whether Windows traces shortcuts back to their sources when it cannot
Hide the Back button in the Open dialog box. This policy setting lets you remove new features added
Removes the shortcut bar from the Open dialog box. This setting, and others in this folder, lets you re
Removes the list of most recently used files from the Open dialog box. If you disable this setting or do
This policy setting allows you to hide these specified drives in My Computer. This policy setting allows
Removes the Manage item from the File Explorer context menu. This context menu appears when you
Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If enable this
This policy setting allows you to specify a location where all default Library definition files for users/ma
This policy setting allows you to specify a location where all default Library definition files for users/ma
Limits the percentage of a volume's disk space that can be used to store deleted files. If you enable t
"This policy setting allows you to set the maximum number of shortcuts the system can display in the
This policy setting allows you to remove computers in the user's workgroup and domain from lists of n
Removes all computers outside of the user's workgroup or local domain from lists of network resource
This policy setting allows you to add Internet or intranet sites to the "Search again" links located at th
This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again"
Prevents users from using My Computer to gain access to the content of selected drives. If you enabl
Prevents users from using File Explorer or Network Locations to map or disconnect network drives. If y
This policy setting allows you to remove CD Burning features. File Explorer allows you to create and m
This policy setting allows you to remove the DFS tab from File Explorer. If you enable this policy settin
Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-c
Removes the File menu from My Computer and File Explorer. This setting does not prevent users from
Removes the Hardware tab. This setting removes the Hardware tab from Mouse, Keyboard, and Sound
This policy setting allows you to remove the Search button from the File Explorer toolbar. If you enabl
Removes the Security tab from File Explorer. If you enable this setting, users opening the Properties d
This policy setting allows you to remove the Shared Documents folder from My Computer. When a Wi
If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a
Disables the "Hide keyboard navigation indicators until I use the ALT key" option in Display in Control P
This policy setting allows you to prevent users from enabling or disabling minor animations in the ope
Prompts users for alternate logon credentials during network-based installations. This setting displays
This policy specifies the path to a file (e.g. either stored locally or on a network location) that contains
Shows or hides hibernate from the power options menu. If you enable this policy setting, the hibernat
Shows or hides lock from the user tile menu. If you enable this policy setting, the lock option will be s
Shows or hides sleep from the power options menu. If you enable this policy setting, the sleep option
This policy setting allows you to specify whether the ribbon appears minimized or in full when new File
This policy setting allows you to specify whether the ribbon appears minimized or in full when new File
This policy setting allows you to turn off caching of thumbnail pictures. If you enable this policy settin
Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from b
This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rath
This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rath
This policy setting allows you to configure the amount of functionality that the shell protocol can have
This policy setting allows you to configure the amount of functionality that the shell protocol can have
This policy setting allows you to turn off the display of snippets in Content view mode. If you enable t
This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to
Turn off Windows+X hotkeys. Keyboards with a Windows key provide users with shortcuts to common
This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior
This policy setting allows you to prevent data loss when you change the target location for Folder Red
This policy setting hides the file scan progress window. This window provides status information to sop
This policy setting specifies the maximum amount of disk space that can be used for the Windows File
This policy setting allows you to set when Windows File Protection scans protected files. This policy se
This policy setting specifies an alternate location for the Windows File Protection cache. If you enable
Allows unsolicited incoming messages from specified systems that authenticate using the IPsec transp
Defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allow
Defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allow
Allows inbound file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, an
Allows inbound file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, an
Allows remote administration of this computer using administrative tools such as the Microsoft Manag
Allows remote administration of this computer using administrative tools such as the Microsoft Manag
Allows this computer to receive inbound Remote Desktop requests. To do this, Windows Firewall opens
Allows this computer to receive inbound Remote Desktop requests. To do this, Windows Firewall opens
Allows this computer to receive unsolicited inbound Plug and Play messages sent by network devices,
Allows this computer to receive unsolicited inbound Plug and Play messages sent by network devices,
Allows administrators to use the Windows Firewall component in Control Panel to define a local port ex
Allows administrators to use the Windows Firewall component in Control Panel to define a local port ex
Allows administrators to use the Windows Firewall component in Control Panel to define a local progra
Allows administrators to use the Windows Firewall component in Control Panel to define a local progra
Allows Windows Firewall to record information about the unsolicited incoming messages that it receive
Allows Windows Firewall to record information about the unsolicited incoming messages that it receive
Allows you to view and change the inbound port exceptions list defined by Group Policy. Windows Firew
Allows you to view and change the inbound port exceptions list defined by Group Policy. Windows Firew
Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall
Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall
Specifies that Windows Firewall blocks all unsolicited incoming messages. This policy setting overrides
Specifies that Windows Firewall blocks all unsolicited incoming messages. This policy setting overrides
Prevents Windows Firewall from displaying notifications to the user when a program requests that Win
Prevents Windows Firewall from displaying notifications to the user when a program requests that Win
Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messa
Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messa
Turns on Windows Firewall. If you enable this policy setting, Windows Firewall runs and ignores the "C
Turns on Windows Firewall. If you enable this policy setting, Windows Firewall runs and ignores the "C
Allow suggested apps in Windows Ink Workspace
Allow Windows Ink Workspace
Windows Mail will not check your newsgroup servers for Communities support.
Windows Mail will not check your newsgroup servers for Communities support.
Denies or allows access to the Windows Mail application. If you enable this setting, access to the Wind
Denies or allows access to the Windows Mail application. If you enable this setting, access to the Wind
Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet).
This policy setting allows a screen saver to interrupt playback. If you enable this policy setting, a scre
This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. If you ena
This policy setting allows you to specify the MMS proxy settings for Windows Media Player. If you enab
This policy setting allows you to specify whether network buffering uses the default or a specified num
This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. If you ena
Prevents the anchor window from being displayed when Windows Media Player is in skin mode. This p
This policy setting allows you to prevent the anchor window from being displayed when Windows Med
This policy setting allows you to hide the Network tab. If you enable this policy setting, the Network t
This policy setting allows you to hide the Privacy tab in Windows Media Player. If you enable this polic
This policy setting allows you to hide the Security tab in Windows Media Player. If you enable this poli
This policy setting allows you to turn off do not show first use dialog boxes. If you enable this policy s
This policy setting allows you to prevent media information for CDs and DVDs from being retrieved fro
This policy setting allows you to prevent Windows Media Player from downloading codecs. If you enab
This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's
This policy setting allows you to prevent media sharing from Windows Media Player. If you enable this
This policy setting allows you to prevent media information for music files from being retrieved from th
This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Laun
This policy setting allows you to prevent radio station presets from being retrieved from the Internet.
This policy setting allows you to prevent video smoothing from occurring. If you enable this policy set
This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified sk
This policy setting allows you to specify that Windows Media Player can attempt to use selected proto
This policy setting allows you to prevent Windows Messenger from running. If you enable this policy s
This policy setting allows you to prevent Windows Messenger from running. If you enable this policy s
This policy setting prevents Windows Messenger from automatically running at logon. If you enable th
This policy setting prevents Windows Messenger from automatically running at logon. If you enable th
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client u
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client s
This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM
This policy setting turns on or turns off an HTTP listener created for backward compatibility purposes i
This policy setting turns on or turns off an HTTPS listener created for backward compatibility purposes
This policy setting configures access to remote shells. If you enable this policy setting and set it to Fa
This policy setting configures the maximum number of users able to concurrently perform remote she
This policy setting configures the maximum time in milliseconds remote shell will stay open without a
This policy setting configures the maximum total amount of memory in megabytes that can be allocat
This policy setting configures the maximum number of processes a remote shell is allowed to launch.
This policy setting configures the maximum number of concurrent shells any user can remotely open o
This policy setting is deprecated and has no effect when set to any state: Enabled, Disabled, or Not Co
Disable turns off the launch of all apps from the Windows Store that came pre-installed or were downl
Denies access to the retail catalog in the Windows Store app, but displays the private store. If you en
Denies access to the retail catalog in the Windows Store app, but displays the private store. If you en
Enables or disables the automatic download and installation of app updates. If you enable this setting
Enables or disables the automatic download of app updates on PCs running Windows 8. If you enable
Enables or disables the Store offer to update to the latest version of Windows. If you enable this settin
Enables or disables the Store offer to update to the latest version of Windows. If you enable this settin
Denies or allows access to the Store application. If you enable this setting, access to the Store applica
Denies or allows access to the Store application. If you enable this setting, access to the Store applica
Specifies whether Automatic Updates should automatically install certain updates that neither interrup
This policy setting allows you to control whether non-administrative users will receive update notificat
This policy setting allows you to manage whether Automatic Updates accepts updates signed by entit
If you enable this policy, a restart timer will always begin immediately after Windows Update installs i
Specifies the hours that Windows will use to determine how long to wait before checking for available
Specifies whether this computer will receive security updates and other important downloads through
Specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restar
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowe
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowe
Even when Windows Update is configured to receive updates from an intranet update service, it will p
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is display
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is display
Enable this policy to not include drivers with Windows quality updates.
Specifies the target group name or names that should be used to receive updates from an intranet Mi
Specifies whether the Windows Update will use the Windows Power Management features to automati
Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to b
This setting allows you to remove access to Windows Update. If you enable this setting, all Windows U
Specifies the amount of time for Automatic Updates to wait before prompting again with a scheduled
Specifies the amount of time for Automatic Updates to wait, following system startup, before proceedi
Enable this policy to specify what type of feature updates to receive, and when. The branch readiness
Enable this policy to specify when to receive quality updates. You can defer receiving quality updates
Specifies an intranet server to host updates from Microsoft Update. You can then use this update servi
If you enable this policy, the PC will not automatically restart after updates during active hours. The PC
Specifies whether Automatic Updates will deliver both important as well as recommended updates fro
This policy setting allows you to control whether users see detailed enhanced notification messages a
This setting controls automatic updates to a user's computer. Whenever a user connects to the Intern
This setting allows you to remove access to scan Windows Update. If you enable this setting, Windows
Specify the deadline in days before automatically executing a scheduled restart outside of active hour
This policy setting controls the use of fast startup. If you enable this policy setting, the system require
This policy setting configures the number of minutes the system waits for the hung logon sessions bef
This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remo
Specifies an alternate user interface. The Explorer program (%windir%\explorer.exe) creates the fami
This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS
This policy setting controls whether or not the system displays information about previous logons and
This policy controls whether the logged on user should be notified when his logon hours are about to e
This policy controls whether the logged on user should be notified if the logon server could not be con
This policy controls whether the logged on user should be notified if the logon server could not be con
This policy controls which action will be taken when the logon hours expire for the logged on user. The
This policy setting controls whether a device will automatically sign-in the last interactive user after W
Enables or disables the automatic download and update of map data. If you enable this setting the au
This policy setting allows you to turn on or turn off unsolicited network traffic on the Offline Maps page
This policy setting specifies whether Windows will allow console applications and GUI applications with
This policy setting allows you to turn off projection to a PC. If you turn it on, your PC isn't discoverab
This policy setting allows you to require a pin for pairing. If you turn this on, the pairing ceremony for
This policy setting determines whether users can enable the following WLAN settings: "Connect to sug
This policy applies to Wireless Display connections. This policy changes the preference order of the pa
This policy applies to Wireless Display connections. This policy means that the use of a PIN for pairing
This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine. If th
Set up the menu name and URL for the custom Internet search provider. If you enable this setting, th
This policy setting specifies whether Work Folders should be set up automatically for all users of the a
This policy setting specifies the Work Folders server for affected users, as well as whether or not users
This setting lets you configure how domain joined computers become registered as devices. When yo
This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to b
This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to e
This policy setting blocks voice and video calls during Quiet Hours. If you enable this policy setting, v
This policy setting turns off notification mirroring. If you enable this policy setting, notifications from a
This policy setting blocks applications from using the network to send notifications to update tiles, tile
This policy setting turns off Quiet Hours functionality. If you enable this policy setting, toast notificat
This policy setting turns off tile notifications. If you enable this policy setting, applications and system
This policy setting turns off toast notifications for applications. If you enable this policy setting, applic
This policy setting turns off toast notifications on the lock screen. If you enable this policy setting, app
This policy setting configures the cost of 3G connections on the local machine. If this policy setting is
This policy setting configures the cost of 4G connections on the local machine. If this policy setting is
New in Win10?
or can create a list of approved ActiveX Install sites specified by host URL. If you disable or do not configure th
the trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service respo
tools. If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigu
grams button is available to all users. This setting does not prevent users from using other tools and methods t
re components of Windows from the installation files. If you disable this setting or do not configure it, the Add/R
the Change or Remove Programs page is available to all users. This setting does not prevent users from using
able to all users. This setting does not prevent users from using other tools and methods to add or remove prog
vent users from using other tools and methods to connect to Windows Update. Note: If the "Hide Add New Progr
ograms that the system administrator has explicitly made available to the user with a tool such as Windows Ins
ell as which programs are accessible from the Start menu, desktop, and other locations. If you disable this sett
al and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remov
ncluding a link to the installation files and data that users need to obtain product support, such as the Product ID
s in other categories. To use this setting, type the name of a category in the Category box for this setting. You m
RTM
lications. To run any 16-bit application or any application with 16-bit components, ntvdm.exe must be allowed t
ve the most common issues affecting legacy applications. Enabling this policy setting removes the property pag
plays an Application Help message if the application has a know problem. Turning off the application compatibi
er Experience Improvement program is turned off, Application Telemetry will be turned off regardless of how this
or will be turned off and data will not be sent to Microsoft. Collection of installation data through the Program Co
System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. If you enable this policy set
oard input and mouse input, user interface data, and screen shots. Steps Recorder includes an option to turn on
policy setting, Switchback will be turned off. Turning Switchback off may degrade the compatibility of older appl
1607
TP4
TP4
TP4
TP4
TP4
TP4
TP4
1607
TP4
TP4
TP4
TP4
TP4
TP4
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
RTM
he local computer). If you disable or do not configure this policy setting, you cannot install LOB or developer-sig
up Policy setting applies Mandatory user profiles and super-mandatory profiles, which are created by an adminis
you cannot develop Windows Store apps or install them directly from an IDE.
RTM
RTM
to sign in with an enterprise account instead. If you disable or do not configure this policy setting, users will ne
app for a file type. If you enable this policy setting, Windows Store apps cannot open files in the default deskto
app for a file type. If you enable this policy setting, Windows Store apps cannot open files in the default deskto
hing a desktop app. If you enable this policy setting, Windows Store apps cannot open URIs in the default desk
hing a desktop app. If you enable this policy setting, Windows Store apps cannot open URIs in the default desk
RTM
RI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. If
er from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the fi
make proper risk assessments. If you enable this policy setting, Windows does not mark file attachments with t
us file attachments that Windows has blocked users from opening. If you enable this policy setting, Windows hid
takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than o
precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inc
ws and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusio
redundant. If you enable this policy setting, Windows tells the registered antivirus program to scan the file whe
e the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. Using b
curity event log as part of the Audit Process Creation event 4688, "a new process has been created," on the wor
er's choice of what to do when a device is connected.
er's choice of what to do when a device is connected.
program without user intervention. This creates a major security concern as code may be executed without use
program without user intervention. This creates a major security concern as code may be executed without use
as the floppy disk drive (but not the CD-ROM drive), and on network drives. Starting with Windows XP SP2, Auto
as the floppy disk drive (but not the CD-ROM drive), and on network drives. Starting with Windows XP SP2, Auto
1607
RTM
setting, Windows prevents domain users from logging on to a domain-joined computer using biometrics. Note:
you must also configure the "Allow users to log on using biometrics" policy setting. If you disable this policy se
o the domain. If you enable or do not configure this policy setting, all users can log on to a local Windows-base
fy the number of seconds the event remains active. This value cannot exceed 60 seconds. If you disable or do n
TP4
akes them available to other BITS peers. When transferring a download job, BITS first requests the files for the j
ch Cache. If you disable or do not configure this policy setting, the BITS client uses Windows Branch Cache. No
puter will no longer use the BITS peer caching feature to download files; files will be downloaded only from the o
puter will no longer cache downloaded files and offer them to its peers. However, the computer will still downlo
pecify in days the maximum age of files in the cache. You can enter a value between 1 and 120 days. If you dis
nt of the total system disk for the peercache. If you enable this policy setting, you can enter the percentage of
efault BITS uses a maximum download time of 90 days (7,776,000 seconds). If you enable this policy setting, y
width to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours
rk interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are
maximum number of BITS jobs a user can create to the specified number. If you disable or do not configure this
ng, BITS will limit the maximum number of BITS jobs to the specified number. If you disable or do not configure
specified number. If you disable or do not configure this policy setting, BITS will use the default value of 200 for
t can be added to a file to the specified number. If you disable or do not configure this policy setting, BITS will li
ou can define a default download policy for each BITS job priority. This setting does not override a download pol
fine a separate set of network bandwidth limits and set up a schedule for the maintenance period. You can spec
e not defined in a work schedule are considered non-work hours. If you enable this policy setting, you can set u
ob are deleted from the disk. Note: Any property changes to the job or any successful download action will rese
1607
ations Manager server.
RTM
m/fwlink/?LinkId=517265
1607
TP4
1607
TP4
ndows has internally registered the required components. If you enable this policy setting and a component re
ndows has internally registered the required components. If you enable this policy setting and a component re
w used in the last Control Panel session. Note: Icon size is dependent upon what the user has set it to in the pre
upport or command lines that use control.exe. This policy has no effect on items displayed in PC settings. If you
The Start screen File Explorer This setting removes PC settings from: The Start screen Settings charm Accoun
ays to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe.
d "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) se
TRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock scree
effect on the system. If you enable it, a screen saver runs, provided the following two conditions hold: First, a v
ange those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with
TP4
nd users cannot change it. If the specified background is not supported, the default background is used.
ify will be used. Also, a user may not apply a different visual style when changing themes. If you disable or do n
ging the screen saver. If you disable this setting or do not configure it, users can select any screen saver. If you
kground, color, sounds, or screen saver after the first logon. If you disable or do not configure this setting, the d
er dialog in the Personalization or Display Control Panel, preventing users from changing the password protectio
, glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. If
use the "Prevent changing color and appearance" setting.
be changed by the user. To specify wallpaper for a group, use the "Desktop Wallpaper" setting. Note: You must
sta, this setting also hides the Desktop tab in the Display Control Panel.
een and logon image, and they will instead see the default image.
wed to change them. If the "Force a specific background and accent color" policy is also set on a supported ver
t configure this setting, there is no effect. Note: If you enable this setting but do not specify a theme using the
etting prevents users and applications from changing the visual style through the command line. Also, a user m
C Settings, and the camera cannot be invoked on the lock screen.
show will ever start.
ze" drop-down list on the Appearance tab.
mstances: - The setting is disabled or not configured. - The wait time is set to zero. - The "Enable Screen Saver"
count Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures
vice's screen turns off before a password is required when waking the device. The allowable time is limited by a
RTM
he computer belongs to the Fabrikam domain, the default domain for user logon is Fabrikam. If you enable this
d and Smart Card. An administrator can install additional credential providers for different sets of credentials (f
he user's domain password will be cached in the system vault when using this feature.
Windows Components\Microsoft Passport for Work. If you enable this policy setting, a domain user can set up a
s default credentials can be delegated (default credentials are those that you use when first logging on to Windo
(default credentials are those that you use when first logging on to Windows). If you disable or do not configur
h credentials can be delegated (fresh credentials are those that you are prompted for when executing the applic
resh credentials are those that you are prompted for when executing the application). If you do not configure (
d credentials can be delegated (saved credentials are those that you elect to save/remember using the Window
(saved credentials are those that you elect to save/remember using the Windows credential manager). If you d
s). If you disable or do not configure (by default) this policy setting, this policy setting does not specify any serv
plication). If you disable or do not configure (by default) this policy setting, this policy setting does not specify a
dows credential manager). If you disable or do not configure (by default) this policy setting, this policy setting d
Remote Desktop Client If you enable this policy setting, restricted mode is enforced and participating apps will n
ing, the password reveal button will be displayed after a user types a password in the password entry text box.
ing, the password reveal button will be displayed after a user types a password in the password entry text box.
will be displayed so the user can choose one and enter the correct password. If you disable this policy setting,
abled. If you enable this policy setting, users will be required to enter Windows credentials on the Secure Deskt
stem. The system prompts users for a new password when an administrator requires a new password or their pa
If you disable or do not configure this policy setting, users will be able to lock the computer from the keyboard u
the Start menu. Also, see the 'Remove Logoff on the Start Menu' policy setting. If you disable or do not config
e priority of the process in which programs run. If you enable this policy setting, users will not be able to access
RTM
TP5
TP5
1607
will be turned off. If you do not configure this policy setting, user can configure the Let Microsoft try features o
d), DCOM will look for an entry in the locally configured list. If you disable this policy setting, DCOM will not look
nd list when this policy setting is configured, unless the "Allow local activation security check exemptions" polic
1607
RTM
RTM
RTM
RTM
RTM
1607
1607
1607
1607
1607
particular Web-based items from users' desktops. Users can add the item again (if settings allow), but the item
mp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as
the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C
p" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored.
Note: This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, fo
g, shared folders are not added to Network Locations automatically when you open a document in the shared fo
" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored.
e it, the filter bar does not appear, but users can display it by selecting "Filter" on the "View" menu. To see the fi
appears in the Network Locations folder. This setting is designed to let users search Active Directory but not te
ms displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Ope
missions for user or group objects in Active Directory. If you enable this setting, you can use the "Number of obje
Tip: To view the toolbars that can be added to the desktop, right-click a docked toolbar (such as the taskbar be
e Desktop, or prevent users from removing existing Web content. Also, see the "Disable all items" setting.
onfiguration. Also, see the "Prevent adding, dragging, dropping and closing the Taskbar's toolbars" setting.
enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web c
rom items on the Web tab in Display in Control Panel. Note: This setting does not prevent users from deleting it
t to their Active Desktop. Also, see the "Prohibit closing items" and "Disable all items" settings.
of an item, such as its synchronization schedule, password, or display characteristics.
he Target box.
puter folder. This setting allows administrators to restrict their users from seeing Computer in the shell namesp
he contents of the My Documents folder. This setting does not remove the My Documents icon from the Start m
figure this setting, the Properties option is displayed as usual.
pens the File menu. Clicks the My Documents icon, and then presses ALT+ENTER. If you disable or do not config
this setting, the Properties option is displayed as usual.
tents of the Recycle Bin folder. Note: To make changes to this setting effective, you must log off and then log ba
or of the Desktop Clean Wizard running every 60 days occurs. Note: When this setting is not enabled, users can
is window minimizing and restoring gesture will apply.
1607
y the machine must be rebooted. The file path must be either a UNC path (for example, \\ServerName\ShareNam
port and will only be enabled on correctly configured devices. Virtualization Based Protection of Code Integrity
tall and update the drivers for any device. If you enable this policy setting on a remote desktop server, the polic
ce installation take precedence over this one. If you enable this policy setting, Windows is allowed to install or u
prevent device installation take precedence over this one. If you enable this policy setting, Windows is allowed
st be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublis
d, the system does not implement any setting less secure than the one the setting established. When you enab
300 seconds for a device installation task to complete before terminating the installation.
ents device installation. If you disable or do not configure this policy setting, Windows displays a default title in
you disable or do not configure this policy setting, Windows displays a default message when a policy setting pr
nt enables you to more easily restore your system to its state before the activity. If you enable this policy settin
match any of these device IDs" or the "Allow installation of devices for these device classes" policy setting. If yo
om installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this polic
prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you crea
USB hub to which the device is connected. This policy setting takes precedence over any other policy setting tha
not signed at all. If you enable or do not configure this policy setting, drivers that are signed by a Microsoft Win
cy setting, the system does not force a reboot. Note: If no reboot is forced, the device installation restriction righ
e search algorithm. If you enable this setting, you can remove the locations by selecting the associated check b
error report is sent when a generic driver is installed.
anel > System and Security > System > Advanced System Settings > Hardware tab). If you disable or do not c
ce driver. If you disable or do not configure this policy setting, Windows sends an error report when a device dr
ows will attempt to search Windows Update exactly one time. With this setting, Windows will not continually sea
ill first search the Managed Server, such as a Windows Server Update Services (WSUS) server. Only if no update
device is being installed, unless the driver for the device suppresses the balloons.
ication settings" is disabled or not configured. If you enable this setting, administrators will not be prompted to
ication settings" is disabled or not configured. If you enable this setting, administrators will not be prompted to
o discover domain controllers. This value is specified in minutes. If you disable or do not configure this policy se
cker will not run. If you disable or do not configure this setting, Digital Locker can be run.
cker will not run. If you disable or do not configure this setting, Digital Locker can be run.
ure this policy setting, Windows displays the default alert text in the disk diagnostic message. No reboots or se
ervice (DPS) detects and logs S.M.A.R.T. faults to the event log when they occur. If you enable this policy setting
me. The system determines the data that will be stored in the NV cache to optimize boot and resume. The requ
s mode, the system tries to save power by aggressively spinning down the disk. If you do not configure this pol
cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the s
V) cache. This allows the system to exclusively run out of the NV cache and power down the disk for longer per
ll apply the disk quota to both fixed and removable media.
ned off, and users cannot turn it on. If this policy setting is not configured, disk quota management is turned off
s the "Deny disk space to users exceeding quota limit" option on the Quota tab so administrators cannot make
this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disable
ng, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Qu
e Quota Entries window changes to indicate that the user is approaching the disk quota limit. This setting overr
n another computer. The DLT client can more reliably track links when allowed to use the DLT server. This polic
me "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot. For
not configure this policy setting, NetBT queries will only be issued for single-label names such as "example" an
e applied to all network connections used by computers that receive this policy setting. If you disable this polic
eld. To use this policy setting, you must enter at least one IP address. If you enable this policy setting, the list o
mputers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. F
twork connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registra
s are not converted to the Nameprep form.
LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, responses from link local protocols w
s that receive it, you must restart Windows. If you enable this policy setting, it supersedes the primary DNS suffi
name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a u
hat suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settin
ient performing dynamic DNS registration registers A and PTR resource records with a concatenation of its comp
rds will be determined by the option that you choose under Register PTR records. To use this policy setting, clic
ven if the record has not changed. This reregistration is required to indicate to DNS servers that records are cur
rce records and does not allow a DNS client to overwrite records that are registered by other computers. Durin
fy will be applied to DNS resource records registered for all network connections used by computers that receive
configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS serve
s LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolutio
d, the network binding order is used to determine which response to accept. If you enable this policy setting, th
If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT
ynamic updates. Only secure - computers send only secure dynamic updates. If you enable this policy setting,
nless the authoritative zone is a top-level domain or root zone. If you enable this policy setting, computers send
an be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a speci
an be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a speci
D is accessible, if desktop composition is turned on. When Windows Flip 3D is activated with the Windows+Tab k
D is accessible, if desktop composition is turned on. When Windows Flip 3D is activated with the Windows+Tab k
licy setting requires a logoff for it to be applied.
licy setting requires a logoff for it to be applied.
color is used, if the user does not specify a color. Note: This policy setting can be used in conjunction with the "P
color is used, if the user does not specify a color. Note: This policy setting can be used in conjunction with the "P
tart Personalization. However, setting the accent will have no effect.
le or do not configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are
of following values: 0x0001 // JIS208 area 0x0002 // NEC special char code 0x0004 // NEC selected IBM extend
ou disable or do not configure this policy setting, the custom dictionary can be used by default. For Japanese Mi
Changes to this setting will not take effect until the user logs off.
ng, the search integration function can be used by default. This policy setting applies to Japanese Microsoft IME
onversion. For Simplified Chinese Microsoft Pinyin, an Open Extended Dictionary that is added before enabling t
RTM
1607
mplified Chinese Microsoft Pinyin.
d and has not been tampered with. - Bad: The driver has been identified as malware. It is recommended that y
1607
1607
g touch gestures, keyboard shortcuts, and the Start screen. If you disable or don't configure this policy setting,
n't be able to replace it with Windows PowerShell. Users will still be able to access Windows PowerShell, but not
orner. They'll still be available if the mouse is pointing to the lower-right corner. If you disable or don't configure
tting, Windows will keep track of the apps that are used and searched most frequently. Most frequently used ap
s that are moved to an encrypted folder. This setting applies only to files moved within a volume. When files ar
root hub connected Enhanced Storage devices are allowed. If you disable or do not configure this policy setting
isable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer.
e on your computer. If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storag
ble devices are allowed on your computer.
rage device.
anced Storage device state is not changed when the computer is locked.
TP4
TP4
nnect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port numb
TP4
TP4
mputer Configuration/Administrative Templates/System/Internet Communication Management/Internet Commun
t to Store parameters only, only the minimum information required to check for an existing solution is stored. Th
t to Store parameters only, only the minimum information required to check for an existing solution is stored. Th
whether the report should be placed in the reporting queue, or the user should be prompted to send it immediat
whether the report should be placed in the reporting queue, or the user should be prompted to send it immediat
c, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a conse
c, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a conse
rrors. If the Report all errors in Microsoft applications check box is filled, all errors in Microsoft applications are r
events and errors are logged to the system event log, as with other Windows-based programs.
events and errors are logged to the system event log, as with other Windows-based programs.
soft. Additionally, solution information is not available in Security and Maintenance in Control Panel. If you disa
soft. Additionally, solution information is not available in Security and Maintenance in Control Panel. If you disa
an also report the error. If you disable this policy setting, users are not notified that errors have occurred. If the
ble or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative
ble or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative
B files that can contain data about the same event types as an earlier uploaded report. If you disable or do not
B files that can contain data about the same event types as an earlier uploaded report. If you disable or do not
custom consent policy settings for error reporting determine the consent level for specified event types, and the
custom consent policy settings for error reporting determine the consent level for specified event types, and the
f application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by a
ver reports errors, click Show, and then add or remove applications from the list of application file names in the
ver reports errors, click Show, and then add or remove applications from the list of application file names in the
never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or rem
interface for critical errors.
configure this policy setting, users can change this setting in Control Panel. By default, Windows Error Reporting
wer source. If you enable this policy setting, WER does not determine whether the computer is running on batte
wer source. If you enable this policy setting, WER does not determine whether the computer is running on batte
ou disable or do not configure this policy setting, WER does not send data, but will check the network cost polic
ou disable or do not configure this policy setting, WER does not send data, but will check the network cost polic
ents. If you disable or do not configure this policy setting, forwarder resource usage is not specified. This settin
ption specifics. Use the following syntax when using the HTTPS protocol: Server=https://<FQDN of the collector
s full. A new file is then started. If you disable this policy setting and the "Retain old events" policy setting is en
and system services can write, read, or clear this log. Note: If you enable this policy setting, some tools and API
nable this policy setting, only those users whose security descriptor matches the configured specified value can
and system services can write, read, or clear this log. Note: If you enable this policy setting, some tools and API
descriptor matches the configured value can access the log. If you disable or do not configure this policy setting
RTM
RTM
RTM
RTM
events overwrite old events. Note: Old events may or may not be retained according to the "Backup log automa
the Event Log uses the system32 or system64 subdirectory.
he maximum size of the log file will be set to the locally configured value. This value can be changed by the loc
dard and the public key you provide. You can use the Unprotect-CmsMessage PowerShell cmdlet to decrypt thes
Explorer. Note: When the menu bar is not displayed, users can access the menu bar by pressing the 'ALT' key.
RTM
you disable or do not configure this policy setting, users will be able to add new items such as files or folders to
workspace, can't hibernate the PC.

rom a Windows To Go workspace, can use standby states to make the PC sleep.
device is connected will be enabled, and users will not be able to make changes using the Windows To Go Startu
TP4
This is the default recovery behavior for corrupted files. Silent: Detection, troubleshooting, and recovery of corr
that contains the enterprise identifier, separated by a comma, and the Package Family Name of the application.
otocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. Note:
1607
on please refer to the Windows Help section NOTE: If this policy is Disabled or Not Configured, local administra
If you disable them on all volumes then they will never be generated. If you set short name creation to be confi
e offline. If you disable or do not configure this policy setting, redirected shell folders are automatically made a
omatically made available offline. All subfolders within the redirected folders are also made available offline. No
tion to another and Folder Redirection is configured to move the content to the new location, instead of copying
uter in a remote office. To designate a user's primary computers, an administrator must use management softw
uter in a remote office. To designate a user's primary computers, an administrator must use management softw
ws Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders w
ws Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders w
and cannot be hidden by the user. Note: This has a side effect of not being able to toggle to the Preview Pane sin
annot detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handle
RTM
ser on that system. If you disable or do not configure this policy setting, language packs that are installed as pa
cy setting, the system specifies the largest two-digit year interpreted as being preceded by 20. All numbers les
ed by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is igno
ed by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is igno
the policy is Enabled, then the user will get input methods enabled for the system account on the sign-in page.
ns of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. The pol
ns of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. The pol
d, users can still choose alternate locales installed on the system unless prevented by other policies, however, t
d, users can still choose alternate locales installed on the system unless prevented by other policies, however, t
the target computer or you disable this policy setting, the language selection defaults to the language selected
ues programmatically. This policy setting is used only to simplify the Regional Options control panel. If you enab
vent the user or an application from changing the GeoID programmatically. If you disable or do not configure thi
anguage. This does not prevent the user or an application from changing the UI language programmatically. If
pplication from changing their user locale or user overrides programmatically. If you disable or do not configure
Regional and Language Options control panel are not accessible to the logged on user. This prevents users from
restricted to the specified list. The locale list is specified using language names, separated by a semicolon (;).
o locales in this list. To set this policy setting on a per-user basis, make sure that you do not configure the per-c
o locales in this list. To set this policy setting on a per-user basis, make sure that you do not configure the per-c
ministrator as the system UI languages. The UI language selected by the user will be ignored if it is different tha
for the selected user. If the specified language is not installed on the target computer or you disable this policy
e option will be locked to not autocorrect misspelled words. If the policy is Disabled or Not Configured, then the
ed includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the In
ed includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the In
n will be locked to not highlight misspelled words. If the policy is Disabled or Not Configured, then the user will b
xt prediction candidate when using the on-screen keyboard. If the policy is Enabled, then the option will be lock
rd. If the policy is Enabled, then the option will be locked to not offer text predictions. If the policy is Disabled o
do not configure this policy setting: - No user-based policy settings are applied from the user's forest. - Users
ADM files that were used to create the GPO while editing this GPO. This leads to the following behavior: - If you
g, when a slow network connection is detected, Group Policy processing will always run in an asynchronous man
ndwidth speed information. If Group Policy detects a bandwidth speed, Group Policy will follow the normal rules
implementing the disk quota policy set when it was installed. If you enable this policy setting, you can use the
on policy set when it was installed. If you enable this policy setting, you can use the check boxes provided to ch
ory, not for Group Policy objects on the local computer. This policy setting overrides customized settings that th
nchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Grou
the domain controller designated as the PDC Operations Master for the domain. "Inherit from Active Directory S
w. The system's response to a slow policy connection varies among policies. The program implementing the po
w. The system's response to a slow policy connection varies among policies. The program implementing the po
that the program implementing the Internet Explorer Maintenance policy set when it was installed. If you enab
ed settings that the program implementing the IP security policy set when it was installed. If you enable this po
contention. If you enable this policy setting, Group Policy will wait for the specified amount of time before runn
able this policy setting, you can use the check boxes provided to change the options. If you disable or do not co
talled. If you enable this policy setting, you can use the check boxes provided to change the options. If you disa
hen it was installed. If you enable this policy setting, you can use the check boxes provided to change the optio
ects stored in Active Directory, not for Group Policy Objects on the local computer. This policy setting overrides
computer that is being used. By default, the user's Group Policy Objects determine which user settings apply. If
wired network set when it was installed. If you enable this policy, you can use the check boxes provided to cha
ing the wireless network set when it was installed. If you enable this policy, you can use the check boxes provid
1607
Active Directory Users and Computers or Active Directory Sites and Services, you can enable the object links fo
y setting, interactive users can generate RSoP. Note: This policy setting does not affect administrators. If you e
y setting, interactive users can generate RSoP. Note: This policy setting does not affect administrators. If you e
1607
runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is r
ows\CurrentVersion\Policies registry subkeys. Preferences, which are not fully supported, use registry entries in o
1607
1607
setting, the default behavior applies. By default, computer policy is applied when the computer starts up. It als
he display name can contain environment variables and can be a maximum of 255 characters long. If this settin
pdated when the system starts. By default, computer Group Policy is updated in the background every 90 minut
f you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 min
sers log on. By default, user Group Policy is updated in the background every 90 minutes, with a random offset
ous, the computer is not blocked and policy processing will occur in the background. In either case, configuring t
nchronous, the computer is not blocked and policy processing will occur in the background. In either case, config
t Editor, a timestamp comparison is performed on the source files in the local %SYSTEMROOT%\inf directory and
tings. If you disable or do not configure this policy setting, updates can be applied while users are working. The
Local GPOs to ensure that only domain-based GPOs are applied. If you enable this policy setting, the system d
t-side extension settings that were included. If you enable this setting, RSoP logging is turned off. If you disabl
RTM
wed to process across a slow network connection, to be applied during background processing, and to process e
ogging and turn on tracing for the Applications extension for client computers. If you disable or do not configure
e allowed to process across a slow network connection, to be applied during background processing, and to proc
logging and turn on tracing for the Data Sources extension for client computers. If you disable or do not config
ss across a slow network connection, to be applied during background processing, and to process even if the Gr
nd turn on tracing for the Devices extension for client computers. If you disable or do not configure this policy s
wed to process across a slow network connection, to be applied during background processing, and to process ev
ging and turn on tracing for the Drive Maps extension for client computers. If you disable or do not configure th
erence items are allowed to process across a slow network connection, to be applied during background proces
logging and turn on tracing for the Environment extension for client computers. If you disable or do not configu
a slow network connection, to be applied during background processing, and to process even if the Group Policy
on tracing for the Files extension for client computers. If you disable or do not configure this policy setting, by
r Options, Open With, and File Type preference items are allowed to process across a slow network connection,
ent logging and turn on tracing for the Folder Options extension for client computers. If you disable or do not co
across a slow network connection, to be applied during background processing, and to process even if the Grou
d turn on tracing for the Folders extension for client computers. If you disable or do not configure this policy set
ess across a slow network connection, to be applied during background processing, and to process even if the G
d turn on tracing for the Ini Files extension for client computers. If you disable or do not configure this policy se
ed to process across a slow network connection, to be applied during background processing, and to process ev
nd turn on tracing for the Internet extension for client computers. If you disable or do not configure this policy s
r and Local Group preference items are allowed to process across a slow network connection, to be applied duri
ng, you can configure event logging and turn on tracing for the Local User and Local Group extension for client
onnection and DUN Connection preference items are allowed to process across a slow network connection, to be
e event logging and turn on tracing for the Network Options extension for client computers. If you disable or do
tems are allowed to process across a slow network connection, to be applied during background processing, and
event logging and turn on tracing for the Network Shares extension for client computers. If you disable or do no
ns and Power Scheme preference items are allowed to process across a slow network connection, to be applied
ent logging and turn on tracing for the Power Options extension for client computers. If you disable or do not co
d Printer, TCP/IP Printer, and Local Printer preference items are allowed to process across a slow network conne
d turn on tracing for the Printers extension for client computers. If you disable or do not configure this policy se
ce items are allowed to process across a slow network connection, to be applied during background processing,
e event logging and turn on tracing for the Regional Options extension for client computers. If you disable or do
ocess across a slow network connection, to be applied during background processing, and to process even if the
nd turn on tracing for the Registry extension for client computers. If you disable or do not configure this policy
ed Task and Immediate Task preference items are allowed to process across a slow network connection, to be a
event logging and turn on tracing for the Scheduled Tasks extension for client computers. If you disable or do
cess across a slow network connection, to be applied during background processing, and to process even if the G
and turn on tracing for the Services extension for client computers. If you disable or do not configure this policy
process across a slow network connection, to be applied during background processing, and to process even if th
g and turn on tracing for the Shortcuts extension for client computers. If you disable or do not configure this po
ed to process across a slow network connection, to be applied during background processing, and to process ev
ging and turn on tracing for the Start Menu extension for client computers. If you disable or do not configure thi
Application preference items. If you enable or do not configure this policy setting, you permit use of Application
icy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable
on is prohibited, it does not appear in the Group Policy Management Editor window. If you enable this policy set
prohibited, it does not appear in the Group Policy Management Editor window. If you enable this policy setting,
d by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" poli
he "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy se
cy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable t
licy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable
ng overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable this pol
ed by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" po
etting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable this p
etting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable this
cted by the "Permit use of Control Panel Settings (Users)" policy setting. Enabling this policy setting overrides th
s restricted by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (U
cted by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)"
policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disa
d by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" po
nage preference items. If you enable this policy setting, you permit use of the Preferences tab. Enabling this po
he "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy se
cted by the "Permit use of Control Panel Settings (Users)" policy setting. Enabling this policy setting overrides th
setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable this
ted by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" p
he "Permit use of Control Panel Settings (Computers)" policy setting. Enabling this policy setting overrides the "
setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable th
y the "Permit use of Control Panel Settings (Users)" policy setting. Enabling this policy setting overrides the "Re
icy settings synchronously. If you enable this policy setting, Windows applies user Group Policy settings asynch
ed to this policy setting. If you enable this policy setting, the commands function only for .chm files in the spec
disable or do not configure this policy setting, users can run all applications from online Help. Note: You can a
disable or do not configure this policy setting, users can run all applications from online Help. Note: You can a
ure that they use system memory safely. If you enable this policy setting, DEP for HTML Help Executable is turn
t is displayed, but there are no clickable links for these elements. If you disable or do not configure this policy s
Experience Improvement program. If you disable or do not configure this policy setting, users can turn on the H
ty and usefulness of the Help and Support content.
isable or do not configure this policy setting, users can access online assistance if they have a connection to the
omatically on subsequent attempts. Credentials can also be configured by network operators. If you enable this
ble this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are s
ble this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are s
the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified a
use the Store service to find an application. If you enable this policy setting, the "Look for an app in the Store"
use the Store service to find an application. If you enable this policy setting, the "Look for an app in the Store"
ates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and othe
s downloading drivers that are not already installed locally. If you enable this policy setting, print drivers canno
s downloading drivers that are not already installed locally. If you enable this policy setting, print drivers canno
the event is created by a Microsoft component. This text contains a link (URL) that, if clicked, sends information
setting, the Help and Support Center no longer retrieves nor displays "Did you know?" content. If you disable o
default search options. If you enable this policy setting, it removes the Knowledge Base section from the Help
from retrieving the list of ISPs, which resides on Microsoft servers. If you disable or do not configure this policy
ded from a Windows website in addition to providers specified in the registry. If you enable this policy setting, W
ded from a Windows website in addition to providers specified in the registry. If you enable this policy setting, W
se the Web service to find an application. If you enable this policy setting, the link and the dialog for using the
se the Web service to find an application. If you enable this policy setting, the link and the dialog for using the
server and making its shared printers available via HTTP. If you enable this policy setting, it prevents this client
server and making its shared printers available via HTTP. If you enable this policy setting, it prevents this client
this policy setting, users can connect to Microsoft.com to complete the online Windows Registration. Note that
es used to format and display results. If you enable this policy setting, Search Companion does not download co
Tasks in File Explorer folders. If you disable or do not configure this policy setting, the task is displayed.
Tasks in File Explorer folders. If you disable or do not configure this policy setting, the task is displayed.
to the web. If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows
to the web. If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows
n is used to improve the product in future releases. If you enable this policy setting, Windows Messenger does
n is used to improve the product in future releases. If you enable this policy setting, Windows Messenger does
ame, address, or any other personally identifiable information. There are no surveys to complete, no salesperso
rt errors. If you disable or do not configure this policy setting, the errors may be reported to Microsoft via the In
age from a dedicated Web server or making a DNS request for a dedicated address. If you enable this policy se
ers when no local drivers are present. If you do not configure this policy setting, searching Windows Update is o
plications that require IIS might not receive a warning that IIS cannot be installed because of this Group Policy se
e zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be lo
nd remove search providers, but only from the set of search providers specified in the list of policy keys for sea
nd remove search providers, but only from the set of search providers specified in the list of policy keys for sea
ult Accelerators should not overlap. If you disable or do not configure this policy setting, the user has Accelerato
ult Accelerators should not overlap. If you disable or do not configure this policy setting, the user has Accelerato
default Accelerators should not overlap. If you disable or do not configure this policy setting, the user has Accel
default Accelerators should not overlap. If you disable or do not configure this policy setting, the user has Accel
be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines w
be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines w
nality or behavior on a page.) If you enable this policy setting, this sets the list of behaviors permitted in each z
nality or behavior on a page.) If you enable this policy setting, this sets the list of behaviors permitted in each z
erences and policy settings. If you enable this policy setting, all processes will respect add-on management use
erences and policy settings. If you enable this policy setting, all processes will respect add-on management use
s are prevented for all processes. Any use of binary behaviors for HTML rendering is blocked. If you disable or d
s are prevented for all processes. Any use of binary behaviors for HTML rendering is blocked. If you disable or d
pe of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer ren
lies to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is used as
lies to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is used as
ety Feature is disabled for all processes.
ety Feature is disabled for all processes.
icy setting, the MK Protocol is enabled.
icy setting, the MK Protocol is enabled.
through restricted protocols is allowed for all processes other than File Explorer or Internet Explorer. If you disa
through restricted protocols is allowed for all processes other than File Explorer or Internet Explorer. If you disa
Processes, for which the Notification bar is displayed by default). If you enable this policy setting, the Notificat
Processes, for which the Notification bar is displayed by default). If you enable this policy setting, the Notificat
s policy setting, object reference is retained when navigating within or across domains in the Restricted Zone sit
s policy setting, object reference is retained when navigating within or across domains in the Restricted Zone sit
he Local Machine security zone a prime target for malicious users. If you enable this policy setting, any zone ca
he Local Machine security zone a prime target for malicious users. If you enable this policy setting, any zone ca
y setting, the Web Browser Control will not block automatic prompting of ActiveX control installation for all proce
y setting, the Web Browser Control will not block automatic prompting of ActiveX control installation for all proce
his policy setting, the Web Browser Control will not block automatic prompting of file downloads that are not use
his policy setting, the Web Browser Control will not block automatic prompting of file downloads that are not use
nd status bars. If you enable this policy setting, scripted windows are restricted for all processes. If you disable
nd status bars. If you enable this policy setting, scripted windows are restricted for all processes. If you disable
not configure this policy, users can choose whether to be prompted before running active content on a CD.
not configure this policy, users can choose whether to be prompted before running active content on a CD.
kdown policy. If you enable this policy setting, no Intranet Zone content accessed is affected, even for protocols
tocol Lockdown policy. If you enable this policy setting, no Trusted Sites Zone content accessed is affected, eve
tocol Lockdown policy. If you enable this policy setting, no Trusted Sites Zone content accessed is affected, eve
disable this policy setting, script code on pages in the zone is prevented from running. If you do not configure t
only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are av
ipboard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do n
e this policy setting, deleting browsing history on exit is turned on. If you disable this policy setting, deleting br
e this policy setting, deleting browsing history on exit is turned on. If you disable this policy setting, deleting br
rag or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or cop
TP5
his policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy
If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this polic
Internet Explorer components will be automatically installed as necessary. If you disable this policy setting, use
Internet Explorer components will be automatically installed as necessary. If you disable this policy setting, use
ad the Japanese Language Pack component if it is not already installed. If you enable this policy setting, Web co
ad the Japanese Language Pack component if it is not already installed. If you enable this policy setting, Web co
nstall desktop items from this zone. If you disable this policy setting, users are prevented from installing deskto
ng shutdown. If you disable or do not configure this policy setting, OnUnLoad script handlers do not display UI d
ng shutdown. If you disable or do not configure this policy setting, OnUnLoad script handlers do not display UI d
files. If you do not configure this policy setting, the user can change the "Enable alternative codecs in HTML5 m
files. If you do not configure this policy setting, the user can change the "Enable alternative codecs in HTML5 m
RTM
RTM
1607
1607
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. Th
tting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The use
et Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted
esh setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads
ss bar. In addition, users won't be able to change the Suggestions setting on the Settings charm. If you disable t
ss bar. In addition, users won't be able to change the Suggestions setting on the Settings charm. If you disable t
ing, the user can choose to run natively implemented, scriptable XMLHTTP.
ing, the user can choose to run natively implemented, scriptable XMLHTTP.
ontrol to run from the current site or from all sites. If you disable this policy setting, the user does not see the p
TP5
TP5
TP5
TP5
TP5
TP5
TP5
TP5
TP5
TP5
TP5
TP5
TP5
TP5
TP5
TP5
TP5
TP5
TP5
TP5
ing, the user can enable or disable script access to the WebBrowser control. By default, script access to the Web
If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and w
nstall or run files with an invalid signature. If you disable this policy setting, users cannot run or install files with
nstall or run files with an invalid signature. If you disable this policy setting, users cannot run or install files with
policy setting, placeholders appear for graphical images while the images are downloading. The user cannot cha
orer automatically launches any browser helper objects that are installed on the user's computer. If you disable
orer automatically launches any browser helper objects that are installed on the user's computer. If you disable
, as of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video
rnet Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the use
e user can enable or disable the Notification bar behavior.
licy setting, websites will not be able to store application caches on client computers. Allow website database a
licy setting, websites will not be able to store application caches on client computers. Allow website database a
s policy setting, websites will not be able to store an indexed database on client computers. Allow website datab
s policy setting, websites will not be able to store an indexed database on client computers. Allow website datab
able this policy setting, Internet Explorer only sends the Do Not Track header if a Tracking Protection List is enab
able this policy setting, Internet Explorer only sends the Do Not Track header if a Tracking Protection List is enab
configure it, this control will not be designated as administrator-approved. To specify how administrator-approv
d using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do
do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Not
do not configure this setting, users will receive a file download dialog for automatic download attempts.
des to Internet Explorer 9. In Internet Explorer 9, add-ons are defined as toolbars, Browser Helper Objects, or Ex
des to Internet Explorer 9. In Internet Explorer 9, add-ons are defined as toolbars, Browser Helper Objects, or Ex
plorer checks the Internet for a new version approximately every 30 days and prompts the user to download new
plorer checks the Internet for a new version approximately every 30 days and prompts the user to download new
pboard operation. This means that if the zone behavior is currently set to prompt, it will be bypassed and enable
pboard operation. This means that if the zone behavior is currently set to prompt, it will be bypassed and enable
g in the Internet Explorer process performs a Clipboard operation. In the Internet Explorer process, if the zone b
g in the Internet Explorer process performs a Clipboard operation. In the Internet Explorer process, if the zone b
which you specify that administrator-approved controls can be run. If you disable this policy or do not configur
Internet Explorer uses the default connection limit for HTTP 1.1 (6 connections per host). In versions of Internet
Internet Explorer uses the default connection limit for HTTP 1.1 (6 connections per host). In versions of Internet
If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked. If y
If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked. If y
will check the digital signatures of executable programs and display their identities before downloading them to
will check the digital signatures of executable programs and display their identities before downloading them to
n a link within Internet Explorer, the content will be played by the default media client on their system. If you e
e blocking of attachments in options. If the block attachments setting is not checked, the user can specify to en
e displayed with its default settings, unless users customize it.
mmand buttons are displayed: Show all text labels: All command buttons have only text. Show selective text:
mmand buttons are displayed: Show all text labels: All command buttons have only text. Show selective text:
y setting, Internet Explorer sends the current Internet Explorer version in the User Agent header (for example, "
y setting, Internet Explorer sends the current Internet Explorer version in the User Agent header (for example, "
ernet Explorer process" policy. If the "Bypass prompting for Clipboard access for scripts running in any process" p
ernet Explorer process" policy. If the "Bypass prompting for Clipboard access for scripts running in any process" p
or web pages. By default, the 'Add-on List' policy setting defines a list of add-ons to be allowed or denied throug
or web pages. By default, the 'Add-on List' policy setting defines a list of add-ons to be allowed or denied throug
s restricted functionality and is intended for use by web sites. If you enable this policy, this control will be availa
enable this policy setting, a user cannot set the number of days that Internet Explorer tracks views of the pages
enable this policy setting, a user cannot set the number of days that Internet Explorer tracks views of the pages
will be disabled. Users also cannot add content that is based on a channel, such as some of the Active Desktop
nt. The Make Available Offline check box will be dimmed in the Add Favorite dialog box. If you disable this polic
es are cleared and users cannot select them. To display this tab, users click the Tools menu, click Synchronize, s
do not configure this setting, the user has the freedom to turn on the auto-complete feature for forms. To disp
component when visiting a Web site that uses that component. This policy is intended to help the administrato
oxy scripts can be stored in the users' cache.
b pages. If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templa
policy or do not configure it, users can select or clear settings on the Advanced tab. If you set the "Disable the A
to do automatic configuration. You can import your current connection settings from your machine using Interne
to do automatic configuration. You can import your current connection settings from your machine using Interne
sable this policy or do not configure it, users can determine which programs to use for managing schedules and
users can import new certificates, remove approved publishers, and change settings for certificates that have a
If you disable this policy or do not configure it, users can change the default background and text color of Web
age" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Inte
age" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Inte
onfigure it, users can determine whether Internet Explorer will check to see if it is the default browser. When Inte
users can change the default fonts for viewing Web pages. If you set the "Disable the General page" policy (loca
machines with at least Internet Explorer 7, the home page can be set within this policy to override other home p
e this policy or do not configure it, users can change the language preference settings for viewing Web sites for
isable this policy or do not configure it, users can change the default color of links on Web pages. If you set the
his policy or do not configure it, users can determine which programs to use for sending mail, viewing newsgrou
eet and e-mail addresses. The "Disable the Content page" policy (located in \User Configuration\Administrative
ings settings. The "Disable the Ratings page" policy (located in \User Configuration\Administrative Templates\W
ry home pages. The user cannot set custom default secondary home pages. If you disable or do not configure t
ry home pages. The user cannot set custom default secondary home pages. If you disable or do not configure t
then click the Settings button in the Internet Options dialog box. If you disable this policy or do not configure it
r check box on the Web tab in the Display Properties dialog box. If you disable this policy or do not configure it,
ars submenu of the Tools menu in the Command bar in subsequent versions of Internet Explorer. If you enable
re it, users can determine which toolbars are displayed in File Explorer and Internet Explorer. This policy can be
subscribed to. However, synchronization with the Web pages will still occur to determine if any content has been
Web page Properties dialog box are dimmed. To display this tab, users click the Tools menu, click Synchronize, se
hat have been set up for offline viewing. If users click the Tools menu, click Synchronize, select a Web page, and
icy or do not configure it, users could install customizations from another party-for example, when signing up fo
a file allows the user to import favorites, feeds and cookies from a file. Exporting settings to a file allows the use
a file allows the user to import favorites, feeds and cookies from a file. Exporting settings to a file allows the use
pointing to Programs, pointing to Accessories, pointing to Communications, and then clicking Internet Connectio
settings for downloading Web content. If you disable this policy or do not configure it, channel providers can re
using the shortcut menu. This policy can be used in coordination with the "File menu: Disable New menu option
nternet Explorer checks every 30 days by default, and then notifies users if a new version is available. This pol
e this policy or do not configure it, users can disable the synchronization of channels. This policy is intended to
Organize Favorites Favorite dialog box and the Make This Page Available Offline check box will be selected but d
ormed that the command is not available. If you disable this policy or do not configure it, users can download p
users start their browsers.
users will not be notified if their programs are updated using Software Distribution Channels. If you disable this
When you set this policy, you do not need to set the "Disable changing Advanced page settings" policy (locate
When you set this policy, you do not need to set the "Disable changing Advanced page settings" policy (locate
need to set the following policies for the Content tab, because this policy removes the Connections tab from th
need to set the following policies for the Content tab, because this policy removes the Connections tab from th
ings. When you set this policy, you do not need to set the following Internet Explorer policies (located in \User C
ings. When you set this policy, you do not need to set the following Internet Explorer policies (located in \User C
o not need to set the following policies for the Programs tab, because this policy removes the Programs tab from
o not need to set the following policies for the Programs tab, because this policy removes the Programs tab from
ges. The "Disable the Programs page" policy (located in \User Configuration\Administrative Templates\Windows
ttings. When you set this policy, you do not need to set the following Internet Explorer policies, because this po
ttings. When you set this policy, you do not need to set the following Internet Explorer policies, because this po
en problems occur with proxy scripts.
a security information message (This page contains both secure and nonsecure items. Do you want to display t
ption to run the website in regular Protected Mode. This policy setting disables this notification and forces all we
ption to run the website in regular Protected Mode. This policy setting disables this notification and forces all we
Reset Internet Explorer Settings. If you disable or do not configure this policy setting, the user can use Reset Int
Reset Internet Explorer Settings. If you disable or do not configure this policy setting, the user can use Reset Int
policy setting in such a way as to allow users to continue to manage the add-on. In this case, the user can still m
policy setting in such a way as to allow users to continue to manage the add-on. In this case, the user can still m
you enable this policy setting, the reveal password button will be hidden for all password fields. Users and deve
you enable this policy setting, the reveal password button will be hidden for all password fields. Users and deve
nly one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authenticati
s containing secure (HTTPS) information to the cache. If you disable this policy setting, Internet Explorer will sav
s containing secure (HTTPS) information to the cache. If you disable this policy setting, Internet Explorer will sav
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to
ishers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy se
drop-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this po
pace usage. If you enable this policy setting, Internet Explorer will delete the contents of the user's Temporary I
pace usage. If you enable this policy setting, Internet Explorer will delete the contents of the user's Temporary I
n different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users c
the same window. Users cannot change this setting. If you enable this policy setting and click Disable, users c
urity zone will run without the added layer of security provided by this feature. If you disable this policy setting
tion of search tools, viewing a history of visited pages, printing, and accessing email and newsgroups. The menu
tion of search tools, viewing a history of visited pages, printing, and accessing email and newsgroups. The menu
t a user's browsing. However, doing so may cause compatibility issues on some websites. The allowed value ran
t a user's browsing. However, doing so may cause compatibility issues on some websites. The allowed value ran
ut a user's browsing. However, doing so may cause compatibility issues on some websites. The allowed value ra
ut a user's browsing. However, doing so may cause compatibility issues on some websites. The allowed value ra
ner of the program will not work; if users click the Close button, they will be informed that the command is not a
rmed that the command is not available. If you disable this policy or do not configure it, users can open a new b
policy or do not configure it, users can open a Web page from the browser File menu. Caution: This policy does
e Save as Type box in the Save Web Page dialog box. Users can still save Web pages as hypertext markup langu
ver the "File Menu: Disable Save As Web Page Complete" policy, which prevents users from saving the entire co
this limit. Note: This setting does not appear in the user interface.
ot set this limit. Note: This setting does not appear in the user interface.
nnot set this limit. Note: This setting does not appear in the user interface.
nnot set this limit. Note: This setting does not appear in the user interface.
ot set this limit. Note: This setting does not appear in the user interface.
not go directly to an intranet site for a one-word entry in the Address bar.
not go directly to an intranet site for a one-word entry in the Address bar.
ommand on the Help menu. Caution: Enabling this policy does not remove the tips for Netscape users from the
soft products.
he browser.
mand on the shortcut menu is disabled; when users click it, they are informed that the command is unavailable.
ommand bar is shown by default, and the user can choose to hide it.
ommand bar is shown by default, and the user can choose to hide it.
hown by default, and the user can choose to hide it.
hown by default, and the user can choose to hide it.
ill not be able to create new identities, manage existing identities, or switch identities. The Switch Identity optio
he path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML
y displayed in Compatibility View. If you disable this policy setting, the Microsoft-provided website lists are not u
y displayed in Compatibility View. If you disable this policy setting, the Microsoft-provided website lists are not u
setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls
ble this policy setting, Internet Explorer 9 installs binaries signed by MD2 and MD4 signing technologies. If you d
ble this policy setting, Internet Explorer 9 installs binaries signed by MD2 and MD4 signing technologies. If you d
you do not configure this policy, users can turn on or turn off automatic updates from the About Internet Explore
s are prevented for the File Explorer and Internet Explorer processes. If you disable this policy setting, binary be
s are prevented for the File Explorer and Internet Explorer processes. If you disable this policy setting, binary be
lies to all local files and content processed by Internet Explorer. This feature helps to mitigate attacks where the
lies to all local files and content processed by Internet Explorer. This feature helps to mitigate attacks where the
esses will allow a MIME sniff promoting a file of one type to a more dangerous file type. If you do not configure
esses will allow a MIME sniff promoting a file of one type to a more dangerous file type. If you do not configure
disable this policy setting, applications can use the MK protocol API. Resources hosted on the MK protocol will wo
disable this policy setting, applications can use the MK protocol API. Resources hosted on the MK protocol will wo
content obtained through restricted protocols is allowed for File Explorer and Internet Explorer processes. For ex
content obtained through restricted protocols is allowed for File Explorer and Internet Explorer processes. For ex
plorer Processes. If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer
plorer Processes. If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer
policy setting, an object reference is retained when navigating within or across domains for Internet Explorer pro
policy setting, an object reference is retained when navigating within or across domains for Internet Explorer pro
ecurity zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no s
ecurity zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no s
be blocked for Internet Explorer processes. If you do not configure this policy setting, the user's preference will
be blocked for Internet Explorer processes. If you do not configure this policy setting, the user's preference will
ed for Internet Explorer processes. If you do not configure this policy setting, the user's preference determines w
ed for Internet Explorer processes. If you do not configure this policy setting, the user's preference determines w
nd status bars. If you enable this policy setting, popup windows and other restrictions apply for File Explorer and
nd status bars. If you enable this policy setting, popup windows and other restrictions apply for File Explorer and
plies to all processes which have opted in to the security restriction. If you enable this policy setting for a zone,
dard template defaults. If you disable this template policy setting, no security level is configured. If you do not
ocal sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would
ocal sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would
t map one there). If you do not configure this policy setting, users choose whether network paths are mapped in
t map one there). If you do not configure this policy setting, users choose whether network paths are mapped in
mapped into the Intranet Zone (other rules might map one there). If you do not configure this policy setting, u
mapped into the Intranet Zone (other rules might map one there). If you do not configure this policy setting, u
u disable this policy or do not configure it, these controls will not be designated as administrator-approved. Sel
x (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a sa
If you select Prompt in the drop-down box, users are queried to choose whether to run applications and downlo
RTM
RTM
RTM
RTM
RTM
RTM
rs are locked by default, but the user can unlock them through the shortcut menu of the Command bar.
rs are locked by default, but the user can unlock them through the shortcut menu of the Command bar.
xt to the Address bar, and the user cannot move them. If you do not configure this policy setting, the Stop and
xt to the Address bar, and the user cannot move them. If you do not configure this policy setting, the Stop and
password to query users for user IDs and passwords. After a user is queried, these values can be used silently fo
olicy is intended to ensure that proxy settings apply uniformly to the same computer and do not vary from user
of Internet Explorer prior to Internet Explorer 8, the default connection limit for HTTP 1.0 was 4.
of Internet Explorer prior to Internet Explorer 8, the default connection limit for HTTP 1.0 was 4.
e controls will not be designated as administrator-approved. To specify a control as administrator-approved, clic
ou specify that administrator-approved controls can be run. If you disable this policy or do not configure it, thes
r-approved controls can be run. If you disable this policy or do not configure it, this control will not be designate
onfigure it, this control will not be designated as administrator-approved. To specify how administrator-approved
oved. To specify how administrator-approved controls are handled for each security zone, carry out the followin
do not configure it, these controls will not be designated as administrator-approved. Select the check boxes for
are queried whether to allow windows and frames to access applications from other domains. If you disable this
box, users are queried whether to allow additional windows and frames to access applications from other doma
-approved. To specify how administrator-approved controls are handled for each security zone, carry out the fol
fied if Internet Explorer is not the default web browser. Users cannot change the setting. If you do not configure
se how Internet Explorer tiles are opened.
se how Internet Explorer tiles are opened.
d in Web content. If you disable this policy setting, Internet Explorer will not play or download animated picture
d in Web content. If you disable this policy setting, Internet Explorer will not play or download animated picture
nt. If you disable this policy setting, Internet Explorer will not play or download sounds in Web content, helping
nt. If you disable this policy setting, Internet Explorer will not play or download sounds in Web content, helping
you disable this policy setting, Internet Explorer will not play or download videos, helping pages display more q
you disable this policy setting, Internet Explorer will not play or download videos, helping pages display more q
he domain name is allowed, so www.contoso.com is valid, but not http://www.contoso.com. Wildcards are allowe
he domain name is allowed, so www.contoso.com is valid, but not http://www.contoso.com. Wildcards are allowe
and newsgroups. The menu bar contains menus that open lists of commands. The commands include options fo
his policy setting is enabled, the "Fix settings" command on the Notification bar shortcut menu should be disabl
his policy setting is enabled, the "Fix settings" command on the Notification bar shortcut menu should be disabl
rowsing History dialog box. Starting with Windows 8, users cannot click the Delete Browsing History button on th
rowsing History dialog box. Starting with Windows 8, users cannot click the Delete Browsing History button on th
he feed list in the Favorites Center.
he feed list in the Favorites Center.
he Settings charm (starting with Internet Explorer 10 on Windows 8). If you disable or do not configure this polic
he Settings charm (starting with Internet Explorer 10 on Windows 8). If you disable or do not configure this polic
this policy setting, the user receives a notification when a feed or Web Slice is available and can click the feed d
this policy setting, the user receives a notification when a feed or Web Slice is available and can click the feed d
able this policy setting, SmartScreen Filter warnings block the user. If you disable or do not configure this policy
able this policy setting, SmartScreen Filter warnings block the user. If you disable or do not configure this policy
ble or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
ble or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
lter level by importing Privacy settings from your computer under Internet Explorer Maintenance. If you disable
lter level by importing Privacy settings from your computer under Internet Explorer Maintenance. If you disable
or do not configure this policy setting, the user can change the URL that is displayed for checking updates to Int
TP5
owing: Open in an existing Internet Explorer window. If tabbed browsing is enabled, a new tab is created in th
owing: Open in an existing Internet Explorer window. If tabbed browsing is enabled, a new tab is created in th
the background by pressing Ctrl+Shift+Select or open the tabs in the foreground by pressing Ctrl+Shift+Select
the background by pressing Ctrl+Shift+Select or open the tabs in the foreground by pressing Ctrl+Shift+Select
he Address bar for searches. The user can still perform searches on the Search bar by clicking the Search butto
he Address bar for searches. The user can still perform searches on the Search bar by clicking the Search butto
d in the main window. Enable top result search: When a user performs a search in the Address bar, the user is
d in the main window. Enable top result search: When a user performs a search in the Address bar, the user is
sers turn on the Personalized Tracking Protection List, which blocks third-party items while the user is browsing.
sers turn on the Personalized Tracking Protection List, which blocks third-party items while the user is browsing.
ure this policy setting, the user can choose whether to delete or preserve cookies when he or she clicks Delete.
ure this policy setting, the user can choose whether to delete or preserve cookies when he or she clicks Delete.
clicks Delete. If you do not configure this policy setting, the user can choose whether to delete or preserve dow
clicks Delete. If you do not configure this policy setting, the user can choose whether to delete or preserve dow
Delete. If you do not configure this policy setting, the user can choose whether to delete or preserve favorites s
Delete. If you do not configure this policy setting, the user can choose whether to delete or preserve favorites s
figure this policy setting, the user can choose whether to delete or preserve form data when he or she clicks De
figure this policy setting, the user can choose whether to delete or preserve form data when he or she clicks De
te Browsing History dialog box. If you enable this policy setting, InPrivate Filtering data is preserved when the u
te Browsing History dialog box. If you enable this policy setting, InPrivate Filtering data is preserved when the u
onfigure this policy setting, the user can choose whether to delete or preserve passwords when he or she clicks
onfigure this policy setting, the user can choose whether to delete or preserve passwords when he or she clicks
when the user clicks Delete. If you do not configure this policy setting, the user can choose whether to delete or
when the user clicks Delete. If you do not configure this policy setting, the user can choose whether to delete or
websites that the user has visited are deleted when he or she clicks Delete. If you do not configure this policy se
websites that the user has visited are deleted when he or she clicks Delete. If you do not configure this policy se
rough the Feed APIs. If you disable or do not configure this policy setting, the user can set the Feed Sync Engin
rough the Feed APIs. If you disable or do not configure this policy setting, the user can set the Feed Sync Engin
do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing.
do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing.
this policy setting, the Search box appears by default in the Internet Explorer frame. Note: If you enable this po
this policy setting, the Search box appears by default in the Internet Explorer frame. Note: If you enable this po
tion list. Note: You can allow a default list of sites that can open pop-up windows regardless of the Internet Expl
tion list. Note: You can allow a default list of sites that can open pop-up windows regardless of the Internet Expl
een Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without p
een Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without p
hishing filter uses: manual, automatic, or off. If you select manual mode, the phishing filter performs only local
hishing filter uses: manual, automatic, or off. If you select manual mode, the phishing filter performs only local
must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.
must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.
Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. Starting with Window
Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. Starting with Window
, the user can specify the background color in Internet Explorer.
licy setting allows you to specify the URL to update the browser security setting. If you enable this policy settin
e text color in Internet Explorer.
ng, the user cannot specify the download path for the code. You must specify the download path. If you disable
already clicked in Internet Explorer. You must specify the link color (for example: 192,192,192). If you disable o
not yet clicked in Internet Explorer. You must specify the link color (for example: 192,192,192). If you disable o
etting, the user can specify the hover color.
update check interval.
a feed or Web Slice by using the Feed APIs. A developer also cannot create or delete folders. If you disable or d
a feed or Web Slice by using the Feed APIs. A developer also cannot create or delete folders. If you disable or d
nable this policy setting, toolbars and BHOs are not loaded by default during an InPrivate Browsing session. If y
nable this policy setting, toolbars and BHOs are not loaded by default during an InPrivate Browsing session. If y
cookies. If you disable or do not configure this policy setting, users will be able to delete temporary Internet file
cookies. If you disable or do not configure this policy setting, users will be able to delete temporary Internet file
s policy setting, the user can turn on or turn off Windows colors for display.
extend support for these user preferences and policy settings to specific processes listed in the process list. If y
extend support for these user preferences and policy settings to specific processes listed in the process list. If y
ne applications for which they want this security feature to be prevented or allowed. If you enable this policy se
ne applications for which they want this security feature to be prevented or allowed. If you enable this policy se
ty applies to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is u
ty applies to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is u
enter a Value of 1, this protection will be in effect. If you enter a Value of 0, any file may be promoted to more d
enter a Value of 1, this protection will be in effect. If you enter a Value of 0, any file may be promoted to more d
setting and enter a Value of 1, use of the MK protocol is prevented. If you enter a Value of 0, use of the MK proto
setting and enter a Value of 1, use of the MK protocol is prevented. If you enter a Value of 0, use of the MK proto
ns for which they want restricting content obtained through restricted protocols to be prevented or allowed. If y
ns for which they want restricting content obtained through restricted protocols to be prevented or allowed. If y
on bar is displayed by default). If you enable this policy setting and enter a Value of 1, the Notification bar is dis
on bar is displayed by default). If you enable this policy setting and enter a Value of 1, the Notification bar is dis
nter a Value of 1, references to objects are inaccessible after navigation. If you enter a Value of 0, references to
nter a Value of 1, references to objects are inaccessible after navigation. If you enter a Value of 0, references to
hine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there
hine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there
rol installation is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value
rol installation is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value
of non-initiated file downloads is allowed. The Value Name is the name of the executable. If a Value Name is em
of non-initiated file downloads is allowed. The Value Name is the name of the executable. If a Value Name is em
nd status bars. This policy setting allows administrators to define applications for which they want this security
nd status bars. This policy setting allows administrators to define applications for which they want this security
RTM
RTM
setting, users can choose whether or not to render filters in this zone. Users can change this setting on the Secu
is policy setting, the user can access any Accelerators that he or she has installed.
is policy setting, the user can access any Accelerators that he or she has installed.
d-party toolbars or in Setup, but the user can also add them from a search provider's website. If you enable this
d-party toolbars or in Setup, but the user can also add them from a search provider's website. If you enable this
ng, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, In
Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet
ols or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you d
ipt interaction. If you disable this policy setting, script interaction is prevented from occurring. If you do not co
you disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy
rms the user that this feature has been disabled. If you disable this policy or do not configure it, users can press
e this policy or do not configure it, users can change their settings for the Search Assistant. This policy is design
, click the Security tab, and then click the Sites button.) If you disable this policy or do not configure it, users ca
ers can change the settings for security zones. This policy prevents users from changing security zone settings
me computer can establish their own security zone settings. This policy is intended to ensure that security zone
1607
1607
es should be sent: 0) Unicode domain names are never converted to IDN format. 1) Unicode domain names are
es should be sent: 0) Unicode domain names are never converted to IDN format. 1) Unicode domain names are
main, Internet Explorer sends an error to the website. No notification will be displayed to the user. This group po
main, Internet Explorer sends an error to the website. No notification will be displayed to the user. This group po
g, Internet Explorer will remove application caches that haven't been used within the timeframe set in this polic
g, Internet Explorer will remove application caches that haven't been used within the timeframe set in this polic
disable or do not configure this policy setting, users can set default data storage limits for indexed databases an
disable or do not configure this policy setting, users can set default data storage limits for indexed databases an
ot configure this policy setting, users can choose how links are opened in Internet Explorer.
ot configure this policy setting, users can choose how links are opened in Internet Explorer.
domain, Internet Explorer sends an error to the website. No notification is sent to the user. This group policy set
domain, Internet Explorer sends an error to the website. No notification is sent to the user. This group policy set
et this policy setting, you provide the resource size limit, in MB. The default is 50 MB. If you enable this policy se
et this policy setting, you provide the resource size limit, in MB. The default is 50 MB. If you enable this policy se
error to the website. No notification will be displayed to the user. When you set this policy setting, you provide t
error to the website. No notification will be displayed to the user. When you set this policy setting, you provide t
omputer. The default maximum storage limit for all application caches is 1 GB. If you enable this policy setting,
omputer. The default maximum storage limit for all application caches is 1 GB. If you enable this policy setting,
their computer. The default maximum storage limit for all indexed databases is 4 GB. If you enable this policy
their computer. The default maximum storage limit for all indexed databases is 4 GB. If you enable this policy
; and high allows the tab process to grow very quickly and is intended only for computers that have ample phys
; and high allows the tab process to grow very quickly and is intended only for computers that have ample phys
gure this policy setting, Internet Explorer uses the default limit of 6 WebSocket connections per server.
gure this policy setting, Internet Explorer uses the default limit of 6 WebSocket connections per server.
To specify how administrator-approved controls are handled for each security zone, carry out the following steps
not configure this policy setting, Internet Explorer does not display the Content Advisor setting on the Content t
not configure this policy setting, Internet Explorer does not display the Content Advisor setting on the Content t
es open without a security warning. If you set the drop-down box to Prompt, a security warning appears before
ate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites
ate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites
nd software packages to be automatically installed on users' computers. Medium safety to allow users to be not
g, the user can select his or her preference for this behavior. The new tab page is the default setting.
g, the user can select his or her preference for this behavior. The new tab page is the default setting.
controls, including per-user controls, are installed through the standard installation process.
controls, including per-user controls, are installed through the standard installation process.
net Explorer starts a new browsing session with the tabs from the last browsing session. Users cannot change th
net Explorer starts a new browsing session with the tabs from the last browsing session. Users cannot change th
ser cannot prevent the wizard from starting. If you disable this policy setting, the Internet Connection Wizard do
es in this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to c
ing. If you disable this policy or do not configure it, then users can determine the amount of content that is sea
et Options command on the Tools menu, they are informed that the command is unavailable. If you disable this
developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Fra
u enable this policy setting, the ActiveX Opt-In prompt does not appear. Internet Explorer does not ask the user f
u enable this policy setting, the ActiveX Opt-In prompt does not appear. Internet Explorer does not ask the user f
le Add-ons dialog box displays the load time for each group of add-ons enabled in the browser. It allows the use
le Add-ons dialog box displays the load time for each group of add-ons enabled in the browser. It allows the use
In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you ena
In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you ena
or her data after a program stops responding.
or her data after a program stops responding.
TP5
on. The user cannot change this setting. If you do not configure this policy setting, the user can turn on or off au
the background.
the background.
RTM
RTM
blocked in Internet Explorer. Each domain entry must be formatted like one of the following: 1. "domain.name.T
blocked in Internet Explorer. Each domain entry must be formatted like one of the following: 1. "domain.name.T
re this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab
re this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab
o not configure this policy setting, applications that host MSHTML render text by using the Microsoft ClearType re
o not configure this policy setting, applications that host MSHTML render text by using the Microsoft ClearType re
cy setting, InPrivate Filtering data collection is turned off. If you disable this policy setting, InPrivate Filtering co
cy setting, InPrivate Filtering data collection is turned off. If you disable this policy setting, InPrivate Filtering co
nfigure this policy setting, the user can use the Compatibility View button and manage the Compatibility View si
nfigure this policy setting, the user can use the Compatibility View button and manage the Compatibility View si
ure this policy setting, the user can use the Compatibility View button.
ure this policy setting, the user can use the Compatibility View button.
1: Force pop-up windows to open in new windows. 2: Force pop-up windows to open on new tabs. If you disabl
1: Force pop-up windows to open in new windows. 2: Force pop-up windows to open on new tabs. If you disabl
cy setting, the user can choose when to underline links.
or Reporting continue to apply. If you disable or do not configure this policy setting, the crash detection feature
or Reporting continue to apply. If you disable or do not configure this policy setting, the crash detection feature
n request data across third-party domains embedded in the page.
n request data across third-party domains embedded in the page.
DEPPolicy function. If you disable or do not configure this policy setting, Internet Explorer uses the SetProcessDE
you enable this policy setting, Data URI support is turned off. Without Data URI support, a Data URI will be inte
you enable this policy setting, Data URI support is turned off. Without Data URI support, a Data URI will be inte
roblem connecting with an Internet server, the user does not see a detailed description or hints about how to co
d communication with the target server, the browser and server negotiate which protocol and version to use. T
d communication with the target server, the browser and server negotiate which protocol and version to use. T
Favorites bar.
Favorites bar.
policy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the
user cannot turn on image display. However, the user can still display an individual image by right-clicking the ic
e for File Explorer is turned off. The user cannot turn it on. If you disable this policy setting, Inline AutoComplet
isable this policy setting, InPrivate Browsing is available for use. If you do not configure this policy setting, InPri
isable this policy setting, InPrivate Browsing is available for use. If you do not configure this policy setting, InPri
ers have visited. If you enable this policy setting, InPrivate Filtering is turned off in all browsing sessions, and In
ers have visited. If you enable this policy setting, InPrivate Filtering is turned off in all browsing sessions, and In
tes or content in the background. If you disable this policy setting, Internet Explorer preemptively loads website
tes or content in the background. If you disable this policy setting, Internet Explorer preemptively loads website
Filter. You must specify which mode the SmartScreen Filter uses: on, or off.All website addresses that are not on
Filter. You must specify which mode the SmartScreen Filter uses: on, or off.All website addresses that are not on
tting, page transitions will be turned on. The user cannot change this behavior. If you do not configure this polic
ns that host MSHTML respond to user input that causes the content to be re-rendered at a scaled size.
ns that host MSHTML respond to user input that causes the content to be re-rendered at a scaled size.
etting, phone number detection is turned on. Users won't be able to modify this setting. If you don't configure t
etting, phone number detection is turned on. Users won't be able to modify this setting. If you don't configure t
-up windows will continue to function as they did in Windows XP Service Pack 1 or earlier, although windows lau
-up windows will continue to function as they did in Windows XP Service Pack 1 or earlier, although windows lau
ernet Explorer will not be available. Starting with Windows 8, the Print flyout for Internet Explorer will not be ava
ernet Explorer will not be available. Starting with Windows 8, the Print flyout for Internet Explorer will not be ava
ofile Assistant information, users will be prompted to choose which information to share. At that time, users can
ofile Assistant information, users will be prompted to choose which information to share. At that time, users can
ast Browsing Session feature.

ast Browsing Session feature.
orer does not allow sending the path portion of URLs as UTF-8. The user cannot change this policy setting. If yo
ngs. 1) Only encode query strings for URLs that aren't in the Intranet zone. 2) Only encode query strings for UR
ngs. 1) Only encode query strings for URLs that aren't in the Intranet zone. 2) Only encode query strings for UR
a webpage. If you disable or do not configure this policy setting, users can use the shortcut menu.
turn it off. If you do not configure this policy setting, the user can turn on or turn off smart image dithering.
If you do not configure this policy setting, the user can turn smooth scrolling on or off.
h providers that offer suggestions.
h providers that offer suggestions.
lorer, and the user cannot turn them on. If you disable this policy setting, tabbed browsing and related entry po
lorer, and the user cannot turn them on. If you disable this policy setting, tabbed browsing and related entry po
RTM
RTM
icy setting, user will be suggested matches when entering Web addresses. The user cannot change the auto-com
icy setting, user will be suggested matches when entering Web addresses. The user cannot change the auto-com
policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the backgro
policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the backgro
ser clicks in the Search box, the quick pick menu appears.
ser clicks in the Search box, the quick pick menu appears.
et Explorer 10. Also, this policy setting does not prevent a site from requesting cross-domain data through a ser
et Explorer 10. Also, this policy setting does not prevent a site from requesting cross-domain data through a ser
domain data through a server. If you enable this policy setting, websites cannot request data across domains b
domain data through a server. If you enable this policy setting, websites cannot request data across domains b
bars or Browser Helper Objects that are enabled or disabled via policy settings do not undergo this check. If you
bars or Browser Helper Objects that are enabled or disabled via policy settings do not undergo this check. If you
t users have visited. If you enable this policy setting, Tracking Protection is disabled in all browsing sessions, an
t users have visited. If you enable this policy setting, Tracking Protection is disabled in all browsing sessions, an
ons will be turned off. Users will not be able to turn on URL Suggestions. If you disable this policy setting, URL S
ons will be turned off. Users will not be able to turn on URL Suggestions. If you disable this policy setting, URL S
er Address bar. If you enable this policy setting, Internet Explorer does not use Windows Search AutoComplete
er Address bar. If you enable this policy setting, Internet Explorer does not use Windows Search AutoComplete
es are used. If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in
es are used. If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in
RTM
RTM
turn off ActiveX Filtering, although they may add per-site exceptions. If you disable or do not configure this pol
turn off ActiveX Filtering, although they may add per-site exceptions. If you disable or do not configure this pol
setting, automatic detection of the intranet is turned off, and intranet mapping rules are applied however they
setting, automatic detection of the intranet is turned off, and intranet mapping rules are applied however they
e signup process after the branding is complete for ISPs (IEAK). The user cannot change this behavior. If you dis
HTTP connection. If you disable or do not configure this policy setting, the Windows RSS Platform does not auth
HTTP connection. If you disable or do not configure this policy setting, the Windows RSS Platform does not auth
ting is particularly useful to users who do not use a mouse. If you enable this policy setting, Caret Browsing is t
ting is particularly useful to users who do not use a mouse. If you enable this policy setting, Caret Browsing is t
e this policy setting, the certificate address mismatch warning always appears. If you disable or do not configur
e this policy setting, the certificate address mismatch warning always appears. If you disable or do not configur
f you disable this policy setting, the user cannot log information that is blocked by new Internet Explorer feature
f you disable this policy setting, the user cannot log information that is blocked by new Internet Explorer feature
cy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injecti
ble this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled w
ble this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled w
n. The user cannot turn it off. If you disable this policy setting, inline AutoComplete is turned off. The user cann
orer. If you enable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an ad
orer. If you enable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an ad
Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The u
Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The u
orer by default, and the user cannot turn it on. If you do not configure this policy setting, the menu bar is turned
orer by default, and the user cannot turn it on. If you do not configure this policy setting, the menu bar is turned
whenever the user browses to a page that loads content from an intranet site. If you disable this policy setting
whenever the user browses to a page that loads content from an intranet site. If you disable this policy setting
icy setting, the printing of background colors and images is turned on. The user cannot turn it off. If you disable
off Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Prote
Microsoft JScript. If you enable this policy setting, script debugging is turned on. The user cannot turn off scrip
RTM
RTM
RTM
RTM
ou do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone
d Sites. The users browsing history is sent to Microsoft to produce suggestions. If you disable this policy setting
d Sites. The users browsing history is sent to Microsoft to produce suggestions. If you disable this policy setting
TP5
ot appear properly because of problems with its scripting. The user cannot change this policy setting. If you dis
policy setting, the user can turn on or turn off the hover color option.
on. If you disable this policy or do not configure it, dial-up settings will not be configured by Automatic Detectio
ot use HTTP 1.1.
ot use HTTP 1.1.
not configure this policy setting, users can configure Internet Explorer to use or not use HTTP 1.1 through proxy
not configure this policy setting, users can configure Internet Explorer to use or not use HTTP 1.1 through proxy
ade bigger (20 x 20 pixels). If you do not configure this policy setting, icons for command buttons are 16 x 16 pi
ade bigger (20 x 20 pixels). If you do not configure this policy setting, icons for command buttons are 16 x 16 pi
an add and remove sites from the list.
an add and remove sites from the list.
g (with an additional string appended). Additionally, webpages included in this list appear in Quirks Mode.
g (with an additional string appended). Additionally, webpages included in this list appear in Quirks Mode.
are not prevented from appearing. If you do not configure this policy setting, most unwanted pop-up windows
are not prevented from appearing. If you do not configure this policy setting, pop-up windows are not prevente
RTM
RTM
hrough the user's code page. This behavior matches the behavior of Internet Explorer 6 and earlier. The user ca
hrough the user's code page. This behavior matches the behavior of Internet Explorer 6 and earlier. The user ca
his policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directl
play the browser in a full screen. This policy is intended to prevent users from displaying the browser without t
er View menu. Caution: This policy does not prevent users from viewing the HTML source of a Web page by rig
er of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the
of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the dro
ndwriting recognition in future versions of Windows. If you enable this policy, users cannot start the handwriting
ndwriting recognition in future versions of Windows. If you enable this policy, users cannot start the handwriting
setting overrides this one.

Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy sh
1607
evious logons during user logon" policy setting located in the Windows Logon Options node under Windows Com
etting, domain controllers will request compound authentication. The returned service ticket will contain compo
earch is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a refe
set too high, then authentication failures might be occurring even though warning events are not being logged
equest compound authentication" must be configured and enabled in the resource account domain. If you enab
ble the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the synt
5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm,
connections. Warning: When revocation check is ignored, the server represented by the certificate is not guaran
its users will fail from computers with this policy setting enabled. If you enable this policy setting, the client co
equired to create compounded authentication and armor Kerberos messages in domains which support claims a
sions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches t
empt to use Kerberos by generating an SPN. If you enable this policy setting, only services running as LocalSy
ocessing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. If
KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(
ust configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers t
f you enable this policy setting, the devices credentials will be selected based on the following options: Autom
RTM
her suite order is used. SMB 3.11 cipher suites: AES_128_GCM AES_128_CCM SMB 3.0 and 3.02 cipher suites:
vices installed. Policy configuration Select one of the following: - Not Configured. With this selection, hash pub
RTM
RTM
TP4
guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an
1607
1607
TP5
e this policy setting, additional options are available to fine-tune your selection. You may choose the "Allow oper
uch as bandwidth estimation and network health analysis. If you enable this policy setting, additional options a
icy setting, all programs on this computer can use the Windows Location Provider feature.
able or do not configure this policy setting, Windows uses the default Windows logon background or custom bac
network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which
1607
ging off the system. If you disable or do not configure this policy setting, only the default status messages are d
he PC from the network or can connect the PC to other available networks without signing into Windows.
the Start menu or by typing ""Welcome"" in the Run dialog box. If you disable or do not configure this policy, th
the Start menu or by typing ""Welcome"" in the Run dialog box. If you disable or do not configure this policy, th
ain-joined computers.
and services that the system starts. If you enable this policy setting, the system ignores the run list for Window
and services that the system starts. If you enable this policy setting, the system ignores the run list for Window
able this policy setting, the system ignores the run-once list. If you disable or do not configure this policy settin
able this policy setting, the system ignores the run-once list. If you disable or do not configure this policy settin
h User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not confi
sers to wait while their system starts or shuts down, or while users log on or off.
etting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable progra
etting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable progra
RTM
RTM
TP4
1607
this setting, employees can't change it. If you don't configure this setting, employees can choose how new tab
this setting, employees can't change it. If you don't configure this setting, employees can choose how new tab
e this setting, employees can't use Autofill to automatically fill in forms while using Microsoft Edge. If you don't
e this setting, employees can't use Autofill to automatically fill in forms while using Microsoft Edge. If you don't
you disable or don't configure this setting, all cookies are allowed from all sites.
you disable or don't configure this setting, all cookies are allowed from all sites.
for tracking info. If you disable this setting, Do Not Track requests are never sent to websites asking for trackin
for tracking info. If you disable this setting, Do Not Track requests are never sent to websites asking for trackin
provide a list of Favorites in the Options section. This list is imported after your policy is deployed. If you disable
provide a list of Favorites in the Options section. This list is imported after your policy is deployed. If you disable
es by using angle brackets in this format: <support.contoso.com><support.microsoft.com> If you disable or d
es by using angle brackets in this format: <support.contoso.com><support.microsoft.com> If you disable or d
Manager to save their passwords locally. If you don't configure this setting, employees can choose whether to us
Manager to save their passwords locally. If you don't configure this setting, employees can choose whether to us
gure this setting, employees can choose whether to use Pop-up Blocker.
gure this setting, employees can choose whether to use Pop-up Blocker.
Edge. If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge.
Edge. If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge.
d employees can't turn it off. If you disable this setting, SmartScreen Filter is turned off and employees can't tu
d employees can't turn it off. If you disable this setting, SmartScreen Filter is turned off and employees can't tu
wed using Internet Explorer 11 and Enterprise Mode. If you disable or don't configure this setting, Microsoft Edg
wed using Internet Explorer 11 and Enterprise Mode. If you disable or don't configure this setting, Microsoft Edg
1607
1607
etting, employees can ignore SmartScreen Filter warnings and continue the download process.
etting, employees can ignore SmartScreen Filter warnings and continue the download process.
mployees can ignore SmartScreen Filter warnings and continue to the site.
mployees can ignore SmartScreen Filter warnings and continue to the site.
shown while making calls using the WebRTC protocol.
shown while making calls using the WebRTC protocol.
don't configure this setting, all intranet sites are automatically opened using Microsoft Edge.
don't configure this setting, all intranet sites are automatically opened using Microsoft Edge.
1607
1607
ed. -- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in exc
r remove snap-ins. Also, because they cannot open author-mode console files, they cannot use the tools that th
snap-ins setting folder and enable the settings representing the snap-in you want to permit. If a snap-in setting
into the Microsoft Management Console or run from the command line as a standalone console. An error messa
ory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group
s Mobility Center and the .exe file launches it. If you do not configure this policy setting, Windows Mobility Cent
s Mobility Center and the .exe file launches it. If you do not configure this policy setting, Windows Mobility Cent
rs a quick and easy way to configure their system settings before a presentation to block system notifications an
rs a quick and easy way to configure their system settings before a presentation to block system notifications an
ce/Automatic Maintenance Control Panel. If you disable or do not configure this policy setting, the daily schedu
s Activation Boundary, by upto this time. If you do not configure this policy setting, 4 hour random delay will be
ffect. If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a w
al to resolve a problem. If you disable this policy setting, MSDT cannot gather diagnostic data. If you do not con
red to completely troubleshoot the problem. If tool download is restricted, it may not be possible to find the roo
olve a problem. By default, the support provider is set to Microsoft Corporation. If you disable this policy setting
If you disable or do not configure this policy setting, the security features of Windows Installer prevent users fro
eges. Because the installation is running with elevated system privileges, users can browse through directories
patches can easily be vehicles for malicious programs, some installations prohibit their use. If you disable or do
eges. This policy setting does not affect installations that run in the user's security context. By default, users ca
to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This p
to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This p
prompts for source media when new updates are applied. If you enable this policy setting you can modify the m
nent from a feature. This can also occur if you change the GUID of a component. The component identified by th
efuse the installation. If you enable this policy setting, the warning is suppressed and allows the installation to p
n when the installation is running in the user's security context. If you disable or do not configure this policy set
or malicious programs, some installations prohibit their use. Note: This policy setting applies only to installation
The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The
policy setting, only administrators or users with administrative privileges can apply updates to Windows Install
by users or administrators. If you enable this policy setting, updates cannot be removed from the computer by a
also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cann
also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cann
er box to control file in use detection behavior. -- The "Restart Manager On" option instructs Windows Installer t
products that are installed per user, and products that are installed per computer. If the installer finds a per-use
e source from the "Use features from" list that the system administrator configures. This policy setting applies e
is policy setting on Windows Server 2003, Windows Installer requires the transform file in order to repeat an ins
policy setting, you can change the search order by specifying the letters representing each file source in the ord
is recorded, type the letter representing the event type. You can type the letters in any order and list as many o
staller does not generate System Restore checkpoints when installing applications. If you disable or do not confi
ttings box to control automatic logging via package settings behavior. -- The "Logging via package settings on"
fault, the shared component functionality is allowed.
tallation setting. -- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgra
This is the default recovery behavior on Windows client. Silent: Detection, troubleshooting, and notification of M
y qualified domain name (FQDN) that resolves to an IPv6 address, or an IPv6 address. Examples: PING:myserver
tivity is Corporate Connection.

e DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically
es whatever normal name resolution is available to the client computer in its current network configuration, incl
s the generated log files as a .html file. The user can review the message and add additional information before
et access. If this setting is not configured, the entry for DirectAccess connectivity appears.
wise it is outside the network.
By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in t
sers may want to disable this feature if the PDC emulator is located over a slow WAN connection. If you enable
en sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote
allback mechanism. NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site
e the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and
address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So th
xclusive read access to files on the share even when the caller has only read permission. If you disable or do no
sts (specified in the SRV records Target field). DNS clients that query for SRV resource records attempt to contac
the <DomainName>[1B] NetBIOS name if it hasnt already been successfully added. None of these operations
ve read access to files on the share even when the caller has only read permission. When this setting is disable
nter a value in seconds (for example, the value "900" is 15 minutes). If you do not configure this policy setting,
to the Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV rec
n be computed, the DC may do an address lookup on the client network name to discover other IP addresses wh
ied. Select the mnemonics from the following list: Mnemonic Type DNS Record LdapIpAddress A <Dn
applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network co
fihgure this policy setting, it is not applied to any computers, and computers use their local configuration.
on will be logged to the file. Higher values result in more verbose logging; the value of 536936447 is commonl
the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storag
ult value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum
Name that have not specified the DS_BACKGROUND_ONLY flag. The default value for this setting is 30 minutes
c update. DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically r
e. When the site to which a computer belongs is not specified, the computer automatically discovers its site from
the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV record
ocator DNS SRV records for those sites without a DC that are closest to it. The DC Locator DNS records are dyna
RTM
by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to
hey are used to locate the DC. If you enable this policy setting, the DCs to which this setting is applied dynamic
is not used if the AllowSingleLabelDnsDomain policy setting is enabled. By default, when no setting is specified
to locate a domain controller hosting an Active Directory domain specified with a single-label name. If you ena
cy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use
0=4233600). The minimum value for this setting is 0. This setting is relevant only to those callers of DsGetDcN
this setting, that value becomes the retry interval for all subsequent retries until the value set in Final DC Disco
m value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*
find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be m
whether the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog
, if your file system is NTFS, users need to have Write access to Documents and Settings\All Users\Application D
, or by using the File menu. If you disable this setting (and enable the "Enable Network Connections settings fo
ns. Any user can rename all-user connections by clicking an icon representing the connection or by using the Fil
ption is disabled for nonadministrators only. If you do not configure this setting, only Administrators and Networ
ork Connections settings for Administrators" setting), the Rename option for LAN and all user remote access con
n a user is connected to a network with local access only.
use of certain features from Administrators. By default, Network Connections group settings in Windows XP Prof
s for Administrators" setting), the Properties menu items are disabled for all users, and users cannot open the L
ctions settings for Administrators" setting), the Properties button is disabled for Administrators. Network Configu
e "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for all use
ou enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the A
lder. As a result, users (including administrators) cannot start the New Connection Wizard. Important: If the "En
e "Enable Network Connections settings for Administrators" setting), the Remote Access Preferences item is disa
omponents of connections are disabled, and administrators are not permitted to access network components in
ting determines whether the Properties menu item is enabled, and thus, whether the Remote Access Connectio
administrators). Important: If the "Enable Network Connections settings for Administrators" is disabled or not co
menu for a remote access connection and on the File menu in the Network Connections folder. Important: If th
ot enable or disable the components that a connection uses. Important: If the "Enable Network Connections set
etwork other than the one it was connected to when the setting was refreshed, this setting does not apply. The
ble the "Enable Network Connections settings for Administrators" setting), the Rename option is disabled for all
users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS
er is connected to the same DNS domain network it was connected to when the setting was refreshed on that co
me resolution and addressing through DHCP, to the local private network. If you enable this setting, ICS cannot
properties of the connection. If you enable this setting, the connection status taskbar icon and Status dialog box
unnel that DirectAccess establishes between the computer and the internal network, or directly through the loca
hat a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request w
apps on proxied networks can access the Internet without relying on the Private Network capability. However, in
nistrator to configure a set of proxies that provide access to intranet resources. If you disable or do not configur
to apps if and only if the app has declared the Home/Work Networking capability. Windows Network Isolation a
with Group Policy are authoritative. This applies to both Internet and intranet proxies. If you disable or do not co
environment. Only network hosts within the address ranges configured via Group Policy will be classified as priva
ble this setting, you can use the "Action" box to specify how computers in the group respond. -- "Work offline"
ble this setting, you can use the "Action" box to specify how computers in the group respond. -- "Work offline"
ing, Offline Files is disabled and users cannot enable it. If you do not configure this policy setting, Offline Files i
configure it, automatically and manually cached copies are retained on the user's computer for later offline use
ntrol when Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval'
econnect to a server when the presence of a server is detected. If you enable this setting, you can configure th
w-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working o
matic caching can be set on any network share. When a user opens a file on the share, the system automaticall
ble or do not configure this policy setting, a user can create a file of any type in the folders that have been made
esult in extra charges on cell phone or broadband plans. If this setting is disabled or not configured, synchroniza
onse times and decreases bandwidth consumption over WAN links. The cached files are temporary and are not
ffline Files cache are encrypted. This includes existing files as well as files added later. The cached copy on the l
events you want Offline Files to record. To use this setting, in the "Enter" box, select the number corresponding
events you want Offline Files to record. To use this setting, in the "Enter" box, select the number corresponding
make a file of this type available offline, the operation will fail and the following message will be displayed in the
very 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first re
very 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first re
TP4
TP4
TP4
TP4
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
TP4
hronized. Full synchronization ensures that offline files are complete and current. If you disable this setting, the
hronized. Full synchronization ensures that offline files are complete and current. If you disable this setting, the
hronized at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting a
hronized at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting a
Full" ensures that all cached files and folders are up-to-date with the most current version. If you disable or do
Full" ensures that all cached files and folders are up-to-date with the most current version. If you disable or do
If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them. I
If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them. I
are synchronized later. If you disable this policy setting, all administratively assigned folders are synchronized a
weaker than what would be allowed for a login password. This setting controls this validation behavior. If set to
puters cannot detect that client and initiate sessions with it. If you enable this policy setting, this computer can
ng peer to peer can be used as a seed server. No configuration is needed for the seed server itself. This setting
allows for setting the seed server to a specified node in an enterprise. To use this setting, click Enable, and then
allows for setting the seed server to a specified node in an enterprise. To use this setting, click Enable, and then
will be turned off. If you disable this setting or do not configure it, the peer-to-peer protocols will be turned on.
s by using multicast on the same subnet. That is, PNRP publishes itself on the local subnet, so that other compu
lf is by using multicast on the same subnet. That is, PNRP publishes itself on the local subnet, so that other com
lf is by using multicast on the same subnet. That is, PNRP publishes itself on the local subnet, so that other com
o-peer (P2P) connections. The PNRP cloud is a group of connected PNRP nodes, in which connections exist betwe
licy is set to 0, then storage of previous PINs is not required. Default: 0.

licy is set to 0, then storage of previous PINs is not required. Default: 0.
TP5
TP5
owest. If you configure this policy setting, the PIN length must be greater than or equal to this number. If you d
owest. If you configure this policy setting, the PIN length must be greater than or equal to this number. If you d
s in their PIN.
s in their PIN.
allow users to use lowercase letters in their PIN.
TP5
TP5
N. If you disable or do not configure this policy setting, Microsoft Passport for Work does not allow users to use
allow users to use uppercase letters in their PIN.
allow users to use uppercase letters in their PIN.
PM is still preferred, but all devices may provision Microsoft Passport for Work using software if the TPM is non-fu
es. If you disable this policy setting, Microsoft Passport for Work prevents the use of biometric gestures. NOTE:
heir domain password. If you enable this policy, the device provisions Microsoft Passport for Work using keys or
olled in Passport for Work. If you enable this policy setting, Remote Passport will be enabled, allowing the use o
ssues. When failures are detected, the PCA will provide options to run the application in a compatibility mode o
ntent from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, w
e using different versions of BranchCache might store cache data in incompatible formats. If you enable this po
e servers that are installed in the same office location. You can use this setting to automatically configure clien
o which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both
nfiguration Select one of the following: - Not Configured. With this selection, BranchCache client computer cac
tent from BranchCache-enabled main office content servers, cache the content locally, and serve the content to
client, it is able to download cached content from a hosted cache server that is located at the branch office. In a
e is set to 5 percent of the total disk space on the client computer. Policy configuration Select one of the follow
et BranchCache Distributed Cache mode - Set BranchCache Hosted Cache mode - Configure Hosted Cache Ser
nd attempt to determine their root causes. These root causes will be logged to the event log when detected, bu
problems and attempt to determine their root causes. These root causes will be logged to the event log when de
Performance problems and attempt to determine their root causes. These root causes will be logged to the eve
s problems and attempt to determine their root causes. These root causes will be logged to the event log when
rocessed. If you do not configure this policy setting, the DPS will enable Windows Performance PerfTrack by defa
rvices, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to d
rvices, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to d
re this policy setting, users control this setting.

re this policy setting, users control this setting.
er may enter is hibernate.
er may enter is hibernate.
al Battery Notification Action" policy setting. If you disable this policy setting or do not configure it, users contro
ly on Windows shutdown behavior. This setting is only applicable when Windows shutdown is initiated by softw
this policy setting, users control this setting.
this policy setting, users control this setting.
Notification Action" policy setting. If you disable this policy setting or do not configure it, users control this sett
not configure this policy setting, users control if their computer is automatically locked or not after performing a
Windows will only reduce the brightness of the primary display integrated into the computer. If you disable or d
Windows will only reduce the brightness of the primary display integrated into the computer. If you disable or d
sword when the system resumes from sleep.
sword when the system resumes from sleep.
sers can see and change this setting.
control this setting.
nd change this setting.
nd change this setting.
change this setting.
rmat: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), i

able or do not configure this policy setting, users control this setting.
able or do not configure this policy setting, users control this setting.
olicy setting, users control this setting. If the user has configured a slide show to run on the lock screen when th
RTM
ing, users control this setting. If the user has configured a slide show to run on the lock screen when the machi
ing, users control this setting. If the user has configured a slide show to run on the lock screen when the machi
ns to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep.
ns to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep.
g, Windows uses the same setting regardless of users keyboard or mouse behavior. If you do not configure this
g, Windows uses the same setting regardless of users keyboard or mouse behavior. If you do not configure this
see the "Low Battery Notification Level" policy setting. The notification will only be shown if the "Low Battery N
control this setting. If the user has configured a slide show to run on the lock screen when the machine is locke
control this setting. If the user has configured a slide show to run on the lock screen when the machine is locke
and change this setting.
and change this setting.
ers control this setting.
ers control this setting.
e with the SourcePath parameter on the Update-Help cmdlet. If this policy setting is disabled or not configured,
e with the SourcePath parameter on the Update-Help cmdlet. If this policy setting is disabled or not configured,
ipelineExecutionDetails property of the module to True. If you disable this policy setting, logging of execution e
ipelineExecutionDetails property of the module to True. If you disable this policy setting, logging of execution e
u disable this policy setting, logging of PowerShell script input is disabled. If you enable the Script Block Invoc
u disable this policy setting, logging of PowerShell script input is disabled. If you enable the Script Block Invoc
Shell engine. By default, Windows PowerShell will record transcript output to each users' My Documents directo
Shell engine. By default, Windows PowerShell will record transcript output to each users' My Documents directo
sher. The "Allow local scripts and remote signed scripts" policy setting allows any local scrips to run; scripts tha
sher. The "Allow local scripts and remote signed scripts" policy setting allows any local scrips to run; scripts tha
users cannot list and restore previous versions of files on local disks. If you do not configure this policy setting,
users cannot list and restore previous versions of files on local disks. If you do not configure this policy setting,
t and restore previous versions of files on file shares. If you do not configure this policy setting, it is disabled by
t and restore previous versions of files on file shares. If you do not configure this policy setting, it is disabled by
up copies, and can see only previous versions corresponding to on-disk restore points. If you disable this policy
up copies, and can see only previous versions corresponding to on-disk restore points. If you disable this policy
y setting, the Restore button remains active for a previous version corresponding to a local file. If the user clicks
y setting, the Restore button remains active for a previous version corresponding to a local file. If the user clicks
orresponding to a backup. If you disable this policy setting, the Restore button remains active for a previous ve
orresponding to a backup. If you disable this policy setting, the Restore button remains active for a previous ve
le this policy setting, the Restore button remains active for a previous version corresponding to a file on a file sh
le this policy setting, the Restore button remains active for a previous version corresponding to a file on a file sh
net printing is an extension of Internet Information Services (IIS). To use Internet printing, IIS must be installed, a
etwork scan page will not be displayed. If this policy setting is not configured, the Add Printer wizard will displa
be displayed. If this setting is not configured, the Add Printer wizard will display the default number of printers
Direct Printing jobs.
hat have a relatively powerful CPU as compared to the machines GPU.
ss print jobs before sending them to the print server. This decreases the workload on the client at the expense
the Add Printer Wizard. The Browse button appears beside the "Connect to a printer on the Internet or on a hom
eck the "Connect to this printer (or to browse for a printer, select this option and click Next)" radio button on Ad
setting, the default MXDW output format is OpenXPS (*.oxps).
Tracking is enabled, the system uses the specified location as a criterion when users search for printers. The va
page customized for your enterprise. If you disable this setting or do not configure it, or if you do not enter an a
s begin at the root of Active Directory. This setting only provides a starting point for Active Directory searches fo
vers may be installed on the local computer running Windows XP Home Edition and Windows XP Professional. I
policy setting, then all printer extensions will not be allowed to run. If you disable this policy setting or do not c
he print spooler will execute print drivers in an isolated process by default. If you disable this policy setting, the
server driver cache. If you disable this policy setting, the client computer will only search the local driver store
d 2007, Word 2010 and certain other applications are configured to support it. Other applications may also be ca
t servers. If this setting is disabled, or not configured, users will not be restricted to package-aware point and p
t servers. If this setting is disabled, or not configured, users will not be restricted to package-aware point and p
at do not explicitly opt out of Driver Isolation. If you disable or do not configure this policy setting, the print spo
n-package point and print connections. Windows Vista and later clients will attempt to make a non-package poi
n-package point and print connections. Windows Vista and later clients will attempt to make a non-package poi
y download print driver components from a list of explicitly named servers. If a compatible print driver is availa
y download print driver components from a list of explicitly named servers. If a compatible print driver is availa
dard method uses a printer's IP address and subnet mask to estimate its physical location and proximity to com
Control Panel. Also, users cannot add printers by dragging a printer icon into the Printers folder. If they try, a m
ams to delete a printer. If this policy is disabled, or not configured, users can delete printers using the methods
If you disable this setting, shared printers are not announced to print browse master servers, even if Active Dir
1607
ontinue to be shared. The spooler must be restarted for changes to this policy to take effect.
d printers cannot be published in Active Directory, and the "List in directory" option is not available. Note: This s
mputer that published the printers restarts, it republishes any deleted printer objects. If you enable this setting
h printers. However, you can publish shared printers manually. The default behavior is to automatically publish
uter is operating. To enable this additional verification, enable this setting, and then select a verification interva
g service "prunes" (deletes from Active Directory) printer objects the computer has published. By default, the p
nces the order in which the thread receives processor time and determines how likely it is to be preempted by h
ond to the contact message, the message is repeated for the specified number of times. If the computer still fai
not respond to the contact attempt, the attempt is retried a specified number of times, at a specified interval. Th
ws 2000 printers published outside their forest. The Windows pruning service prunes printer objects from Activ
ge lists published programs and provides an easy way to install them. Published programs are those programs
his setting is disabled or not configured, the "View installed updates" task and the "Installed Updates" page will
ols and methods to view or uninstall programs. It also does not prevent users from linking to related Programs C
ending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locat
is not configured, the "Turn Windows features on or off" task will be available to all users. This setting does not
stallation. Enabling this feature does not prevent users from navigating to Windows Marketplace using other me
ftware from Windows Marketplace. Programs published or assigned to the user by the system administrator also
If you enable this setting, you can change the default DSCP value associated with the Best Effort service type.
cation. If you enable this setting, you can change the default DSCP value associated with the Best Effort service
est Effort service type. If you disable this setting, the system uses the default priority value of 0. Important: If t
ecification. If you enable this setting, you can change the default DSCP value associated with the Controlled Loa
flow specification. If you enable this setting, you can change the default DSCP value associated with the Control
with the Controlled Load service type. If you disable this setting, the system uses the default priority value of 0
on. If you enable this setting, you can change the default DSCP value associated with the Guaranteed service t
ecification. If you enable this setting, you can change the default DSCP value associated with the Guaranteed se
e Guaranteed service type. If you disable this setting, the system uses the default priority value of 0. Importan
s submitted to a network adapter for transmission, but which have not yet been sent. If you enable this setting
de the default. If you enable this setting, you can use the "Bandwidth limit" box to adjust the amount of bandwi
ecification. If you enable this setting, you can change the default DSCP value associated with the Network Con
flow specification. If you enable this setting, you can change the default DSCP value associated with the Netwo
with the Network Control service type. If you disable this setting, the system uses the default priority value of
ackets. If you disable this setting, the system uses the default priority value of 0. Important: If the Layer-2 prior
n. If you enable this setting, you can change the default DSCP value associated with the Qualitative service type
fication. If you enable this setting, you can change the default DSCP value associated with the Qualitative serv
Qualitative service type. If you disable this setting, the system uses the default priority value of 0. Important: I
hed for the system, usually units of 10 microseconds. If you disable this setting or do not configure it, the settin
ing, the listed providers will respond to WMI queries, and Reliability Monitor will display system reliability inform
haustion problems and attempt to determine their root causes. These root causes will be logged to the event log
earlier to recover your computer" and "Reinstall Windows" (or "Return your computer to factory condition") app
indicates that the shutdown or restart is unplanned. If you disable this policy setting, the System State Data fe
menu list, the Shutdown Event Tracker is displayed when the computer shuts down. If you enable this policy se
e disk. You can specify the Timestamp Interval in seconds. If you disable this policy setting, the Persistent Syste
not configure this policy setting, users can adjust this setting using the control panel, which is set to "Upload u
s or the unsolicited Offer Remote Assistance. If you enable this policy setting, only computers running this vers
omputer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance
can configure additional Remote Assistance settings. If you disable this policy setting, users on this computer c
ify a custom message to display before a user allows a connection to his or her computer. If you enable this pol
o full window drag -Turn off background "Full optimization" will include the following optimizations: -Use 16-bit
are used.
disable or do not configure this policy setting, write and read accesses are allowed to all removable storage cla
disable or do not configure this policy setting, write and read accesses are allowed to all removable storage cla
ndles to removable storage devices in remote sessions.
RTM
RTM
ed storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located
ed storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located
ot configure this setting, the operating system does not force a reboot. Note: If no reboot is forced, the access
ot configure this setting, the operating system does not force a reboot. Note: If no reboot is forced, the access
removable storage class.

removable storage class.
is removable storage class.
is removable storage class.
er. If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they
encouraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag, but some applications writte
e RPC runtime defaults to "Auto2" level. If you do not configure this policy setting, the RPC defaults to "Auto2"
retrieve the extended error information by using standard Windows application programming interfaces (APIs).
cessing itself. Reverting a change to this policy setting can require manual intervention on each affected machi
ecause connections will be timed out faster than expected. Using this policy setting you can force the RPC Runt
ed during cross-forest logons without the DNS suffixes being configured. If you disable or do not configure this p
s it runs. The instructions appear in a command window. This policy setting is designed for advanced users. If y
runs. The instructions appear in a command window. This policy setting is designed for advanced users. If you
ays each instruction in the shutdown script as it runs. The instructions appear in a command window. If you dis
he startup script as it runs. Instructions appear in a command window. This policy setting is designed for advanc
although it does not display logon scripts written for Windows 2000. If you enable this setting, Windows 2000 d
g is complete before the user starts working, but it can delay the appearance of the desktop. If you disable or d
g is complete before the user starts working, but it can delay the appearance of the desktop. If you disable or d
e running of startup scripts. As a result, startup scripts can run simultaneously. If you disable or do not configure
(GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup an
werShell scripts are run before non-PowerShell scripts during user logon and logoff. For example, assume the fo
werShell scripts are run before non-PowerShell scripts during user logon and logoff. For example, assume the fo
m stops script processing and records an error event. If you enable this setting, then, in the Seconds box, you c
disable or do not configure this policy setting, the scripted diagnostics execution engine runs all digitally signed
ools from the Troubleshooting Control Panel. If you disable this policy setting, users cannot access or run the tro
states, "Do you want the most up-to-date troubleshooting content?" If you enable or do not configure this poli
he problem for interactive resolution. If you choose detection, troubleshooting and resolution, Windows will reso
e. Use $w in place of the query term for the search service URL. If your intranet search service is SharePoint Po
://mysearch2?q=$w. For each search scope, provide: 1) A name for the scope, such as 'IT Web'. 2) The URL to
1607
rypted items or encrypted stores. This policy setting is not configured by default. If you do not configure this pol
olicy setting is not configured by default. If you do not configure this policy setting, the local setting, configured
e. We recommend enabling this policy setting only on PCs where documents are stored in many languages. If yo
s;.xlsx;.ppt;.pptx;.vsd;.xlsb;.xltx;.dot;.rtf
hat do not reference a specific SID will not be excluded from indexing if these are only specified in the Group Po
erence a specific SID will not be included for indexing if these are only specified in the Group Policy under "User
cations on removable drives can be added to libraries. In addition, locations on removable drives can be indexe
licy setting, queries will be performed on the web and web results will be displayed when a user performs a que
ser performs a query in Search. If you disable this policy setting, queries will be performed on the web over me
portions of a delegate mailbox that are cached locally. To have this policy affect all parts of a delegate mailbox,
anaged separately from online mailboxes. The "Enable Indexing of Uncached Exchange Folders" has no effect on
ute. To lower the burden on Microsoft Exchange servers, lower the rate of items indexed per minute. If you disab
o the index. This policy has no effect if the Files on Microsoft Networks add-in is not installed. Disabled by defa
o the index. This policy has no effect if the Files on Microsoft Networks add-in is not installed. Disabled by defa
cy is enabled, the Add and Remove locations options and any previously defined user locations will not be visibl
If you disable or do not configure this policy setting, Windows Search monitors which folders are shared or not s
ot restored.
aths that do not reference a specific SID will not be excluded from indexing if these are only specified in the Gro
n-Microsoft document filters (iFilters). This policy is disabled by default.
se into a single exclusion list. When this policy is disabled or not configured, the user can edit the default list of
nload Public Folder Favorites option must be turned on.
an acess the Advanced Options dialog for Search and Indexing Options in the Control Panel. This is the default fo
ecify an allow list of add-ins by providing the classID or ProgId string. For example, if you plan to deploy a partic
er. The full preview pane functionality is only available for Office documents in Office XP or later. When this pol
that users can see snippets related to their desktop search query. When this policy is disabled or not configure
dult images and videos but not text from search results; -Off: Don't filter adult content from search results. If yo
their search and other Microsoft experiences. -User info only: Share a user's search history and some Microso
RTM
ure this policy setting, users will get search suggestions based on previous searches in the search pane.
lso contains a status section, where the user can get recommendations to help increase the computer's security
computer will not be prevented from using location information from the location feature.
computer will not be prevented from using location information from the location feature.
ed on managed servers. If you enable this policy setting, Server Manager uses the refresh interval specified in t
e this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the ser
layed each time an administrator logs on to the server. However, if the administrator has selected the "Dont di
er. If you do not configure this policy setting, Server Manager is displayed when a user logs on to the server. Ho
m corruption and for enabling optional features that have had their payload files removed. You must enter the fu
to turn syncing on" so that syncing it turned off by default but not disabled. If you do not set or disable this set
syncing it turned off by default but not disabled. If you do not set or disable this setting, syncing of the "app se
ff by default but not disabled. If you do not set or disable this setting, syncing of the "AppSync" group is on by d
nd favorites, will not be synced. Use the option "Allow users to turn browser syncing on" so that syncing is turn
n desktop personalization syncing on" so that syncing it turned off by default but not disabled. If you do not set
place when this PC is on a metered connection. If you do not set or disable this setting, syncing on metered con
n other Windows settings syncing on" so that syncing it turned off by default but not disabled. If you do not set
it turned off by default but not disabled. If you do not set or disable this setting, syncing of the "passwords" gr
cing it turned off by default but not disabled. If you do not set or disable this setting, syncing of the "personaliz
turned off by default but not disabled. If you do not set or disable this setting, syncing of the "Start layout" gro
ndows Setup was run on the system.
e location used during the last time Windows Service Pack Setup was run on the system.
prove handwriting recognition in future versions of Windows. The tool generates reports and transmits them to
prove handwriting recognition in future versions of Windows. The tool generates reports and transmits them to
nnot publish DFS roots in AD DS and the "Publish in Active Directory" option is disabled. Note: The default is to a
icy setting, users cannot publish shared folders in AD DS, and the "Publish in Active Directory" option is disabled
sable or do not configure this policy setting, users can add computers to a homegroup. However, data on a dom
ofile. If you enable this policy setting, users cannot share files within their profile using the sharing wizard. Also
from running programs that are started by the File Explorer process. It does not prevent users from running pro
other administrative tools, use the "Run only specified Windows applications" policy setting.
at a setting prevents the action. If you disable this policy setting or do not configure it, users can run Cmd.exe
rs from running programs that are started by the File Explorer process. It does not prevent users from running
er is displayed at user logon.
signed and unsigned gadgets will be extracted. The default is for Windows to extract both signed and unsigned
signed and unsigned gadgets will be extracted. The default is for Windows to extract both signed and unsigned
s to be turned on.
s to be turned on.
TP4
avigation pane in File Explorer. * OneDrive files arent kept in sync with the cloud. * Users cant automatically u
e able to open and save files on OneDrive using the OneDrive app and file picker, and Windows Store apps will s
be used to modify that restriction. If you enable this policy setting, certificates with the following attributes can
es on a smart card cannot be used to log on to a domain. Note: This policy setting only affects a user's ability to
you enable this policy setting, the integrated unblock feature will be available. If you disable or do not configu
le smart card signature key-based certificates will not be listed on the logon screen.
s setting only controls the displaying of the certificate on the client machine. If you enable this policy setting ce
eir user name or user name and domain will be displayed. If you disable or do not configure this policy setting,
at the time of logon. If you disable or do not configure this policy setting, the default message will be displaye
havior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to b
he card. This can introduce a significant performance decrease in certain situations. Please contact your smart
tion message will not be displayed when a smart card device driver is installed. Note: This policy setting is app
could prevent certain smart cards from working on Windows. Please consult your smart card manufacturer to fin
=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be display
certificates will not be made available to applications such as Outlook.
also be enabled: Turn on certificate propagation from smart card. If you disable this policy setting then root cer
you disable this policy setting, Smart Card Plug and Play will be disabled and a device driver will not be installed
y is a community recognized by the SNMP service, while a community is a group of hosts (servers, workstations,
ting terminal values and monitoring network events. The manager is located on the host computer on the netw
olicy setting allows you to configure the name of the hosts that receive trap messages for the community sent
onfigure this policy setting, Sound Recorder can be run.
onfigure this policy setting, Sound Recorder can be run.
ess. If you enable this policy setting, users receive a customized Access Denied message from the file servers
ese with properties defined on individual file servers by using File Classification Infrastructure, which is part of th
ndividual file servers by using File Classification Infrastructure, which is part of the File Server Resource Manage
-bit programs. By default, all 16-bit programs run as threads in a single, shared VDM process. As such, they shar
the Display Logoff item from Start Menu Options. As a result, users cannot remove the Log Off <username> ite
earch box. If you do not configure this policy (default), there will not be a "Search the Internet" link on the star
n command to the Start menu policy has no effect.
ack to Shut Down. If you disable or do not configure this setting, the Start Menu power button will be set to Shu
mp Lists off of programs in the Start Menu and Taskbar will be cleared when the user logs off. If you disable or d
s setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the u
led, the taskbar does not display any custom toolbars, and the user cannot add any custom toolbars to the task
ent shortcuts. The system empties the Recent Items menu on the Start menu, and Windows programs do not di
be shown when the user performs a search in the start menu search box.
setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associ
ure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches al
Pictures, Music, Computer, and Network. The new Start menu starts them directly. If you enable this setting, th
he size of Start in Settings.
tting, the default setting for the users device will be used, and the user can choose to change it.
and those that users have configured for full installation upon first use. If you disable this setting or do not confi
e notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if an
orting options. If you disable or don't configure this policy setting, the desktop apps won't be listed first when th
annot be moved or resized. If you enable this setting, it prevents the user from moving or resizing the taskbar. W
TP5
TP5
name. By default, this setting is always enabled. If you disable or do not configure it, items on the taskbar tha
not configure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile,
olicy setting, the context menus for the taskbar are available. This policy setting does not prevent users from us
this policy setting, the "All Programs" item remains on the simple Start menu.
the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are removed from the Start men
text affected by this setting includes "Click here to begin" on the Start button, "Where have all my programs go
in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs.

lity to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which
gain access to the contents of the Documents folder. Note: To make changes to this policy setting effective, yo
es not appear on the Start menu by default. To display the Favorites menu, right-click Start, click Properties, and
menu. It does not remove the Help menu from File Explorer and does not prevent users from running Help.
homegroup link from the Start Menu.
olicy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet E
As a result, users cannot restore the Log Off <username> item to the Start Menu. If you disable or do not config
om Settings on the Start menu. Network Connections still appears in Control Panel and in File Explorer, but if us
ed Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu.
ch as Control.exe) from running. However, users can still start Control Panel items by using other methods, suc
em saves document shortcuts but does not display the Recent Items menu in the Start Menu, and users cannot
ntering the following into the Internet Explorer Address Bar: --- A UNC path: \\<server>\<share> ---Accessing lo
nu that appears when you right-click the Start menu. Also, the system does not respond when users press the A
rty protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link.
Remove user folder link from Start Menu" policy setting. If you disable or do not configure this policy setting, the
n the top section of the Start menu. Because the appearance of two folders with the same name might confuse
e list of installed apps. If you disable or dont configure this policy setting, the user can configure this setting.
"Run as different user" command from Start for any applications. Note: This setting does not prevent users from
ng, then users will be able to turn the QuickLaunch bar on and off.
ogo key. If you disable or don't configure this policy setting, the Start screen will always appear on the main dis
g, the Start screen will appear by default whenever the user goes to Start, and the user will be able to switch be
nfigure a device's Start layout to the desired look and feel. Once you are done, run the Export-StartLayout Power
nfigure a device's Start layout to the desired look and feel. Once you are done, run the Export-StartLayout Power
RTM
s. All menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus
uns. The system uses this information to customize Windows features, such as showing frequently used program
RTM
policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to
uch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, sym
uch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, sym
er text, symbols, numbers, or keyboard shortcuts. If you enable this policy, Input Panel will never appear next t
er text, symbols, numbers, or keyboard shortcuts. If you enable this policy, Input Panel will never appear next t
mbols, numbers, or keyboard shortcuts. If you enable this policy, Input Panel will never appear next to any text
mbols, numbers, or keyboard shortcuts. If you enable this policy, Input Panel will never appear next to any text
RTM
nly) only when these input languages or keyboards are installed. Touch Keyboard and Handwriting panel (a.k.a.
the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. If yo
the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. If yo
is policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configur
is policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configur
RTM
ng what keys are tapped when entering a password. Touch Keyboard and Handwriting panel enables you to use
blet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to en
blet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to en
o not configure this policy, users will be able to use this feature to print to a Journal Note.
o not configure this policy, users will be able to use this feature to print to a Journal Note.
ping will occur.

ping will occur.
nfigure this policy, pen flicks and related features are available.
nfigure this policy, pen flicks and related features are available.
disabled and that the pen flicks notification will never be displayed. However, pen flicks, the pen flicks tray icon
disabled and that the pen flicks notification will never be displayed. However, pen flicks, the pen flicks tray icon
disable this policy, applications can be launched from a hardware button. If you do not configure this policy, ap
disable this policy, applications can be launched from a hardware button. If you do not configure this policy, ap
your system administrator." If you disable this policy, press and hold actions for buttons will be available. If yo
your system administrator." If you disable this policy, press and hold actions for buttons will be available. If yo
icy, user and OEM defined button actions will occur when the buttons are pressed.
icy, user and OEM defined button actions will occur when the buttons are pressed.
pen cursors will be shown unless the user disables them in Control Panel.
pen cursors will be shown unless the user disables them in Control Panel.
ty issues with toast notifications. If you disable or dont configure this policy setting, all notifications will appea
p Lists will continue to show. If you disable or do not configure this policy setting, users can pin files, folders, we
rams already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not
s can pin the Store app to the Taskbar.
y setting, users can show taskbars on more than one display.
documents and other tasks. If you enable this policy setting, the Start Menu and Taskbar only track the files tha
ting that is not prevented by another policy setting.
e able to add toolbars to the taskbar.
f the monitor unless prevented by another policy setting.
otification area. The user will be able to read notifications when they appear, but they wont be able to review a
m shortcuts stay on the Taskbar.
in the system notification area.
e users device will be used, and the user can choose to change it.
TP4
d task's property sheet upon completion of the "Add Scheduled Task" wizard. The task's property sheet allows u
d task's property sheet upon completion of the "Add Scheduled Task" wizard. The task's property sheet allows u
ties that appear in Detail view and in the task preview. This setting prevents users from viewing and changing
ties that appear in Detail view and in the task preview. This setting prevents users from viewing and changing
figuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration
figuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration
e "Start in" box that determine the program and path for a task. As a result, when users create a task, they mu
e "Start in" box that determine the program and path for a task. As a result, when users create a task, they mu
s a result, users cannot add new scheduled tasks by dragging, moving, or copying a document or program into t
s a result, users cannot add new scheduled tasks by dragging, moving, or copying a document or program into t
TP4
and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes prec
Tasks folder. Note: This setting appears in the Computer Configuration and User Configuration folders. If both s
Tasks folder. Note: This setting appears in the Computer Configuration and User Configuration folders. If both s
e for a 6to4 host. If you disable or do not configure this policy setting, the local host setting is used, and you ca
odically. If you disable or do not configure this policy setting, the local host setting is used.
exadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site. If you disable or do not config
figuration Limits will be disabled and system will not limit the number of autoconfigured addresses and routes.
ou will be able to configure IP-HTTPS with one of the following settings: Policy Default State: The IP-HTTPS interf
d. If you disable or do not configure this policy setting, the local host setting is used.
do not configure this policy setting, the local host setting is used. If you enable this policy setting, you can confi
an customize a UDP port for the Teredo client. If you disable or do not configure this policy setting, the local ho
s policy setting contains only one state: Policy Enabled State: If Default Qualified is enabled, Teredo will attemp
and UDP port mapping in the translation table of the Teredo client's NAT device. If you enable this policy setting
y setting, the local settings on the computer are used to determine the Teredo server name.
redo with one of the following settings: Default: The default state is "Client." Disabled: No Teredo interfaces ar
al host settings are used. If you enable this policy setting, Window Scaling Heuristics will be enabled and system
mputer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm wheth
mputer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm wheth
ate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settin
certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp
nnection (RDC). Users can choose to play the remote audio on the remote computer or on the local computer. U
ers can record audio by using an audio input device on the local computer, such as a built-in microphone. By de
USB devices over RDP to all users or only to users who are in the Administrators group on the computer. If you d
rrent session time (current session time = server base time + client time zone). If you disable or do not configu
disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Serv
By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote
TP4
ction is attempted for all clients running Remote Desktop Connection whenever their network connection is lost.
u select the algorithm that is optimized to use less memory, this option is less memory-intensive, but uses more
g option to Always Attempt, Remote Desktop will always try to use H.264/AVC hardware encoding when availa
w, RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode cons
ead of changing to a disconnected state, even if the client is physically disconnected from the RD Session Host
e load-balanced farm. The farm name does not have to correspond to a name in Active Directory Domain Servic
load-balanced farm should use the same RD Connection Broker server. If you enable this policy setting, you mu
ng content on the server by using graphics processing units (GPUs). By default, RemoteFX for RD Virtualization H
ce could be set to one of the following options: 1. Let the system choose the experience for the network condit
ent connects to the RD Session Host server even if the client cannot authenticate the RD Session Host server. W
ted administrator is logged off, any data not previously saved is lost. If you enable this policy setting, logging o
rvices allows this client printer mapping. If you enable this policy setting, users cannot redirect print jobs from
e local computer. By default, Remote Desktop Services allows Clipboard redirection. If you enable this policy se
sktop Services session. By default, Remote Desktop Services allows this COM port redirection. If you enable this
<driveletter> on <computername>. You can use this policy setting to override this behavior. If you enable this
use this setting to disable the acceleration; then, if the problem still occurs, you will know that there are additio
administrators are able to make such changes. If you enable this policy setting the default security descriptors
vices allows LPT port redirection. If you enable this policy setting, users in a Remote Desktop Services session c
his settings, any password that previously existed in the RDP file will be deleted. If you disable this setting or l
ion and saves his settings, any password that previously existed in the RDP file will be deleted. If you disable th
card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card dev
SB devices. If you disable this policy setting, users can redirect their supported Plug and Play devices to the rem
s temporary folders when the user logs off. If you enable this policy setting, a user's per-session temporary fold
u can use this policy setting to override this behavior. If you enable this policy setting, the default printer is the
r for each active session that a user maintains on a remote computer. These temporary folders are created on t
t to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting.
emoteFX Codec.If you enable this policy setting, users' sessions on this server will only use the Windows Server
sions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. Time
sions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. Time
e Desktop, depending on the client configuration (see the Experience tab in the Remote Desktop Connection op
h RD Licensing that affect the RD Session Host server. If applicable, a notification will also be displayed that not
mote Desktop Session Host role service must be installed on the server. If the policy setting is enabled, the RD
By default, a license server issues an RDS CAL to any RD Session Host server that requests one. If you enable t
select High, the audio will be sent without any compression and with minimum latency. This requires a large am
and reduce server load. If you enable this policy setting, the color depth that you specify is the maximum color
enable this policy setting, you must specify a resolution width and height. The resolution specified will be the ma
ing them that the server is busy and to try again later. Restricting the number of sessions improves performanc
his policy setting, you can specify the number of monitors that can be used to display a Remote Desktop Service
y setting located in User Configuration\Policies\Administrative Templates\System\User Profiles. If you enable thi
pplications that use Silverlight or Windows Presentation Foundation. If you enable this policy setting, you must s
f your users, you can reduce network bandwidth usage by reducing the screen capture rate. You can also reduc
ppropriate RDS or TS CAL for a connection. For example, a Windows Server 2008 license server will try to issue
emote connection to an RD Session Host server. If saved credentials for the user are available on the client com
, "Disconnect" does not appear as an option in the drop-down list in the Shut Down Windows dialog box. If you
art menu. As a result, users must type a security attention sequence, such as CTRL+ALT+END, to open the Wind
abled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not a
emote connections must use the security method specified in this setting. The following security methods are av
policy setting, only client computers that support Network Level Authentication can connect to the RD Session H
ted state, the user automatically reconnects to that session at the next logon. If you disable this policy setting,
Remote Desktop Protocol will not determine the network quality at the connect time, and it will assume that all
or TCP (default)" If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP t
a client and an RD Session Host server during RDP connections. If you enable this policy setting, you need to sp
to SSL encryption) is not recommended. This policy does not apply to SSL encryption. If you enable this policy s
ored, allowing a user to access the same profile for sessions on all RD Session Host servers that are configured
cy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server
d, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on
ce the directory on a network share, type the Home Dir Root Path in the form \\Computername\Sharename, and
ssion. 2. Full Control with user's permission: Allows the administrator to interact with the session, with the user'
ssion. 2. Full Control with user's permission: Allows the administrator to interact with the session, with the user'
unt connecting to this RD Session Host server have an RDS Per User CAL. Per Device licensing mode requires th
es will automatically disconnect active but idle sessions after the specified amount of time. The user receives a
es will automatically disconnect active but idle sessions after the specified amount of time. The user receives a
connect active sessions after the specified amount of time. The user receives a warning two minutes before the
connect active sessions after the specified amount of time. The user receives a warning two minutes before the
ote Desktop Services session without logging off and ending the session. When a session is in a disconnected s
ote Desktop Services session without logging off and ending the session. When a session is in a disconnected s
e types to be associated with RemoteApp programs. The default connection URL must be configured in the form
ktop Services session. If you enable this policy setting, the fallback printer driver is enabled, and the default be
tart an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when th
TP5
e specified with this setting, by the server administrator, or by the user in configuring the client connection. Ena
e specified with this setting, by the server administrator, or by the user in configuring the client connection. Ena
plete. If you enable this policy setting, user sign-in is blocked for up to 6 minutes to complete the app registrati
both TCP and UDP protocols.
his policy setting, RemoteApp programs published from this RD Session Host server will use these advanced gra
D Connection Broker server. If you enable this policy setting, a Remote Desktop Services client queries the RD C
" policy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Sessio
eason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host serv
eason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host serv
e this policy setting, all Remote Desktop Services sessions use the Microsoft Basic Render Driver as the default
on Host server will attempt automatic license server discovery. In the automatic license server discovery proces
Windows Aero requires additional system and bandwidth resources, allowing desktop composition for remote de
server can be started remotely by using the RemoteApp Manager on Windows Server 2008 R2 and Windows Ser
ate the current session time (current session time = server base time + client time zone). If you disable or do n
user profile, Remote Desktop Connection, or through Group Policy. If you enable this policy setting, the deskto
e local computer. By default, Remote Desktop Services allows Clipboard redirection. If you enable this policy se
r. Because font smoothing requires additional bandwidth resources, not allowing font smoothing for remote con
If you disable or do not configure this policy setting, the IP address of the RD Session Host server is used if a v
ent printers are redirected in Remote Desktop Services sessions.
ent printers are redirected in Remote Desktop Services sessions.
Remote Desktop Services session. If you disable this policy setting, wallpaper is displayed in a Remote Deskto
and network mask are used to select the network adapter used for the virtual IP addresses. If you disable or do
on Host server, but it is not logged off. If you enable this policy setting, when a user closes the last running Rem
on Host server, but it is not logged off. If you enable this policy setting, when a user closes the last running Rem
If you disable or do not configure this policy setting, Fair Share CPU Scheduling is turned on.
nstaller RDS Compatibility is turned off, and only one instance of the msiexec process can run at a time. If you
you must enter a list of programs to use virtual IP addresses. List each program on a separate line (do not enter
r in the farm with the fewest sessions. Redirection behavior for users with existing sessions is not affected. If th
ble or do not configure this policy setting, File Explorer creates, reads from, and writes to thumbs.db files.
ou disable or do not configure this policy setting, File Explorer displays only thumbnail images on network folde
policy setting, File Explorer displays only thumbnail images.
other touch-specific features. If you disable this setting, the user can produce input with touch, by using gesture
TP4
windows by touch. If you disable this setting, the user can pan windows by touch. If you do not configure this se
windows by touch. If you disable this setting, the user can pan windows by touch. If you do not configure this se
M owner authorization without requiring the user to enter the TPM owner password. You can choose to have the
mple, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. T
cal list. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list b
t list. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or thr
nding commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administra
RTM
vented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting h
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
1607
nd Windows 2000 Professional operating systems, the default file permissions for the newly generated profile a
computer to a local or remote directory. If you enable this policy setting, the system uses the Windows NT 4.0 d
ata transfer, the network's latency and connection speed are determined. This policy setting and related policy
ve of the computer they are using in case the server that stores the roaming profile is unavailable when the use
y delete on the next system restart all user profiles on the computer that have not been used within the specifie
ow to respond. If you enable this policy setting, the system does not detect slow connections or recognize any
ssional pre-SP4 and Windows XP pre-SP1 operating systems, the default file permissions for the newly generated
s not recommended to enable this policy by default as it may prevent users from getting an updated version of
or, preventing Windows from loggin on the user with a temporary profile. If you enable this policy setting, Wind
eeting room computer or on a computer in a remote office. To designate a user's primary computers, an admin
between the user's computer and the server that stores users' roaming user profiles. -- The system cannot acce
narrowest set of data that will address your needs. For example, if there is one application with data that should
d the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously d
f you enable this policy setting, you can: -- Set a maximum permitted user profile size. -- Determine whether t
t match. When a user logs off of the computer, the system unloads the user-specific section of the registry (HKE
ofile. Similarly, when the user logs off this computer, the local copy of their profile, including any changes they h
he roaming profile is merged with the local profile. Similarly, when the user logs off the computer, the local cop
heir roaming profile server is detected. In operating systems earlier than Microsoft Windows Vista, a dialog box
s network. Note: Windows doesn't wait for the network if the physical network connection is not available on th
rname\Sharename\%USERNAME% to give each user an individual profile folder. If not specified, all users logging
etting does not stop the roaming user profile's registry file from being uploaded at user logoff. If "Run at set int
e Location list, choose the location for the home folder. If you choose On the network, enter the path to a file
u enable this policy setting, the network paths specified in this policy setting will be synchronized only by Offline
n use the advertising ID for experiences across apps.
ble to change this setting and the user's name and account picture will be shared with apps (not desktop apps)
his folder together define the system's response when roaming user profiles are slow to load. If you enable this
bled or not configured, fixed data drives formatted with the FAT file system can be unlocked on computers runn
is enabled or not configured, removable data drives formatted with the FAT file system can be unlocked on com
y setting, all new BitLocker startup PINs set will be enhanced PINs. Note: Not all computers may support enhan
enable this policy, clients configured with a BitLocker Network Unlock certificate will be able to create and use N
more flexibility for managing pre-boot configuration than legacy BitLocker integrity checks. If you enable or do n
pecify the path that will be used as the default folder location when the user chooses the option to save the rec
you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating sys
ption Deployment Guide on Microsoft TechNet for more information about the encryption methods available. Thi
ption Deployment Guide on Microsoft TechNet for more information about the encryption methods available. Thi
ker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key
covery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can b
BitLocker-protected removable data drives. Before a data recovery agent can be used it must be added from the
ns can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. The us
quire a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure thi
the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and wan
s policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate be
group policy only applies to computers with BIOS configurations or to computers with UEFI firmware with a Comp
group policy only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI fi
data to the drive. If you enable this policy setting, you can specify additional options that control whether BitL
riting of data to the drive. If you enable this policy setting, you can specify additional options that control wheth
ing of data to the drive. If you enable this policy setting, you can specify additional options that control whethe
xity requirement setting to be effective the Group Policy setting "Password must meet complexity requirements"
For the complexity requirement setting to be effective the Group Policy setting "Password must meet complexit
ve the Group Policy setting "Password must meet complexity requirements" located in Computer Configuration\
ng the "Require use of smart cards on fixed data drives" check box. Note: These settings are enforced when tu
cting the "Require use of smart cards on removable data drives" check box. Note: These settings are enforced w
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
ting, memory will not be overwritten when the computer restarts. Preventing memory overwrite may improve r
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
set the local computer clock to synchronize time with NTP servers. If you disable or do not configure this policy
other computers.
RTM
RTM
RTM
RTM
network. If this policy setting is not configured or is disabled, clients are allowed to connect to roaming provid
RTM
RTM
RTM
RTM
TP4
ou disable or do not configure this policy setting, backups can include both system or data volumes.
TP4
TP4
TP4
TP4
TP4
TP4
RTM
RTM
RTM
antispyware definitions are disabled. If you disable or do not configure this setting, the antimalware service wil
service will load as a low priority task.
do not configure this setting, definition updates will be downloaded from the configured download source.
on battery power.
to join Microsoft MAPS for this functionality to work. If you enable this setting or do not configure, the antimalw
RTM
RTM
RTM
RTM
RTM
cy will take priority over the local preference setting.
RTM
RTM
preference setting.
will take priority over the local preference setting.
preference setting.
he local preference setting.
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
1607
RTM
RTM
RTM
RTM
RTM
RTM
TP4
RTM
TP4
1607
TP4
TP4
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
RTM
gure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned
on set GUID to enable test definitions is defined as: {b54b6ac9-a737-498e-9120-6616ad3bf590}. The value i
sday (0x4) Wednesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never If you enable this setting, th
(0x2) Monday (0x3) Tuesday (0x4) Wednesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never (def
Wednesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never (default) If you enable this setting, a sch
pecified. If you disable or do not configure this setting, checks for definition updates will occur at the default in
nable this setting, a quick scan will run at the interval specified. If you disable or do not configure this setting, a
gure this setting, archive files will be scanned to the default directory depth level.
ng, CPU utilization will not exceed the percentage specified. If you disable or do not configure this setting, CPU
fied will be scanned. If you disable or do not configure this setting, archive files will be scanned according to th
al time on the computer where the scan is executing. If you enable this setting, a daily quick scan will run at the
uter where the scan is executing. If you enable this setting, a scheduled full scan to complete remediation will r
l time on the computer where the scan is executing. If you enable this setting, a scheduled scan will run at the
the scheduled scan time. The schedule is based on local time on the computer where the check is occurring. I
e remediation action that should be taken. Valid threat alert levels are: 1 = Low 2 = Medium 4 = High 5 = S
he remediation action that should be taken. Valid remediation action values are: 2 = Quarantine 3 = Remove
1607
alware detections. If you disable or do not configure this policy setting, Windows Defender will prompt users to
g, Windows Defender does not automatically take action on the detected threats, but prompts users to choose f
d for malware and other potentially unwanted software.
scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a
p scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans
etected by a definition, then that definition is "retired". If all definitions for a given protocal are retired then that
x, mime (Outlook Express), binhex (Mac). If you enable this setting, e-mail scanning will be enabled. If you disa
will be enabled. If you disable this setting, heuristics will be disabled.
ble this setting, a process scan will not be initiated when real-time protection is turned on.
ys. If you enable this setting, items will be removed from the scan history folder after the number of days spec
is the recommended state for this functionality. If you enable this setting, reparse point scanning will be enable
entry in at least one of the following locations in registry. For shell extensions that have been approved by the a
you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If y
rom within the File Explorer), it might affect other items as well that are marked from this zone. For example, so
ng displayed. Note: Allowing the use of remote paths in file shortcut icons can expose users computers to secu
If you enable this policy setting, Windows SmartScreen behavior may be controlled by setting one of the follow
user-defined properties, and properties stored in NTFS secondary streams.
user-defined properties, and properties stored in NTFS secondary streams.
the creation of the folder. You can specify a known folder using its known folder id or using its canonical name.
t displaying a confirmation dialog occurs.
l receive an error message if they tap or click the Options button or choose the Change folder and search option
ou disable or do not configure this setting, files and folders deleted using File Explorer will be placed in the Recy
re not administrators try to install programs locally on their computers. This setting allows administrators who h
ew application has been installed that can handle the file type or protocol association that was invoked.
ent target path, then, by default, it searches for the target in the original path. If the shortcut has been copied t
ers of Windows programs. If you enable this policy setting, the Back button is removed from the standard Open
ded to developers of Windows programs. To see an example of the standard Open dialog box, start Wordpad an
me in the text box. This setting, and others in this folder, lets you remove new features added in Windows 200
e this policy setting, select a drive or combination of drives in the drop-down list. Note: This policy setting remo
ewer, Device Manager, and Disk Management. You must be an administrator to use many of the features of thes
- (\\server\share) 3) FTP folders 4) web folders 5) Common Shell folders. The list of Common Shell Folders tha
UI. On every logon, the policy settings are verified and Libraries for the user are updated or changed according
UI. On every logon, the policy settings are verified and Libraries for the user are updated or changed according
e used by the Recycle Bin. Note: This setting is applied to all volumes.
shortcuts specified by the policy setting. If you disable or do not configure this policy setting, by default, the sy
ns. This policy setting also removes these icons from the Map Network Drive browser. If you disable or do not co
ssociated with the Map Network Drive option. This setting does not prevent users from viewing or connecting to
earch site will be searched with the text in the search box. To add an Internet search site, specify the URL of the
he path of the .Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary
Map Network Drive dialog box to view the directories on these drives. To use this setting, select a drive or com
when you right-click the File Explorer or Network Locations icons. This setting does not prevent users from con
gure this policy setting, users are able to use the File Explorer CD burning features. Note: This policy setting doe
properties of the DFS shares available from their computer. This policy setting does not prevent users from usi
ue commands available on the shortcut menus.
the Hardware tab to view or change the device list or device properties, or use the Troubleshoot button to resol
ns. Enabling this policy setting does not remove the Search button or affect any search features of Internet brow
l users that have access to the resource in question. If you disable or do not configure this setting, users will be
an choose not to have these items displayed. If you enable this policy setting, the Shared Documents folder is
ser with the search terms. If you do not configure this policy (default), there will be an "Internet" link when the u
re designed to enhance the user's experience but might be confusing or distracting to some users.
ed by users. Effects, such as animation, are designed to enhance the user's experience but might be confusing
is dialog box appears only when users are installing programs from local media. The "Install Program as Other U
he DISM documentation on TechNet. If this group policy is enabled and the client machine is domain-joined, the
you do not configure this policy setting, users will be able to choose whether they want hibernate to show throu
ock to show through the Power Options Control Panel.
onfigure this policy setting, users will be able to choose whether they want sleep to show through the Power Opt
this policy setting, users can choose how the ribbon appears when they open new windows.
this policy setting, users can choose how the ribbon appears when they open new windows.
ould enable this policy setting to turn off the thumbnail view cache, because the thumbnail cache can be read b
ble this policy, File Explorer will not show suggestion pop-ups as users type into the Search Box, and it will not s
rer will sort file names by increasing number value (for example, 3 < 22 < 111).
rer will sort file names by increasing number value (for example, 3 < 22 < 111).
ders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommende
ders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommende
l: * Disable all Arrangement views except for "By Folder" * Disable all Search filter suggestions other than "Dat
If you enable this setting, the Windows+X shortcut keys are unavailable. If you disable or do not configure thi
NT 4.0, and users cannot restore the new features. Enabling this policy will also turn off the preview pane and
erify that new and old locations point to the same network share. If both new and old locations point to the sam
s window appears.
s XP files to the cache until the cache size reaches the quota. If you enable this policy setting, enter the maxim
s File Protection to scan files more often. -- "Do not scan during startup," the default, scans files only during se
oot%\System32\Dllcache directory. Note: Do not put the cache on a network shared directory.
k its unsolicited messages. This policy setting overrides other policy settings that would block those messages.
rewall blocks echo request messages sent by Ping running on other computers, but it does not block outbound
rewall blocks echo request messages sent by Ping running on other computers, but it does not block outbound
or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Pa
or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Pa
(RPC) and Distributed Component Object Model (DCOM). Additionally, on Windows XP Professional with at least
(RPC) and Distributed Component Object Model (DCOM). Additionally, on Windows XP Professional with at least
ming messages are allowed. In the Windows Firewall component of Control Panel, the "Remote Desktop" check b
ming messages are allowed. In the Windows Firewall component of Control Panel, the "Remote Desktop" check b
Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are
Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are
omponent in Control Panel allows administrators to define a local port exceptions list. If you disable this policy s
omponent in Control Panel allows administrators to define a local port exceptions list. If you disable this policy s
ws Firewall component in Control Panel allows administrators to define a local program exceptions list. If you di
ws Firewall component in Control Panel allows administrators to define a local program exceptions list. If you di
must also specify whether to record information about incoming messages that the firewall blocks (drops) and
must also specify whether to record information about incoming messages that the firewall blocks (drops) and
e inbound port exceptions list defined by Group Policy. To view this port exceptions list, enable the policy setting
e inbound port exceptions list defined by Group Policy. To view this port exceptions list, enable the policy setting
e program exceptions list defined by Group Policy. If you add a program to this list and set its status to Enabled,
e program exceptions list defined by Group Policy. If you add a program to this list and set its status to Enabled,
d and administrators cannot clear it. You should also enable the "Windows Firewall: Protect all network connecti
d and administrators cannot clear it. You should also enable the "Windows Firewall: Protect all network connecti
s the display of these notifications. In the Windows Firewall component of Control Panel, the "Notify me when W
s the display of these notifications. In the Windows Firewall component of Control Panel, the "Notify me when W
do not configure this policy setting, and this computer sends a multicast or broadcast message to other compu
do not configure this policy setting, and this computer sends a multicast or broadcast message to other compu
Firewall does not run. This is the only way to ensure that Windows Firewall does not run and administrators who
Firewall does not run. This is the only way to ensure that Windows Firewall does not run and administrators who
1607
1607
ecure content, upgrade Windows Media DRM security components, or restore backed up content licenses. Secu
box on the Player tab in the Player is selected and is not available. If you disable this policy setting, a screen sa
settings are used. If the Custom proxy type is selected, the rest of the options on the Setting tab must be spec
of the options on the Setting tab must be specified; otherwise, the default settings are used. The options are ign
hat streaming media is buffered. - Default: default network buffering is used and the number of seconds that is
of the options on the Setting tab must be specified; otherwise, the default settings are used. The options are ign
policy is not configured or disabled, users can show or hide the anchor window when the Player is in skin mode b
the anchor window displays is not available. If you disable or do not configure this policy setting, users can sho
k tab appears and users can use it to configure network settings.
the "Prevent music file media information retrieval" policy setting is enabled. The default privacy settings are u
ess these settings have been hidden or disabled by Internet Explorer policies. If you disable or do not configure
rs to select privacy, file types, and other desktop options from being displayed when the Player is first started. S
ation for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on
you disable this policy setting, codecs are automatically downloaded and the Download codecs automatically c
n to their desktops.
om Windows Media Player or from programs that depend on the Player's media sharing feature. If you disable o
, the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet chec
ut for the Player to the Quick Launch bar.
configured are not be updated, and presets a user adds are not be displayed. If you disable or do not configure
yer is cleared and is not available. If you disable this policy setting, video smoothing occurs if necessary, and th
), and the skin must be installed in the %programfiles%\Windows Media Player\Skins Folder on a user's compute
initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a us
s Messenger. Note: This policy setting is available under both Computer Configuration and User Configuration.
s Messenger. Note: This policy setting is available under both Computer Configuration and User Configuration.
olicy setting simply prevents Windows Messenger from running initially. If the user invokes and uses Windows M
olicy setting simply prevents Windows Messenger from running initially. If the user invokes and uses Windows M
text. If you disable or do not configure this policy setting, the WinRM client does not use Basic authentication.
WinRM service does not accept Basic authentication from a remote client.
, the WinRM service does not accept CredSSP authentication from a remote client.
TP transport over the default HTTP port. To allow WinRM service to receive requests over the network, configure
policy setting, the WinRM client sends or receives only encrypted messages over the network.
policy setting, the WinRM client sends or receives only encrypted messages over the network.
is using the Negotiate authentication and Kerberos is selected. If you disable or do not configure this policy set
WinRM service accepts Kerberos authentication from a remote client.
ntication.
licy setting, the WinRM service accepts Negotiate authentication from a remote client.
a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configurat
supplied channel binding token. If you disable or do not configure this policy setting, you can configure the ha
ation host is a trusted entity. The WinRM client uses this list when neither HTTPS nor Kerberos are used to authe
en certain port 80 listeners are migrated to WinRM 2.0, the listener port number changes to 5985. A listener m
When certain port 443 listeners are migrated to WinRM 2.0, the listener port number changes to 5986. A listen
re this policy setting, the default number is five users.

wait for the specified amount of time since the last received message from the client before terminating the op
mited by the available virtual memory. If you enable this policy setting, the remote operation is terminated whe
ure this policy setting, the limit is five processes per shell.
specified limit. If you disable or do not configure this policy setting, by default the limit is set to two remote she
retail catalog in the Windows Store app.

retail catalog in the Windows Store app.
matic download and installation of app updates is determined by a registry setting that the user can change usin
p updates is determined by a registry setting that the user can change using Settings in the Windows Store.
ch updates will not be installed immediately. Note: If the "Configure Automatic Updates" policy is disabled, this
-on user should receive update notifications. Non-administrative users will be able to install all optional, recomm
ate service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the lo
will proceed even if the PC has signed-in users. If you disable or do not configure this policy, Windows Update w
all clients to which this policy is applied will check for updates anywhere between 16 and 20 hours. If the status
t select one of the four options in the Group Policy Setting: 2 = Notify before downloading and installing any up
s. Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of up
egardless of whether the 'Install Updates and Shut Down' option is available in the 'What do you want the comp
egardless of whether the 'Install Updates and Shut Down' option is available in the 'What do you want the comp
able that functionality, and may cause connection to public services such as the Windows Store to stop working
llation when the user selects the Shut Down option in the Start menu. If you disable or do not configure this pol
llation when the user selects the Shut Down option in the Start menu. If you disable or do not configure this pol
1607
mputer. If the intranet Microsoft update service supports multiple target groups this policy can specify multiple
cally. If the system is in hibernation when the scheduled install time occurs and there are updates to be applied,
stallation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the co
enu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor wil
ault interval is 10 minutes. Note: This policy applies only when Automatic Updates is configured to perform sche
ext started. If the status is set to Disabled, a missed scheduled installation will occur with the next scheduled in
1607
1607
dates that apply to the computers on your network. To use this setting, you must set two servername values: th
1607
t configured Automatic Updates will continue to deliver important updates if it is already configured to do so.
ely managed environments in which you allow the end user access to the Microsoft Update service. If you enabl
ponents are ready to be installed, or prior to downloading, depending on their configuration. If you enable this s
Insider
Insider
the default timeout value is 3 minutes for workstations and 15 minutes for servers.
shutdown interface. If you disable or do not configure this policy setting, the system creates the named pipe r
rface program to a network share or to your system drive. Then, enable this setting, and type the name of the i
ate the SAS. If you set this policy setting to "Ease of Access applications," Ease of Access applications can simu
displays the date and time of the last successful logon by that user, the date and time of the last unsuccessful
s expire. If you disable or do not configure this setting, users receive warnings before the logon hours expire, if
d or not configured, no popup will be displayed to the user.
d or not configured, no popup will be displayed to the user.
on hours. If you choose to log off a user, the user cannot log on again except during permitted logon hours. If y
utomatic sign-in after a Windows Update restart. After the Windows Update restart, the user is automatically sign
date of map data is determined by a registry setting that the user can change using Windows Settings.
1607
pplications or GUI applications without visible top-level windows that block or cancel shutdown will not be autom
1607
1607
ws about by crowdsourcing networks that other people using Windows have connected to. "Connect to networks
Push Button pairing is preferred (if allowed by other policies).
ut not necessarily preferred).
nrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. - F
lso prevents them from manually specifying the local folder in which Work Folders stores files. Work Folders will
d PC. The "Work Folders URL" can specify either the URL used by the organization for Work Folders discovery, or
Active Directory Device Registration Overview. http://go.microsoft.com/fwlink/?LinkId=307136
users will not be able to change it or any other Quiet Hours setting. If you do not configure this policy setting, a
ers will not be able to change it or any other Quiet Hours setting. If you do not configure this policy setting, a d
eo calls will be allowed during Quiet Hours, and users will not be able to customize this or any other Quiet Hour
1607
l application services to update tiles. If you enable this policy setting, applications and system features will not
ome background task deferred during the designated Quiet Hours time window. Users will not be able to chang
trator or user. No reboots or service restarts are required for this policy setting to take effect.
tem features individually to stop their ability to raise toast notifications. If you disable or do not configure this p
rator or user. No reboots or service restarts are required for this policy setting to take effect.
s connection is unlimited and not restricted by usage charges and capacity constraints. - Fixed: Use of this conn
connection is unlimited and not restricted by usage charges and capacity constraints. - Fixed: Use of this conn
onfigure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. N
vice responds to certificate errors. By default all HTTPS connections must supply a server certificate that passes
e unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does no
methods to install programs.
, the Add/Remove Windows Components button is available to all users. This setting does not prevent users fro
rom using other tools and methods to delete or uninstall programs.
move program components. Note: If the "Hide Add New Programs page" setting is enabled, this setting is ignor
New Programs page" setting is enabled, this setting is ignored.
ndows Installer. Typically, system administrators publish programs to notify users that the programs are availab
e this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This s
d or Remove Programs. If you disable this setting or do not configure it, Add or Remove Programs is available to
Product ID and version number of the program. The dialog box also includes a hyperlink to support information
tting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use S
allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS
operty page from the context-menus, but does not affect previous compatibility settings applied to application
compatibility engine will boost system performance. However, this will degrade the compatibility of many popu
of how this policy is set. Disabling telemetry will take effect on any newly launched applications. To ensure that
rogram Compatibility Assistant is also disabled. If you disable or do not configure this policy setting, the Invent
policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility i
to turn on and off data collection. If you enable this policy setting, Steps Recorder will be disabled. If you disa
older applications. This option is useful for server administrators who require performance and are aware of com
veloper-signed Windows Store apps.
an administrator Temporary user profiles, which are created when an error prevents the correct profile from loa
ers will need to sign in with a Microsoft account.

ault desktop app for a file type; they can open files only in other Windows Store apps. If you disable or do not co
ault desktop app for a file type; they can open files only in other Windows Store apps. If you disable or do not co
efault desktop app for a URI scheme; they can open URIs only in other Windows Store apps. If you disable or do
efault desktop app for a URI scheme; they can open URIs only in other Windows Store apps. If you disable or do
an use. If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Ru
sing the file. Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted
ents with their zone information. If you disable this policy setting, Windows marks file attachments with their zo
Windows hides the check box and Unblock button. If you disable this policy setting, Windows shows the check bo
ore than one inclusion list). If you enable this policy setting, you can create a custom list of high-risk file types.
an one inclusion list). If you enable this policy setting, you can specify file types that pose a low risk. If you disa
isk inclusion list (where an extension is listed in more than one inclusion list). If you enable this policy setting, y
he file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being
er. Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictiv
on the workstations and servers on which this policy setting is applied. If you disable or do not configure this po
without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autor
without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autor
P SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage device
P SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage device
cs. Note: Prior to Windows 10, not configuring this policy setting would have prevented domain users from usin
s policy setting, the Windows Biometric Service is unavailable, and users cannot use any biometric feature in Wi
dows-based computer and can elevate permissions with UAC using biometrics. If you disable this policy setting
able or do not configure this policy setting, a default value of 10 seconds is used for fast-user switch event timeo
es for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, B
Cache. Note: This policy setting does not affect the use of Windows Branch Cache by applications other than BI
from the origin server. However, the computer will still make files available to its peers. If you disable or do not
till download files from peers. If you disable or do not configure this policy setting, the computer will offer down
If you disable or do not configure this policy setting, files that have not been accessed for the past 90 days wil
centage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 perce
y setting, you can set the maximum job download time to a specified number of seconds. If you disable or do no
day's hours. If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can
nd both are active, BITS will use a maximum of 30 percent of 56 Kbps. You can change the default behavior of B
nfigure this policy setting, BITS will use the default user BITS job limit of 300 jobs. Note: This limit must be lowe
configure this policy setting, BITS will use the default BITS job limit of 300 jobs. Note: BITS jobs created by serv
of 200 for the maximum number of files a job can contain. Note: BITS Jobs created by services and the local ad
BITS will limit ranges to 500 ranges per file. Note: BITS Jobs created by services and the local administrator acc
wnload policy explicitly configured by the application that created the BITS job, but does apply to jobs that are c
u can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority
u can set up a schedule for limiting network bandwidth during both work and nonwork hours. After the work sch
on will reset this timeout. Consider increasing the timeout value if computers tend to stay offline for a long peri
mponent registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. Th
mponent registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. Th
in the previous session.
ngs. If you enable this setting, you can select specific items not to display on the Control Panel window and the
m Account picture Search results If users try to select a Control Panel item from the Properties item on a conte
ntrol.exe. This policy has no effect on items displayed in PC settings. To display a Control Panel item, enable thi
Taskbar) settings.
lock screen using touch, the keyboard, or by dragging it with the mouse. Note: This setting only applies to Ent
d: First, a valid screen saver on the client is specified through the "Screen Saver executable name" setting or th
f 2:1 with white text.
able or do not configure this setting, the users can select the visual style that they want to use by changing them
ver. If you enable this setting, type the name of the file that contains the screen saver, including the .scr file na
ting, the default theme will be applied at the first logon.
d protection setting. If you do not configure this setting, users can choose whether or not to set password prote
indows. If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is
You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. R
ported version of Windows, then those colors take precedence over this policy. If the "Force a specific Start bac
using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system
, a user may not apply a different visual style when changing themes.
een Saver" setting is disabled. - Neither the "Screen saver executable name" setting nor the Screen Saver dialo
nt Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed. If you enable this policy
mited by any EAS settings or group policies that affect the maximum idle time before a device locks. In addition
nable this policy setting, the default logon domain is set to the specified domain, which might be different than
dentials (for example, to support biometric authentication). If you enable this policy, an administrator can spec
n set up and sign in with a convenience PIN. If you disable or don't configure this policy setting, a domain user
n to Windows). The policy becomes effective the next time the user signs on to a computer running Windows.
ot configure (by default) this policy setting, delegation of default credentials is not permitted to any machine. N
the application). If you do not configure (by default) this policy setting, after proper mutual authentication, del
onfigure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is pe
he Windows credential manager). If you do not configure (by default) this policy setting, after proper mutual au
). If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of save
fy any server. Note: The "Deny delegating default credentials" policy setting can be set to one or more Service
ot specify any server. Note: The "Deny delegating fresh credentials" policy setting can be set to one or more Se
y setting does not specify any server. Note: The "Deny delegating saved credentials" policy setting can be set t
apps will not delegate credentials to remote computers. If you disable or do not configure this policy setting, re
text box. By default, the password reveal button is displayed after a user types a password in the password en
text box. By default, the password reveal button is displayed after a user types a password in the password en
cy setting, users will always be required to type a user name and password to elevate.
cure Desktop by means of the trusted path mechanism. If you disable or do not configure this policy setting, us
or their password is expiring.
keyboard using Ctrl+Alt+Del. Tip:To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and t
not configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del.
e to access Task Manager. If users try to start Task Manager, a message appears explaining that a policy preven
features on this build option in Settings.
will not look in the locally configured DCOM activation security check exemption list. If you do not configure this
ions" policy is enabled. DCOM server appids added to this policy must be listed in curly-brace format. For exam
ut the item is deleted each time the setting is refreshed. Note: Removing an item from the "Add" list for this set
ing "Set as Wallpaper". Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Config
h, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\Server\Share\Corp.jpg. If the specified fi
s ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Compo
and GIF, for their desktop wallpaper.
shared folder.
s ignored. If the "Turn on Classic Shell" setting ( in User Configuration\Administrative Templates\Windows Comp
o see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name
but not tempt them to casually browse Active Directory.
mmon Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving
ber of objects returned" box to limit returns from an Active Directory search. If you disable this setting or do no
taskbar beside the Start button), and point to "Toolbars." Also, see the "Prohibit adjusting desktop toolbars" set
edit Web content or disable, lock, or synchronize Active Desktop components.

deleting items from their Active Desktop.
ell namespace, allowing them to present their users with a simpler desktop environment. If you enable this sett
he Start menu. To do so, use the "Remove My Documents icon from Start Menu" setting. Note: To make change
o not configure this policy setting, the Properties menu command is displayed.
hen log back on.

users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking
e\ShareName\SIPolicy.p7b), or a locally valid path (for example, C:\FolderName\SIPolicy.p7b). The local machine
Integrity This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabl
r, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desk
install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, u
is allowed to install or update device drivers whose device setup class GUIDs appear in the list you create, unle
stedPublisher store. If you disable or do not configure this policy setting, only members of the Administrators g
n you enable this setting, use the drop-down box to specify the desired response. -- "Ignore" directs the system
ault title in a notification when a policy setting prevents device installation.

setting prevents device installation.
olicy setting, Windows does not create a system restore point when one would normally be created. If you disab
ting. If you disable or do not configure this policy setting, Windows is allowed to install or update the device dr
e this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices fro
st you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection
setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from inst
crosoft Windows Publisher certificate and drivers that are signed by other Authenticode certificates are prioritize
triction right will not take effect until the system is restarted.
ed check box beside the location name. If you disable or do not configure this setting, Windows searches the in
or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether
a device driver that requests additional software is installed.
nually search for updates. This setting is used to ensure that the best software will be found for the device, eve
no update is found will Windows then also search Windows Update. If you disable or do not configure this polic
ompted to search Windows Update. If you disable or do not configure this setting, and "Turn off Windows Updat
ompted to search Windows Update. If you disable or do not configure this setting, and "Turn off Windows Updat
s policy setting, the default value of 15 minutes applies. Note: The minimum value you can select is 15 minute
boots or service restarts are required for this policy setting to take effect: changes take effect immediately. This
icy setting, the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minim
e. The required data is stored in the NV cache during shutdown and hibernate, respectively. This might cause a s
re this policy setting, the default behavior is to allow the hybrid hard disks to be in power save mode. Note: Th
on of the system by keeping the disks spun down while satisfying reads and writes from the cache. If you enab
onger periods to save power. Note that this can cause increased wear of the NV cache. If you do not configure
turned off by default, but administrators can turn it on. To prevent users from changing the setting while a sett
nnot make changes while the setting is in effect. If you do not configure this policy setting, the disk quota limit i
em disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators ca
n on the Quota tab so that administrators cannot change logging while a policy setting is in effect. If you do not
tting overrides new users settings for the disk quota limit and warning level on their volumes, and it disables th
This policy should not be set unless the DLT server is running on all domain controllers in the domain.
g dot. For example, if attaching suffixes is allowed, an unqualified multi-label name query for "server.corp" will
ample" and not for multi-label and fully qualified domain names.
e this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied
, the list of DNS servers is applied to all network connections used by computers that receive this policy setting
el name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft
NS registration to be enabled on a network connection, the connection-specific configuration must allow dynam
rotocols will be preferred over DNS responses if the local responses are from a network with a higher binding or
ry DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control pan
d when a user or application submits a query for a single-label domain name. The DNS client appends DNS suffi
tion settings. Devolution can be used when a user or application submits a query for a single-label domain nam
of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary
etting, click Enabled, and then select one of the following options from the drop-down list: Do not register: Com
rds are current and should not be automatically removed (scavenged) when a DNS server is configured to delete
ers. During dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A reso
hat receive this policy setting. If you disable this policy setting, or if you do not configure this policy setting, com
WINS servers configured.
me resolution in scenarios in which conventional DNS name resolution is not possible. If you enable this policy se
setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first.
d by NetBT for all networks. If you disable this policy setting, or if you do not configure this policy setting, the D
cy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in
puters send dynamic updates to any zone that is authoritative for the resource records that the computer needs
ce a specific color for window frames that cannot be changed by users.
ce a specific color for window frames that cannot be changed by users.
ows+Tab keys, a visual version of the desktop is presented and items can be flipped through to select. Changin
ows+Tab keys, a visual version of the desktop is presented and items can be flipped through to select. Changin
with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that ca
with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that ca
d Glyph are included in the candidate list. This policy setting applies to Japanese Microsoft IME only. Note: Chan
IBM extended code 0x0008 // IBM extended code 0x0010 // Half width katakana code 0x0100 // EUDC(GAIJI) 0
panese Microsoft IME, [Clear auto-tuning information] works, even if this policy setting is enabled, and it clears
crosoft IME, Simplified Chinese Microsoft Pinyin, and Traditional Chinese New Phonetic.
enabling this policy setting is still used for conversion. If you disable or do not configure this policy setting, Ope
ded that you do not allow known bad drivers to be initialized. - Bad, but required for boot: The driver has been
cy setting, the recent apps will be available by default, and the user can configure this setting.
ll, but not from that menu. If you disable or don't configure this policy setting, Command Prompt will be listed i
t configure this policy setting, Search, Share, Start, Devices, and Settings will be available by default, and the us
ly used apps will appear at the top.

hen files are moved to other volumes, or if you create a new file in an encrypted folder, File Explorer encrypts th
licy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed
ced Storage devices are usable on your computer.
port number on the destination server for transmission. If you disable or do not configure this policy setting, W
t Communication settings. Important: If the Turn off Windows Error Reporting policy setting is not configured, th
stored. The Maximum number of reports to store setting determines how many reports are stored before older
stored. The Maximum number of reports to store setting determines how many reports are stored before older
immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user i
immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user i
set a consent level of 0, 1, 2, 3, or 4. - 0 (Disable): Windows Error Reporting sends no data to Microsoft for this e
set a consent level of 0, 1, 2, 3, or 4. - 0 (Disable): Windows Error Reporting sends no data to Microsoft for this e
ations are reported, regardless of the setting in the Default pull-down menu. When the Report all errors in Windo
If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Comp
If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Comp
red. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no noti
ministrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
ministrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than o
or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than o
es, and the default consent setting determines only the consent level of any other error reports.
es, and the default consent setting determines only the consent level of any other error reports.
erated by applications in this list are not reported, even if the Default Application Reporting Settings policy settin
mes in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file nam
mes in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file nam
add or remove applications from the list of application file names in the Show Contents dialog box (example: n
Reporting settings in Control Panel are set to upload operating system errors. See also the Configure Error Rep
g on battery power, but checks for solutions and uploads report data normally. If you disable or do not configure
g on battery power, but checks for solutions and uploads report data normally. If you disable or do not configure
cost policy again if the network profile is changed.
cost policy again if the network profile is changed.
This setting applies across all subscriptions for the forwarder (source computer).
e collector>:5986/wsman/SubscriptionManager/WEC,Refresh=<Refresh interval in seconds>,IssuerCA=<Thum
tting is enabled, new events are discarded and old events are retained. If you do not configure this policy settin
ols and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy settin
value can access the log. If you disable or do not configure this policy setting, only system software and admin
ols and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy settin
icy setting, only system software and administrators can write or clear this log, and any authenticated user can
og automatically when full" policy setting.

by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
crypt these encrypted messages, provided that you have access to the private key corresponding to the public
'ALT' key.
folders to the root of their Users Files folder in File Explorer. Note: Enabling this policy setting does not prevent
o Go Startup Options Control Panel item. If you disable this setting, booting to Windows To Go when a USB devic
ery of corrupted files will automatically start with no UI. Windows will log an administrator event when a system
pplication. The EID must be an internet domain belonging to the enterprise in standard international domain na
ed. Note: To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service .
administrators may select the types of symbolic links to be evaluated.

to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are cre
ly made available offline. All subfolders within the redirected folders are also made available offline. Note: This
offline. Note: This policy setting does not prevent files from being automatically cached if the network share is c
of copying the content to the new location, the cached content is renamed in the local cache and not copied to
ment software or a script to add primary computer attributes to the user's account in Active Directory Domain S
ment software or a script to add primary computer attributes to the user's account in Active Directory Domain S
ubfolders when redirecting the Start Menu or legacy My Documents folder. If you disable or not configure this p
ubfolders when redirecting the Start Menu or legacy My Documents folder. If you disable or not configure this p
ew Pane since the two cannot be displayed at the same time. If you disable, or do not configure this policy setti
are handled by the DPS. If you do not configure this policy setting, the DPS enables Fault Tolerant Heap for reso
alled as part of the system image but are not used by any user on that system will be removed as part of a sche
mbers less than or equal to the specified value are interpreted as being preceded by 20. All numbers greater th
licy is ignored. If you do not configure this policy setting at the computer level, restrictions are based on per-use
licy is ignored. If you do not configure this policy setting at the computer level, restrictions are based on per-use
gn-in page. If the policy is Disabled or Not Configured, then the user will be able to use input methods enabled f
s. The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if
s. The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if
however, they will be unable to customize those choices. The user cannot customize their user locale with user
however, they will be unable to customize those choices. The user cannot customize their user locale with user
ge selected by the local administrator. If you disable or do not configure this policy setting, there is no restrictio
If you enable this policy setting, the user cannot see the Administrative options. If you disable or do not configu
nfigure this policy setting, the user sees the option for changing the user location (GeoID). Note: Even if a user
atically. If you disable or do not configure this policy setting, the user sees the option for changing the UI langua
t configure this policy setting, the user sees the regional formats options for changing and customizing the user
users from specifying a language different than the one used. To enable this policy setting in Windows Vista, u
icolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system loc
e the per-computer policy setting. The locale list is specified using language tags, separated by a semicolon (;).
e the per-computer policy setting. The locale list is specified using language tags, separated by a semicolon (;).
fferent than any of the system UI languages. If you disable or do not configure this policy setting, the user can s
this policy setting, the language selection defaults to the language selected by the user. If you disable or do no
d, then the user will be free to change the setting according to their preference. Note that the availability and f
rom the Internet Explorer browser history. The information that is stored includes word frequency and new word
rom the Internet Explorer browser history. The information that is stored includes word frequency and new word
user will be free to change the setting according to their preference. Note that the availability and function of
will be locked to not insert a space after selecting a text prediction. If the policy is Disabled or Not Configured, t
Disabled or Not Configured, then the user will be free to change the setting according to their preference. Note
. - Users do not receive their roaming profiles; they receive a local profile on the computer from the local fores
or: - If you originally created the GPO with, for example, an English system, the GPO contains English ADM files
onous manner. Client computers will not wait for the network to be fully initialized at startup and logon. Existing
rmal rules for evaluating if the Direct Access connection is a fast or slow network connection. If no bandwidth sp
an use the check boxes provided to change the options. If you disable or do not configure this policy setting, it h
vided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
ngs that the program implementing the folder redirection policy setting set when it was installed. If you enable
read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Polic
Directory Snap-ins" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domai
ting the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you
ting the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you
f you enable this policy setting, you can use the check boxes provided to change the options. If you disable or d
ble this policy setting, you can use the check boxes provided to change the options. If you disable or do not con
before running logon scripts. If you disable this policy setting, Group Policy will run scripts immediately after lo
r do not configure this policy setting, it has no effect on the system. The "Do not apply during periodic backgrou
If you disable or do not configure this setting, it has no effect on the system. The "Allow processing across a slo
e the options. If you disable or do not configure this policy setting, it has no effect on the system. The "Do not a
g overrides customized settings that the program implementing the software installation policy set when it was
gs apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy Obje
ded to change the options. If you disable this setting or do not configure it, it has no effect on the system. The
oxes provided to change the options. If you disable this setting or do not configure it, it has no effect on the sys
ect links for use on the system. If you disable this setting or do not configure it, new Group Policy object links a
rs. If you enable or disable this policy setting, by default administrators can view RSoP data. Note: To view RSoP
rs. If you enable or disable this policy setting, by default administrators can view RSoP data. Note: To view RSoP
cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When G
entries in other subkeys. If you enable this policy setting, the "Show Policies Only" command is turned on, and
s up. It also applies at a specified refresh interval or when manually invoked by the user. Note: This policy settin
f this setting is Disabled or Not Configured, the default display name of New Group Policy object is used.
y 90 minutes, with a random offset of 0 to 30 minutes. If you enable this setting, you can specify an update rat
elect 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates
om offset of 0 to 30 minutes. If you enable this setting, you can specify an update rate from 0 to 64,800 minut
nfiguring this policy setting overrides any system-computed wait times. If you enable this policy setting, Group
ase, configuring this policy setting overrides any system-computed wait times. If you enable this policy setting,
ectory and the source files stored in the GPO. If the local files are newer, they are copied into the GPO. Changi
orking. The frequency of updates is determined by the "Set Group Policy refresh interval for computers" and "Se
system does not process and apply any Local GPOs. If you disable or do not configure this policy setting, Local
you disable or do not configure this setting, RSoP logging is turned on. By default, RSoP logging is always on. N
o process even if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "
t configure this policy setting, by default event logging for this extension includes only warnings and errors, and
and to process even if the Group Policy objects (GPOs) are unchanged. By default, background processing priorit
not configure this policy setting, by default event logging for this extension includes only warnings and errors,
n if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle." Notes:
his policy setting, by default event logging for this extension includes only warnings and errors, and tracing for t
process even if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "I
onfigure this policy setting, by default event logging for this extension includes only warnings and errors, and tra
nd processing, and to process even if the Group Policy objects (GPOs) are unchanged. By default, background p
not configure this policy setting, by default event logging for this extension includes only warnings and errors, an
oup Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle." Notes: 1. The "A
etting, by default event logging for this extension includes only warnings and errors, and tracing for this extensi
nnection, to be applied during background processing, and to process even if the Group Policy objects (GPOs) a
r do not configure this policy setting, by default event logging for this extension includes only warnings and erro
if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle." Notes: 1
policy setting, by default event logging for this extension includes only warnings and errors, and tracing for this
en if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle." Notes
s policy setting, by default event logging for this extension includes only warnings and errors, and tracing for th
process even if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Id
his policy setting, by default event logging for this extension includes only warnings and errors, and tracing for t
pplied during background processing, and to process even if the Group Policy objects (GPOs) are unchanged. By
for client computers. If you disable or do not configure this policy setting, by default event logging for this exte
ction, to be applied during background processing, and to process even if the Group Policy objects (GPOs) are u
able or do not configure this policy setting, by default event logging for this extension includes only warnings a
essing, and to process even if the Group Policy objects (GPOs) are unchanged. By default, background processin
le or do not configure this policy setting, by default event logging for this extension includes only warnings and
be applied during background processing, and to process even if the Group Policy objects (GPOs) are unchanged
do not configure this policy setting, by default event logging for this extension includes only warnings and erro
ork connection, to be applied during background processing, and to process even if the Group Policy objects (GP
is policy setting, by default event logging for this extension includes only warnings and errors, and tracing for th
rocessing, and to process even if the Group Policy objects (GPOs) are unchanged. By default, background proces
sable or do not configure this policy setting, by default event logging for this extension includes only warnings a
even if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle." Not
his policy setting, by default event logging for this extension includes only warnings and errors, and tracing for
on, to be applied during background processing, and to process even if the Group Policy objects (GPOs) are unch
able or do not configure this policy setting, by default event logging for this extension includes only warnings an
ven if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle." Note
this policy setting, by default event logging for this extension includes only warnings and errors, and tracing for
s even if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle." N
ure this policy setting, by default event logging for this extension includes only warnings and errors, and tracing
process even if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Id
nfigure this policy setting, by default event logging for this extension includes only warnings and errors, and tra
pplication snap-ins. Enabling this policy setting does not override policy settings that restrict the use of preferen
ou disable this policy setting, you prohibit use of the preference extension. If you do not configure this policy se
policy setting, you permit use of the Control Panel Settings item and all preference extensions under Control Pa
y setting, you permit use of the Control Panel Settings item and all preference extensions under Control Panel S
sers)" policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of
" policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-
u disable this policy setting, you prohibit use of the preference extension. If you do not configure this policy set
ou disable this policy setting, you prohibit use of the preference extension. If you do not configure this policy s
ble this policy setting, you prohibit use of the preference extension. If you do not configure this policy setting, y
Users)" policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list o
sable this policy setting, you prohibit use of the preference extension. If you do not configure this policy setting
sable this policy setting, you prohibit use of the preference extension. If you do not configure this policy setting
verrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable this policy se
Settings (Users)" policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permit
s (Users)" policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list
If you disable this policy setting, you prohibit use of the preference extension. If you do not configure this polic
Users)" policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list o
ing this policy setting does not override policy settings that restrict the use of preference extensions. If you disa
" policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-
verrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable this policy s
isable this policy setting, you prohibit use of the preference extension. If you do not configure this policy settin
s (Users)" policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list
rides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable this policy setti
disable this policy setting, you prohibit use of the preference extension. If you do not configure this policy setti
es the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable this policy setting
gs asynchronously, when logging on through Remote Desktop Services. If you disable or do not configure this p
n the specified folders and their subfolders. To restrict the commands to one or more folders, enable the policy
: You can also restrict users from running applications by using the Software Restriction Policy settings available
: You can also restrict users from running applications by using the Software Restriction Policy settings available
able is turned off. This will allow certain legacy ActiveX controls to function without DEP shutting down HTML He
his policy setting, the default behavior applies (Help viewer renders trusted assistance content with active elem
n on the Help Experience Improvement program feature from the Help and Support settings page.
ction to the Internet and have not disabled Windows Online from the Help and Support Options page.
enable this policy setting, or if you do not configure this policy setting, WLAN hotspots are automatically probed
ction are set such that their respective features can access the Internet. If you do not configure this policy settin
ction are set such that their respective features can access the Internet. If you do not configure this policy settin
e notified about nor will you receive critical updates from Windows Update. This policy setting also prevents Dev
the Store" item in the Open With dialog is removed. If you disable or do not configure this policy setting, the us
the Store" item in the Open With dialog is removed. If you disable or do not configure this policy setting, the us
P and other products of companies and organizations that it considers trusted authorities. If you enable this pol
ers cannot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download
ers cannot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download
nformation about the event to Microsoft, and allows users to learn more about why that event occurred. If you e
u disable or do not configure this policy setting, the Help and Support Center retrieves and displays "Did you kn
m the Help and Support Center "Set search options" page, and only Help content on the local computer is search
his policy setting, users can connect to Microsoft to download a list of ISPs for their area.
y setting, Windows does not download providers, and only the service providers that are cached in the local reg
y setting, Windows does not download providers, and only the service providers that are cached in the local reg
using the Web service to open an unhandled file association are removed. If you disable or do not configure th
using the Web service to open an unhandled file association are removed. If you disable or do not configure th
this client from printing to Internet printers over HTTP. If you disable or do not configure this policy setting, use
this client from printing to Internet printers over HTTP. If you disable or do not configure this policy setting, use
Note that registration is optional and involves submitting some personal information to Microsoft. However, Win
ownload content updates during searches. If you disable or do not configure this policy setting, Search Compan
n Windows folders. If you disable or do not configure this policy setting, the tasks are shown.
n Windows folders. If you disable or do not configure this policy setting, the tasks are shown.
nger does not collect usage information, and the user settings to enable the collection of usage information are
nger does not collect usage information, and the user settings to enable the collection of usage information are
salesperson will call, and you can continue working without interruption. It is simple and user-friendly. If you en
via the Internet or to a corporate file share. This policy setting overrides any user setting made from the Contr
s policy setting, NCSI does not run either of the two active tests. This may reduce the ability of NCSI, and of othe
Update is optional when installing a device. Also see "Turn off Windows Update device driver search prompt" in "
p Policy setting. Enabling this setting will not have any effect on IIS if IIS is already installed on the computer. If
ge to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable
ys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes
ys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes
Accelerators that are provided through first use of the browser.
Accelerators that are provided through first use of the browser.
has Accelerators that are provided through first use of the browser.
has Accelerators that are provided through first use of the browser.
h defines whether add-ons not listed here are assumed to be denied. If you enable this policy setting, you can e
h defines whether add-ons not listed here are assumed to be denied. If you enable this policy setting, you can e
d in each zone for which Script and Binary Behaviors is set to 'admin-approved'. Behaviors must be entered in #
d in each zone for which Script and Binary Behaviors is set to 'admin-approved'. Behaviors must be entered in #
ement user preferences and policy settings. If you disable or do not configure this policy setting, all processes w
ement user preferences and policy settings. If you disable or do not configure this policy setting, all processes w
isable or do not configure this policy setting, binary behaviors are allowed for all processes.
isable or do not configure this policy setting, binary behaviors are allowed for all processes.
xplorer renames the file by saving it in the Internet Explorer cache and changing its extension. If you enable thi
is used as an attack vector to load malicious HTML code. If you enable this policy setting, the Local Machine zo
is used as an attack vector to load malicious HTML code. If you enable this policy setting, the Local Machine zo
If you disable this policy setting, restricting content obtained through restricted protocols is prevented for all pro
If you disable this policy setting, restricting content obtained through restricted protocols is prevented for all pro
e Notification bar will be displayed for all processes. If you disable or do not configure this policy setting, the No
e Notification bar will be displayed for all processes. If you disable or do not configure this policy setting, the No
ed Zone sites.
ed Zone sites.
ny zone can be protected from zone elevation for all processes. If you disable or do not configure this policy set
ny zone can be protected from zone elevation for all processes. If you disable or do not configure this policy set
or all processes.
or all processes.
are not user initiated for all processes.
are not user initiated for all processes.
ou disable or do not configure this policy setting, scripted windows are not restricted.
ou disable or do not configure this policy setting, scripted windows are not restricted.
r protocols on the restricted list. If you select Prompt from the drop-down box, the Notification bar will appear to
ected, even for protocols on the restricted list. If you select Prompt from the drop-down box, the Notification bar
ected, even for protocols on the restricted list. If you select Prompt from the drop-down box, the Notification bar
configure this policy setting, script code on pages in the zone can run automatically.
configure this policy setting, users are queried to choose whether to allow script code on pages in the Local Mac
configure this policy setting, script code on pages in the zone is prevented from running.
licy are available. If you disable this policy setting, binary and script behaviors are not available unless applica
f you do not configure this policy setting, a script can perform a clipboard operation.
f you do not configure this policy setting, a script cannot perform a clipboard operation.
deleting browsing history on exit is turned off. If you do not configure this policy setting, it can be configured on
deleting browsing history on exit is turned off. If you do not configure this policy setting, it can be configured on
files or copying and pasting files from this zone. If you do not configure this policy setting, users can drag files o
files or copying and pasting files from this zone. If you do not configure this policy setting, users are queried to
this policy setting, files can be downloaded from the zone.

this policy setting, files are prevented from being downloaded from the zone.
e this policy setting, HTML fonts can be downloaded automatically.
e this policy setting, users are queried whether to allow HTML fonts to download.
etting, users will be prompted when non-Internet Explorer components would be installed. If you do not configu
etting, users will be prompted when non-Internet Explorer components would be installed. If you do not configu
ng, Web components such as fonts will be automatically installed as necessary. If you disable this policy setting
ng, Web components such as fonts will be automatically installed as necessary. If you disable this policy setting
ng desktop items from this zone. If you do not configure this policy setting, users are queried to choose whethe
ng desktop items from this zone. If you do not configure this policy setting, users can install desktop items from
ng desktop items from this zone. If you do not configure this policy setting, users are prevented from installing
display UI during shutdown (default behavior in Internet Explorer 9).
display UI during shutdown (default behavior in Internet Explorer 9).
n HTML5 media elements" setting on the Advanced tab in the Internet Options dialog box.
n HTML5 media elements" setting on the Advanced tab in the Internet Options dialog box.
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for
er. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loadi
s prompted for loading XPS files. If you disable this policy setting, XPS files are not loaded inside Internet Explor
that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you
u disable this policy setting, users won't receive enhanced suggestions while typing in the Address bar. In addit
u disable this policy setting, users won't receive enhanced suggestions while typing in the Address bar. In addit
t see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
to the WebBrowser control is allowed only in the Local Machine and Intranet zones.
dows and windows that include the title and status bars cannot be run. This Internet Explorer security feature wi
ll files with an invalid signature. If you do not configure this policy, users can choose to run or install files with a
ll files with an invalid signature. If you do not configure this policy, users can choose to run or install files with a
cannot change this policy setting. The "Turn off image display" policy setting must be disabled if this policy sett
ou disable this policy setting, browser helper objects do not launch. If you do not configure this policy, Internet
ou disable this policy setting, browser helper objects do not launch. If you do not configure this policy, Internet
and video files. If you enable this policy setting, video and animation can be played through older media playe
ng, the user can choose whether websites can open new Internet Explorer Windows that have no status bar or A
database and caches on Website Data Settings will be unavailable to users. If you do not configure this policy se
database and caches on Website Data Settings will be unavailable to users. If you do not configure this policy se
bsite database and caches on Website Data Settings will be unavailable to users. If you do not configure this po
bsite database and caches on Website Data Settings will be unavailable to users. If you do not configure this po
List is enabled or inPrivate Browsing mode is used. For at least Internet Explorer 11: If you disable this policy se
List is enabled or inPrivate Browsing mode is used. For at least Internet Explorer 11: If you disable this policy se
tor-approved controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click
. If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification ba
. If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX cont
ee the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the
ects, or Explorer bars. ActiveX controls are referred to as plug-ins and are not part of this definition. If you enab
ects, or Explorer bars. ActiveX controls are referred to as plug-ins and are not part of this definition. If you enab
wnload new versions when they are available. If you disable this policy setting, Internet Explorer does not check
wnload new versions when they are available. If you disable this policy setting, Internet Explorer does not check
and enabled. If you disable this policy setting, the user is prompted when a script that is running in any process
and enabled. If you disable this policy setting, the user is prompted when a script that is running in any process
the zone behavior is currently set to prompt, it will be bypassed and enabled. If you disable this policy setting,
the zone behavior is currently set to prompt, it will be bypassed and enabled. If you disable this policy setting,
ot configure it, this control will not be designated as administrator-approved. To specify how administrator-appro
of Internet Explorer before Internet Explorer 8, the default connection limit for HTTP 1.1 was 2.
of Internet Explorer before Internet Explorer 8, the default connection limit for HTTP 1.1 was 2.
voked. If you disable this policy setting, Internet Explorer will not check server certificates to see if they have be
voked. If you disable this policy setting, Internet Explorer will not check server certificates to see if they have be
g them to user computers. If you disable this policy setting, Internet Explorer will not check the digital signature
g them to user computers. If you disable this policy setting, Internet Explorer will not check the digital signature
m. If you enable the Media Explorer Bar or do not configure it, users can show and hide the Media Explorer Bar.
ecify to enable or disable the blocking of attachments in options.
ctive text: Some command buttons have only text; some have icons and text. Show only icons: All command bu
ctive text: Some command buttons have only text; some have icons and text. Show only icons: All command bu
example, "MSIE 7.0").
example, "MSIE 7.0").
process" policy setting is enabled, the processes configured in this policy setting take precedence over that pol
process" policy setting is enabled, the processes configured in this policy setting take precedence over that pol
nied through Group Policy. However, users can still use the Add-on Manager within Internet Explorer to manage
nied through Group Policy. However, users can still use the Add-on Manager within Internet Explorer to manage
ll be available as an administrator approved control and can be run if the user specifies to run administrator-ap
the pages in the History List. You must specify the number of days that Internet Explorer tracks views of pages
the pages in the History List. You must specify the number of days that Internet Explorer tracks views of pages
ve Desktop items from Microsoft's Active Desktop Gallery, to their desktop. If you disable this policy or do not co
e this policy or do not configure it, users can add new offline content schedules. This policy is intended for orga
chronize, select a Web page, click the Properties button, and then click the Schedule tab. If you disable this poli
s. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Se
dministrator control which components the user installs.
ve Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy
sable the Advanced page" policy (located in \User Configuration\Administrative Templates\Windows Component
ng Internet Explorer Maintenance under Admin Templates using group policy editor. If you disable or do no con
ng Internet Explorer Maintenance under Admin Templates using group policy editor. If you disable or do no con
edules and contacts, if programs that perform these tasks are installed. This "Disable the Programs Page" policy
that have already been accepted. The "Disable the Content page" policy (located in \User Configuration\Admini
lor of Web pages. If you set the "Disable the General page" policy (located in \User Configuration\Administrative
xplorer\Internet Control Panel), you do not need to set this policy, because the "Disable the Connections page" p
xplorer\Internet Control Panel), you do not need to set this policy, because the "Disable the Connections page" p
When Internet Explorer performs this check, it prompts the user to specify which browser to use as the default.
policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet
er home page policies. If you disable or do not configure this policy setting, the Home page box is enabled and
b sites for languages in which the character set has been installed. If you set the "Disable the General page" po
you set the "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows
newsgroups, and placing Internet calls, if programs that perform these tasks are installed. The "Disable the Pro
inistrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Conten
mplates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Ratings tab from In
configure this policy setting, the user can add secondary home pages. Note: If the Disable Changing Home Pag
configure this policy setting, the user can add secondary home pages. Note: If the Disable Changing Home Pag
configure it, users can change their cache settings. If you set the "Disable the General page" policy (located in \
onfigure it, users can view and subscribe to channels from the Channel bar interface.
ou enable this policy, the Customize option will be removed from the menu. If you disable this policy or do not
icy can be used in coordination with the "Disable customizing browser toolbar buttons" policy, which prevents u
nt has been updated since the last time the user synchronized with or visited the page. If you disable this policy
hronize, select a Web page, click the Properties button, and then click the Schedule tab. If you disable this polic
page, and then click the Properties button, no properties are displayed. Users do not receive an alert stating th
ning up for Internet services. This policy is intended for administrators who want to maintain a consistent brow
ws the user to export favorites, feeds and cookies to a file. If you enable this policy setting, the user will not be
ws the user to export favorites, feeds and cookies to a file. If you enable this policy setting, the user will not be
Connection Wizard. If you disable this policy or do not configure it, users can change their connection settings
ers can record information about when their channel pages are viewed by users who are working offline.
menu option" policy, which prevents users from opening the browser in a new window by clicking the File menu,
. This policy is intended to help the administrator maintain version control for Internet Explorer by preventing u
tended to help administrators ensure that users' computers are being updated uniformly across their organizati
ected but dimmed. To display the Make This Page Available Offline check box, users click the Tools menu, click Sy
ownload programs from their browsers.
isable this policy or do not configure it, users will be notified before their programs are updated. This policy is in
licy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\), because
licy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\), because
ab from the interface: "Disable Internet Connection Wizard" "Disable changing connection settings" "Prevent
ab from the interface: "Disable Internet Connection Wizard" "Disable changing connection settings" "Prevent
d in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\), because this policy

d in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\), because this policy
ms tab from the interface: "Disable changing Messaging settings" "Disable changing Calendar and Contact sett
ms tab from the interface: "Disable changing Messaging settings" "Disable changing Calendar and Contact sett
s\Windows Components\Internet Explorer\Internet Control Panel), which removes the Programs tab from Internet
use this policy removes the Security tab from the interface: "Security zones: Do not allow users to change polic
use this policy removes the Security tab from the interface: "Security zones: Do not allow users to change polic
o display the nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Promp
rces all websites to run in Enhanced Protected Mode. Enhanced Protected Mode provides additional protection a
rces all websites to run in Enhanced Protected Mode. Enhanced Protected Mode provides additional protection a
e Reset Internet Explorer Settings.
e Reset Internet Explorer Settings.
can still manage the add-on through the Add-On Manager. If you disable or do not configure this policy setting
can still manage the add-on through the Add-On Manager. If you disable or do not configure this policy setting
s and developers will not be able to depend on the reveal password button being displayed in any web form or w
s and developers will not be able to depend on the reveal password button being displayed in any web form or w
uthentication" message when they connect to a Web site that has no certificate or only one certificate. If you do
rer will save encrypted pages containing secure (HTTPS) information to the cache. If you do not configure this p
rer will save encrypted pages containing secure (HTTPS) information to the cache. If you do not configure this p
t's safe to create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer a
t's safe to create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer w
e policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, users are qu
e policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, users can do
e policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, signed contr
ble this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users can
ble this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users are
ble this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users are
emporary Internet Files folder when all browser windows are closed. If you disable this policy setting, Internet Ex
emporary Internet Files folder when all browser windows are closed. If you disable this policy setting, Internet Ex
ble, users cannot drag content from one domain to a different domain when both the source and destination are
le, users cannot drag content from one domain to a different domain when the source and destination are in the
cy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on
The menu bar contains menus that open lists of commands for printing, customizing Internet Explorer, copying
The menu bar contains menus that open lists of commands for printing, customizing Internet Explorer, copying
d value range is 3 through 30. If you enable this policy setting, the selected value is enforced. If you disable or
d value range is 3 through 30. If you enable this policy setting, the selected value is enforced. If you disable or
ed value range is 3 through 30. If you enable this policy setting, the selected value is enforced. If you disable o
ed value range is 3 through 30. If you enable this policy setting, the selected value is enforced. If you disable o
nd is not available.
en a new browser window from the File menu. Caution: This policy does not prevent users from opening a new
olicy does not prevent users from right-clicking a link on a Web page, and then clicking the Open or Open in New
kup language (HTML) files or as text files, but graphics, scripts, and other elements are not saved. To display th
e entire contents that are displayed or run from a Web Page, such as graphics, scripts, and linked files, but does
s from the Microsoft Internet Explorer Help file.
navailable. If you disable this policy or do not configure it, users can manage their Favorites list. Note: If you en
entity option will be removed from the File menu in Address Book. If you disable this policy or do not configure i
a an HTML form. If you disable this policy setting, path information is removed when the user is uploading a file
s are not used. Additionally, the user cannot activate the feature by using the Compatibility View Settings dialo
s are not used. Additionally, the user cannot activate the feature by using the Compatibility View Settings dialo
X controls marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down
es. If you disable or do not configure this policy setting, Internet Explorer 9 does not install binaries signed by M
es. If you disable or do not configure this policy setting, Internet Explorer 9 does not install binaries signed by M
net Explorer dialog.
, binary behaviors are allowed for the File Explorer and Internet Explorer processes. If you do not configure this
, binary behaviors are allowed for the File Explorer and Internet Explorer processes. If you do not configure this
where the Local Machine zone is used as an attack vector to load malicious HTML code. If you enable this polic
where the Local Machine zone is used as an attack vector to load malicious HTML code. If you enable this polic
configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.
configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.
ocol will work for the File Explorer and Internet Explorer processes. If you do not configure this policy setting, th
ocol will work for the File Explorer and Internet Explorer processes. If you do not configure this policy setting, th
ses. For example, you can restrict active content from pages served over the http and https protocols by adding
ses. For example, you can restrict active content from pages served over the http and https protocols by adding
et Explorer processes. If you do not configure this policy setting, the Notification bar will be displayed for Intern
et Explorer processes. If you do not configure this policy setting, the Notification bar will be displayed for Intern
xplorer processes. If you do not configure this policy setting, an object reference is no longer accessible when n
xplorer processes. If you do not configure this policy setting, an object reference is no longer accessible when n
here is no security context. If you enable this policy setting, any zone can be protected from zone elevation by I
here is no security context. If you enable this policy setting, any zone can be protected from zone elevation by I
rence will be used to determine whether to block ActiveX control installations for Internet Explorer processes.
rence will be used to determine whether to block ActiveX control installations for Internet Explorer processes.
termines whether to prompt for file downloads that are not user initiated for Internet Explorer processes.
termines whether to prompt for file downloads that are not user initiated for Internet Explorer processes.
xplorer and Internet Explorer processes. If you disable this policy setting, scripts can continue to create popup w
xplorer and Internet Explorer processes. If you disable this policy setting, scripts can continue to create popup w
for a zone, this sets the list of protocols to be restricted if that zone is set to Prompt or Disable for "Allow active
you do not configure this template policy setting, no security level is configured. Note. Local Machine Zone Lock
e (so would typically be in the Internet Zone). If you do not configure this policy setting, users choose whether t
e (so would typically be in the Internet Zone). If you do not configure this policy setting, users choose whether t
mapped into the Intranet Zone.
mapped into the Intranet Zone.
setting, users choose whether sites which bypass the proxy server are mapped into the Intranet Zone.
setting, users choose whether sites which bypass the proxy server are mapped into the Intranet Zone.
roved. Select the check boxes for the controls that you want to designate as administrator-approved. To specify
space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables a
nd download files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevente
e Stop and Refresh buttons are next to the Address bar by default, and the user can choose to move them.
e Stop and Refresh buttons are next to the Address bar by default, and the user can choose to move them.
silently for the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and
from user to user.
proved, click Enabled, and then select the check box for the control: -- MCSiMenu - enables Web authors to cont
ure it, these controls will not be designated as administrator-approved. To specify how administrator-approved c
designated as administrator-approved. To specify how administrator-approved controls are handled for each se
r-approved controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click U
he following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then cl
k boxes for the controls that you want to designate as administrator-approved. To specify how administrator-app
disable this policy setting, users cannot open windows and frames to access applications from different domains
ther domains. If you disable this policy setting, users cannot open other windows and frames from other domai
out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and th
t configure this policy setting, users can choose whether to be notified that Internet Explorer is not the default w
ed pictures, helping pages display more quickly. If you do not configure this policy setting, Internet Explorer wi
ed pictures, helping pages display more quickly. If you do not configure this policy setting, Internet Explorer wi
nt, helping pages display more quickly. If you enable this policy setting, Internet Explorer will play sounds found
nt, helping pages display more quickly. If you enable this policy setting, Internet Explorer will play sounds found
lay more quickly. If you do not configure this policy setting, Internet Explorer will play videos found in Web cont
lay more quickly. If you do not configure this policy setting, Internet Explorer will play videos found in Web cont
are allowed, so *.contoso.com is also valid. If you disable this or do not configure this policy setting, you will no
are allowed, so *.contoso.com is also valid. If you disable this or do not configure this policy setting, you will no
options for printing, customizing Internet Explorer, copying and pasting text, managing favorites, and accessin
d be disabled.
d be disabled.
utton on the Settings charm. If you disable or do not configure this policy setting, the user can access the Dele
utton on the Settings charm. If you disable or do not configure this policy setting, the user can access the Dele
e this policy setting, the Internet Explorer Help menu is available to the user. The user can also use the Comman
e this policy setting, the Internet Explorer Help menu is available to the user. The user can also use the Comman
the feed discovery button.
the feed discovery button.
this policy setting, the user can bypass SmartScreen Filter warnings.
this policy setting, the user can bypass SmartScreen Filter warnings.
ou disable or do not configure this policy setting, the user can manage pop-ups by changing the filter level. You
ou disable or do not configure this policy setting, the user can manage pop-ups by changing the filter level. You
ates to Internet Explorer and Internet Tools.
eated in this scenario. Open a new Internet Explorer window. If you disable or do not configure this policy set
eated in this scenario. Open a new Internet Explorer window. If you disable or do not configure this policy set
hift+Select. If you disable or do not configure this policy setting, the user can configure how new tabs are create
hift+Select. If you disable or do not configure this policy setting, the user can configure how new tabs are create
arch button. Display the results in the main window: When the user searches on the Address bar, the list of se
arch button. Display the results in the main window: When the user searches on the Address bar, the list of se
the user is directed to an external top result website determined by the search provider, if available. If you ena
the user is directed to an external top result website determined by the search provider, if available. If you ena
browsing. With at least Internet Explorer 11: This policy setting prevents users from deleting ActiveX Filtering
browsing. With at least Internet Explorer 11: This policy setting prevents users from deleting ActiveX Filtering
ks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enab
ks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enab
eserve download history when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy
eserve download history when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy
favorites site data when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy settin
favorites site data when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy settin
e clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting i
e clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting i
when the user clicks Delete. If you disable this policy setting, InPrivate Filtering data is deleted when the user c
when the user clicks Delete. If you disable this policy setting, InPrivate Filtering data is deleted when the user c
she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy settin
she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy settin
o delete or preserve temporary Internet files when he or she clicks Delete. If the "Prevent access to Delete Brow
o delete or preserve temporary Internet files when he or she clicks Delete. If the "Prevent access to Delete Brow
s policy setting, the user can choose whether to delete or preserve visited websites when he or she clicks Delet
s policy setting, the user can choose whether to delete or preserve visited websites when he or she clicks Delet
ync Engine to download an enclosure through the Feed property page. A developer can change the download s
ync Engine to download an enclosure through the Feed property page. A developer can change the download s
able this policy setting, Internet Explorer does not enumerate search providers for the Accelerators infrastructur
able this policy setting, Internet Explorer does not enumerate search providers for the Accelerators infrastructur
ernet Explorer process's Pop-Up Blocker settings by enabling the "Specify pop-up allow list" policy setting.
ernet Explorer process's Pop-Up Blocker settings by enabling the "Specify pop-up allow list" policy setting.
ft without prompting the user. If you disable or do not configure this policy setting, the user is prompted to deci
ft without prompting the user. If you disable or do not configure this policy setting, the user is prompted to deci
only local analysis, and the user is prompted to permit any data to be sent to Microsoft. If the feature is fully en
only local analysis, and the user is prompted to permit any data to be sent to Microsoft. If the feature is fully en
elp menu. If you do not configure this policy setting, the user can choose to participate in the CEIP.
elp menu. If you do not configure this policy setting, the user can choose to participate in the CEIP.
th Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display re
th Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display re
olicy setting, the user cannot specify the cipher strength update information URL. You must specify the cipher st
ou disable or do not configure this policy setting, the user can specify the download path for the code.
u disable or do not configure this policy setting, the user can specify the color of links already clicked.
u disable or do not configure this policy setting, the user can specify the color of links not yet clicked.
isable or do not configure this policy setting, the user can subscribe to a feed or Web Slice through the Subscrib
isable or do not configure this policy setting, the user can subscribe to a feed or Web Slice through the Subscrib
ession. If you disable this policy setting, toolbars and BHOs are loaded by default during an InPrivate Browsing s
ession. If you disable this policy setting, toolbars and BHOs are loaded by default during an InPrivate Browsing s
nternet files and cookies.
nternet files and cookies.
ss list. If you enable this policy setting and enter a Value of 1, the process entered will respect the add-on mana
ss list. If you enable this policy setting and enter a Value of 1, the process entered will respect the add-on mana
s policy setting and enter a Value of 1 binary behaviors are prevented. If you enter a Value of 0 binary behaviors
s policy setting and enter a Value of 1 binary behaviors are prevented. If you enter a Value of 0 binary behaviors
xplorer renames the file by saving it in the Internet Explorer cache and changing its extension. This policy settin
xplorer renames the file by saving it in the Internet Explorer cache and changing its extension. This policy settin
e zone is used as an attack vector to load malicious HTML code. If you enable this policy setting and enter a val
e zone is used as an attack vector to load malicious HTML code. If you enable this policy setting and enter a val
to more dangerous file types. The Value Name is the name of the executable. If a Value Name is empty or the V
to more dangerous file types. The Value Name is the name of the executable. If a Value Name is empty or the V
e MK protocol is allowed. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do no
e MK protocol is allowed. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do no
owed. If you enable this policy setting and enter a Value of 1, restricting content obtained through restricted pr
owed. If you enable this policy setting and enter a Value of 1, restricting content obtained through restricted pr
n bar is displayed. If you enter a Value of 0 the Notification bar is not displayed. The Value Name is the name of
n bar is displayed. If you enter a Value of 0 the Notification bar is not displayed. The Value Name is the name of
erences to objects are still accessible after navigation. The Value Name is the name of the executable. If a Value
erences to objects are still accessible after navigation. The Value Name is the name of the executable. If a Value
on if there is no security context. This policy setting allows administrators to define applications for which they
on if there is no security context. This policy setting allows administrators to define applications for which they
the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: us
the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: us
ame is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer process
ame is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer process
s security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1, such wind
s security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1, such wind
n the Security tab of the Internet Options dialog box. Filters are not rendered by default in this zone.
n the Security tab of the Internet Options dialog box. Filters are rendered by default in this zone.
enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any
enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any
own box, Internet Explorer will prompt the user to determine whether to execute unsigned managed component
x, Internet Explorer will prompt the user to determine whether to execute signed managed components. If you
g. If you do not configure this policy setting, controls and plug-ins can run without user intervention.
g. If you do not configure this policy setting, controls and plug-ins are prevented from running.
do not configure this policy setting, script interaction can occur automatically without user intervention.
do not configure this policy setting, script interaction is prevented from occurring.
this policy setting, scripts can access applets automatically without user intervention.
this policy setting, scripts are prevented from accessing applets.
s can press F3 to search the Internet (from Internet Explorer) or the hard disk (from File Explorer). This policy is
y is designed to help administrators maintain consistent settings for searching across an organization.
it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settin
ne settings established by the administrator. Note: The "Disable the Security page" policy (located in \User Con
urity zone settings apply uniformly to the same computer and do not vary from user to user. Also, see the "Secu
names are converted to IDN format only for addresses that are not in the Intranet zone. 2) Unicode domain nam
names are converted to IDN format only for addresses that are not in the Intranet zone. 2) Unicode domain nam
is group policy sets the maximum file storage limit for domains that are trusted by users. When you set this pol
is group policy sets the maximum file storage limit for domains that are trusted by users. When you set this pol
n this policy setting. If you disable or do not configure this policy setting, Internet Explorer will use the default a
n this policy setting. If you disable or do not configure this policy setting, Internet Explorer will use the default a
tabases and application caches.
tabases and application caches.
policy sets the maximum data storage limit for domains that are trusted by users. When you set this policy set
policy sets the maximum data storage limit for domains that are trusted by users. When you set this policy set
is policy setting, Internet Explorer will allow the creation of application caches whose individual manifest file ent
is policy setting, Internet Explorer will allow the creation of application caches whose individual manifest file ent
u provide the resource limit as a number. The default is 1000 resources. If you enable this policy setting, Interne
u provide the resource limit as a number. The default is 1000 resources. If you enable this policy setting, Interne
cy setting, you can set the maximum storage limit for all application caches. The default is 1 GB. If you disable
cy setting, you can set the maximum storage limit for all application caches. The default is 1 GB. If you disable
his policy setting, you can set the maximum storage limit for all indexed databases. The default is 4 GB. If you
his policy setting, you can set the maximum storage limit for all indexed databases. The default is 4 GB. If you
mple physical memory. The default setting creates the optimal number of tab processes based on the operating
mple physical memory. The default setting creates the optimal number of tab processes based on the operating
wing steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Secu
Content tab of the Internet Options dialog box.
Content tab of the Internet Options dialog box.
ars before the files open. If you disable this policy setting, these files do not open. If you do not configure this p
cted Sites zone. Security settings can be set for each of these zones through other policy settings, and their def
cted Sites zone. Security settings can be set for each of these zones through other policy settings, and their def
s to be notified of software updates by e-mail and software packages to be automatically downloaded to (but no
change this option to start with the home page. If you disable this policy setting, Internet Explorer starts a new
change this option to start with the home page. If you disable this policy setting, Internet Explorer starts a new
Wizard does not start automatically. The user can start the wizard manually. If you do not configure this policy
ueried to choose whether to allow information using HTML forms on pages in this zone to be submitted. If you d
that is searched for new information and downloaded. Caution: Although the Maximum Number of Offline Pages
disable this policy or do not configure it, users can change their Internet settings from the browser Tools menu.
g, .NET Framework Setup is turned off. The user cannot change this behavior. If you disable this policy setting,
the user for permission to load an ActiveX control, and Internet Explorer loads the control if it passes all other i
the user for permission to load an ActiveX control, and Internet Explorer loads the control if it passes all other i
ws the user to disable add-ons and configure the threshold. If you enable this policy setting, users are not notifi
ws the user to disable add-ons and configure the threshold. If you enable this policy setting, users are not notifi
If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on
If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on
on or off automatic image resizing.
ain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" 2. "hostname". For exa
ain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" 2. "hostname". For exa
Privacy tab.
Privacy tab.
learType rendering engine.
learType rendering engine.
iltering collection is turned on. If you do not configure this policy setting, InPrivate Filtering data collection can
iltering collection is turned on. If you do not configure this policy setting, InPrivate Filtering data collection can
ity View sites list.
ity View sites list.
you disable or do not configure this policy setting, Internet Explorer uses the user's setting for pop-up windows
you disable or do not configure this policy setting, Internet Explorer uses the user's setting for pop-up windows
on feature for add-on management will be functional.

on feature for add-on management will be functional.
tProcessDEPPolicy function to turn on Data Execution Prevention on platforms that support the function. This po
will be interpreted as a failed URL. If you disable this policy setting, Data URI support is turned on. If you do not
will be interpreted as a failed URL. If you disable this policy setting, Data URI support is turned on. If you do not
t how to correct the problem. The user cannot change this policy setting. If you disable this policy setting, when
n to use. The browser and server attempt to match each others list of supported protocols and versions, and th
n to use. The browser and server attempt to match each others list of supported protocols and versions, and th
etting, the first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, th
king the icon that represents the image and then clicking Show Picture. The "Allow the display of image downlo
toComplete for File Explorer is turned on. The user cannot turn it off. If you do not configure this policy setting,
tting, InPrivate Browsing can be turned on or off through the registry.
tting, InPrivate Browsing can be turned on or off through the registry.
ons, and InPrivate Filtering data is not collected. If you disable this policy setting, InPrivate Filtering is available
ons, and InPrivate Filtering data is not collected. If you disable this policy setting, InPrivate Filtering is available
ds websites and content in the background. If you don't configure this policy setting, users can turn this behavi
ds websites and content in the background. If you don't configure this policy setting, users can turn this behavi
are not on the filter's allow list are sent automatically to Microsoft without prompting the user. If you disable or
are not on the filter's allow list are sent automatically to Microsoft without prompting the user. If you disable or
e this policy setting, the user can turn on or off page transitions. This feature only applies to versions of Interne
configure this policy setting, users can turn this behavior on or off, using Internet Explorer settings. The default
configure this policy setting, users can turn this behavior on or off, using Internet Explorer settings. The default
ndows launched off screen will continue to be re-positioned onscreen. If you disable or do not configure this po
ndows launched off screen will continue to be re-positioned onscreen. If you disable or do not configure this po
not be available, and users will not see printers under the Devices charm. If you disable or do not configure thi
not be available, and users will not see printers under the Devices charm. If you disable or do not configure thi
users can also choose to allow this information to be shared with the Web site in the future without being prom
users can also choose to allow this information to be shared with the Web site in the future without being prom
ting. If you disable this policy setting, Internet Explorer allows sending the path portion of URLs as UTF-8. The u
ngs for URLs that are in the Intranet zone. 3) Always encode query strings. If you disable or don't configure thi
ngs for URLs that are in the Intranet zone. 3) Always encode query strings. If you disable or don't configure thi
d entry points appear on the user interface for Internet Explorer, and the user cannot turn them off. If you do n
d entry points appear on the user interface for Internet Explorer, and the user cannot turn them off. If you do n
he auto-complete for web-address setting. If you do not configure this policy setting, a user will have the freedo
he auto-complete for web-address setting. If you do not configure this policy setting, a user will have the freedo
e background. If you disable this policy setting, flip ahead with page prediction is turned on and the next webp
e background. If you disable this policy setting, flip ahead with page prediction is turned on and the next webp
ough a server. If you enable this policy setting, websites cannot request data across domains by using the WebS
ough a server. If you enable this policy setting, websites cannot request data across domains by using the WebS
domains by using the XDomainRequest object. If you disable or do not configure this policy setting, websites ca
domains by using the XDomainRequest object. If you disable or do not configure this policy setting, websites ca
eck. If you enable this policy setting, the toolbar upgrade tool does not check for incompatible toolbars. The us
eck. If you enable this policy setting, the toolbar upgrade tool does not check for incompatible toolbars. The us
essions, and Tracking Protection data is not collected. If you disable this policy setting, Tracking Protection is av
essions, and Tracking Protection data is not collected. If you disable this policy setting, Tracking Protection is av
ing, URL Suggestions will be turned on. Users will not be able to turn off URL Suggestions. If you do not configu
ing, URL Suggestions will be turned on. Users will not be able to turn off URL Suggestions. If you do not configu
Complete for providing relevant results in the Address bar. The user cannot change this setting. If you disable t
Complete for providing relevant results in the Address bar. The user cannot change this setting. If you disable t
running in Enhanced Protected Mode on 64-bit versions of Windows. If you disable this policy setting, Internet E
running in Enhanced Protected Mode on 64-bit versions of Windows. If you disable this policy setting, Internet E
re this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering
re this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering
wever they are configured. If this policy setting is not configured, the user can choose whether or not to automa
wever they are configured. If this policy setting is not configured, the user can choose whether or not to automa
. If you disable this policy setting, Internet Explorer is not started automatically to complete the signup process
s not authenticate feeds to servers by using the Basic authentication scheme in combination with a less secure
s not authenticate feeds to servers by using the Basic authentication scheme in combination with a less secure
owsing is turned on. If you disable this policy setting, Caret Browsing is turned off. If you do not configure this p
owsing is turned on. If you disable this policy setting, Caret Browsing is turned off. If you do not configure this p
ot configure this policy setting, the user can choose whether the certificate address mismatch warning appears
ot configure this policy setting, the user can choose whether the certificate address mismatch warning appears
rer features. The user cannot turn on logging. If you do not configure this policy setting, the user can change th
rer features. The user cannot turn on logging. If you do not configure this policy setting, the user can change th
ript injections.
ript injections.
ript injections.
ript injections.
ript injections.
ript injections.
ript injections.
ript injections.
ript injections.
ript injections.
ript injections.
ript injections.
ript injections.
ript injections.
ript injections.
ript injections.
ript injections.
ript injections.
ript injections.
ript injections.
enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode. If you d
enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode. If you d
user cannot turn it on. If you do not configure this policy setting, the user can turn on or turn off inline AutoCo
(with an additional string appended). Additionally, all Standards Mode webpages appear in Internet Explorer 7 S
(with an additional string appended). Additionally, all Standards Mode webpages appear in Internet Explorer 7 S
lorer. The user cannot change this behavior through the Compatibility View Settings dialog box. If you disable th
lorer. The user cannot change this behavior through the Compatibility View Settings dialog box. If you disable th
ar is turned off by default. The user can turn on or turn off the menu bar.
ar is turned off by default. The user can turn on or turn off the menu bar.
licy setting, a Notification bar notification does not appear when the user loads content from an intranet site tha
licy setting, a Notification bar notification does not appear when the user loads content from an intranet site tha
you disable this policy setting, the printing of background colors and images is turned off. The user cannot turn
rn on Protected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode
n off script debugging. If you disable this policy setting, script debugging is turned off. The user cannot turn on
n this zone for malicious content. Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter
icy setting, the entry points and functionality associated with this feature are turned off. If you do not configure
icy setting, the entry points and functionality associated with this feature are turned off. If you do not configure
If you disable this policy setting, the user is not shown script errors when a page does not appear properly bec
ic Detection, unless specified by the user.
ough proxy connections.

ough proxy connections.
16 x 16 pixels, and the user can make them bigger (20 x 20 pixels).
16 x 16 pixels, and the user can make them bigger (20 x 20 pixels).
windows are prevented from appearing.
t prevented from appearing.
he user can change this behavior on the Internet Explorer Tools menu: Click Internet Options, click the Advanced
he user can change this behavior on the Internet Explorer Tools menu: Click Internet Options, click the Advanced
, or directly within a Web page saved to disk. If you disable this policy setting, users cannot preserve informatio
r without toolbars, which might be confusing for some beginning users.
age by right-clicking a Web page to open the shortcut menu, and then clicking View Source. To prevent users fro
mpt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. If y
t in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you
handwriting recognition error reporting tool or send error reports to Microsoft. If you disable this policy, Tablet PC
handwriting recognition error reporting tool or send error reports to Microsoft. If you disable this policy, Tablet PC
s policy should be applied to all domain controllers to ensure consistent application of this policy in the domain.
ndows Components also needs to be enabled. If you disable or do not configure this policy setting, the domain
ain compound authentication only when the account is explicitly configured. This policy should be applied to all
turn a referral ticket to the client for the appropriate domain. If you disable or do not configure this policy settin
ng logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This va
If you enable this policy setting and the resource domain requests compound authentication, devices that supp
te the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type a realm na
V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in th
not guaranteed valid. If you disable or do not configure this policy setting, the Kerberos client enforces the revo
he client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and
ort claims and compound authentication for Dynamic Access Control and Kerberos armoring. If you disable or do
matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that t
as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities differ
token. If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally a
ver name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Conte
ontrollers to support this policy. If you enable this policy setting, the device's Active Directory account will be co
ns: Automatic: Device will attempt to authenticate using its certificate. If the DC does not support computer ac
er suites: AES_128_CCM How to modify this setting: Arrange the desired cipher suites in the edit box, one cip
hash publication settings are not applied to file servers. In the circumstance where file servers are domain mem
mon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached S
Allow operation while in domain" option to allow LLTDIO to operate on a network interface that's connected to a
l options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option
ustom background.
als, which results in shorter logon times. Group Policy is applied in the background after the network becomes a
sages are displayed to the user during these processes. Note: This policy setting is ignored if the ""Remove Boo
s policy, the welcome screen is displayed each time a user logs on to the computer. This setting applies only to
s policy, the welcome screen is displayed each time a user logs on to the computer. This setting applies only to
or Windows Vista, Windows XP Professional, and Windows 2000 Professional. If you disable or do not configure
or Windows Vista, Windows XP Professional, and Windows 2000 Professional. If you disable or do not configure
olicy setting, the system runs the programs in the run-once list. This policy setting appears in the Computer Co
olicy setting, the system runs the programs in the run-once list. This policy setting appears in the Computer Co
o not configure this policy setting, the Switch User interface is accessible to the user in the three locations.
able program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the
able program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the
w new tabs appears.
w new tabs appears.
you don't configure this setting, employees can choose whether to use Autofill to automatically fill in forms whi
you don't configure this setting, employees can choose whether to use Autofill to automatically fill in forms whi
for tracking info. If you don't configure this setting, employees can choose whether to send Do Not Track reque
for tracking info. If you don't configure this setting, employees can choose whether to send Do Not Track reque
ou disable or don't configure this setting, employees will see the Favorites that they set in the Favorites hub.
ou disable or don't configure this setting, employees will see the Favorites that they set in the Favorites hub.
isable or don't configure this setting, your default Home page is the webpage specified in App settings.
isable or don't configure this setting, your default Home page is the webpage specified in App settings.
ether to use Password Manager to save their passwords locally.
ether to use Password Manager to save their passwords locally.
oft Edge. If you don't configure this setting, employees can choose whether search suggestions appear in the A
oft Edge. If you don't configure this setting, employees can choose whether search suggestions appear in the A
es can't turn it on. If you don't configure this setting, employees can choose whether to use SmartScreen Filter
es can't turn it on. If you don't configure this setting, employees can choose whether to use SmartScreen Filter
crosoft Edge won't use the Enterprise Mode Site List XML file. In this case, employees might experience compati
crosoft Edge won't use the Enterprise Mode Site List XML file. In this case, employees might experience compati
nap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this setting. If this settin
ools that the files contain. This setting permits users to open MMC user-mode console files, such as those on the
p-in setting in the folder is disabled or not configured, the snap-in is prohibited. -- If you disable this setting or d
rror message is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not co
the Group Policy tab is not displayed in those snap-ins. If this setting is not configured, the setting of the "Restr
bility Center is on by default.
bility Center is on by default.
fications and screen blanking, adjust speaker volume, and apply a custom background image. Note: Users will b
fications and screen blanking, adjust speaker volume, and apply a custom background image. Note: Users will b
ily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply.
lay will be applied to Automatic Maintenance. If you disable this policy setting, no random delay will be applied
make a wake request for the daily scheduled time, if required. If you disable or do not configure this policy set
do not configure this policy setting, MSDT is turned on by default. This policy setting takes effect only if the dia
nd the root cause of the problem. If you enable this policy setting for remote troubleshooting, MSDT prompts th
licy setting, MSDT cannot run in support mode, and no data can be collected or sent to the support provider. If
nt users from changing installation options typically reserved for system administrators, such as specifying the d
directories that their own permissions would not allow. This policy setting does not affect installations that run
sable or do not configure this policy setting, by default, only system administrators can apply patches during ins
lt, users can install from removable media when the installation runs in their own security context. If you disabl
nel. This profile setting lets users install programs that require access to directories that the user might not hav
nel. This profile setting lets users install programs that require access to directories that the user might not hav
dify the maximum size of the Windows Installer baseline file cache. If you set the baseline cache size to 0, the
tified by the original GUID appears to be removed and the component as identified by the new GUID appears as
llation to proceed. This policy setting is designed for enterprises that use Web-based tools to distribute program
policy setting, users can install from removable media when the installation is running in their own security con
nstallations that run in the user's security context. If you disable or do not configure this policy setting, by defa
values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the
ows Installer based applications. If you disable or do not configure this policy setting, users without administrat
mputer by a user or an administrator. The Windows Installer can still remove an update that is no longer applicab
aller cannot restore the computer to its original state if the installation does not complete. This policy setting is
aller cannot restore the computer to its original state if the installation does not complete. This policy setting is
s Installer to use Restart Manager to detect files in use and mitigate a system restart, when possible. -- The "Re
s a per-user install of an application, this hides a per-computer installation of that same product. If you enable t
g applies even when the installation is running in the user's security context. If you disable or do not configure
peat an installation in which the transform file was used, therefore, the user must be using the same computer o
in the order that you want Windows Installer to search: -- "n" represents the network; -- "m" represents med
as many or as few event types as you want. To disable logging, delete all of the letters from the box. If you dis
o not configure this policy setting, by default, the Windows Installer automatically creates a System Restore che
ettings on" option instructs Windows Installer to automatically generate log files for packages that include the M
and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Window
cation of MSI application to reinstall will occur with no UI. Windows will log an event when corruption is determin
G:myserver.corp.contoso.com or PING:2002:836b:1::1. Note We recommend that you use FQDNs instead of IPv
e typically two IPsec tunnel endpoints: one for the infrastructure tunnel and one for the intranet tunnel. You sho
ration, including sending all DNS queries to the local intranet or Internet DNS servers. Note that NCA does not re
tion before sending the message.
them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be
ou enable this policy setting, the DCs to which this policy setting applies will attempt to verify a password with t
a remote DC responds to the mailslot message. This policy setting is recommended to reduce the attack surfa
ot use site information. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-sit
ments and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clie
ions. So this policy is provided to support such scenarios. By default, DC Locator APIs can return IPv4/IPv6 DC a
e or do not configure this policy setting, the Netlogon share will grant shared read access to files on the share w
t to contact the first reachable host with the lowest priority number listed. To specify the Priority in the DC Loca
operations are critical. 15 minutes is optimal in all but extreme cases. For instance, if a DC is separated from a t
is disabled or not configured, the SYSVOL share will grant shared read access to files on the share when exclus
cy setting, it is not applied to any DCs, and DCs use their local configuration.
he SRV records Target field and are all set to the same priority. The probability with which the DNS client random
dresses which may then be used to compute a matching site for the client. The allowable values for this setting
A <DnsDomainName> Ldap SRV _ldap._tcp.<DnsDomainName> LdapAtSite SRV _ldap._tcp.
network connections. If you disable this policy setting, DCs will not register DC Locator DNS resource records. I
commonly used as an optimal setting. If you specify zero for this policy setting, the default behavior occurs as
able storage should be specified. If you disable or do not configure this policy setting, the default behavior occu
he minimum value for this setting is 0. Warning: If the value for this setting is too large, a client will not attempt
0 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that is not treated
riodically reregister their records with DNS servers, even if their records data has not changed. If authoritative
ts site from Active Directory. If you do not configure this policy setting, it is not applied to any computers, and c
SRV records for those sites without a DC that are closest to it. The application directory partition DC Locator DN
s are dynamically registered by the Net Logon service, and they are used to locate the DC. An Active Directory s
cator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be se
d dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same
s specified for this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabe
If you enable this policy setting, computers to which this policy is applied will attempt to locate a domain contro
in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry i
DsGetDcName that have specified the DS_BACKGROUND_ONLY flag. If the value of this setting is less than the
al DC Discovery Retry Setting is reached. The default value for this setting is 60 minutes (60*60). The maximum
49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always
or to be more aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher freque
rties dialog box is available to users. If you enable this setting, a Properties menu item appears when any user
plication Data\Microsoft\Network\Connections\Pbk to delete a shared remote access connection. If you disable t
settings for Administrators" setting), double-clicking the icon has no effect, and the Enable and Disable menu it
sing the File menu. If you disable this setting, the Rename option is disabled for nonadministrators only. If you d
nd Network Configuration Operators can rename LAN connections Note: This setting does not apply to Administ
access connections is disabled for all users (including Administrators and Network Configuration Operators). Im
ws XP Professional do not have the ability to prohibit the use of features from Administrators. If you enable this
open the Local Area Connection Properties dialog box. Important: If the "Enable Network Connections settings fo
rk Configuration Operators are prohibited from accessing connection components, regardless of the "Enable Ne
for all users (including administrators). Important: If the "Enable Network Connections settings for Administrat
ing), the Advanced Settings item is disabled for administrators. Important: If the "Enable Network Connections
: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will n
tem is disabled for all users (including administrators). Important: If the "Enable Network Connections settings
ponents in the Windows Components Wizard. Important: If the "Enable Network Connections settings for Admini
Connection Properties dialog box for a private connection is available to users. If you enable this setting (and e
d or not configured, this setting will not apply to administrators on post-Windows 2000 computers. If you disabl
tant: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting
ections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on
pply. The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more ne
bled for all users (including administrators). Important: If the "Enable Network Connections settings for Adminis
S and WINS server information. Important: If the "Enable Network Connections settings for Administrators" is di
on that computer. If a computer is connected to a DNS domain network other than the one it was connected to
CS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Adv
dialog box are not available to users (including administrators). The Status option is disabled in the context me
gh the local default gateway. If you enable this policy setting, all traffic between a remote client computer runn
request with a valid IP address. By default, a notification is displayed providing the user with information on ho
owever, in most situations Windows Network Isolation will be able to correctly discover proxies. By default, any
ot configure this policy setting, Windows Network Isolation attempts to discover proxies and configures them as
Isolation attempts to automatically discover private network hosts. By default, the addresses configured with th
r do not configure this policy setting, Windows Network Isolation attempts to automatically discover your proxy
ed as private. If you disable or do not configure this policy setting, Windows Network Isolation attempts to auto
rk offline" indicates that the computer can use local copies of network files while the server is inaccessible. --
rk offline" indicates that the computer can use local copies of network files while the server is inaccessible. --
ffline Files is enabled on Windows client computers, and disabled on computers running Windows Server, unless
offline use. Caution: Files are not synchronized before they are deleted. Any changes to local files since the last
c Interval' and 'Sync Variance' values to override the default sync interval and variance settings. Use 'Blockout S
onfigure the threshold value that will be used to determine a slow network connection. If this setting is disabled
working offline. If you enable this policy setting, Offline Files uses the slow-link mode if the network throughpu
tomatically stores a copy of the file on the user's computer. This setting does not limit the disk space available
been made available offline.
ynchronization will not run in the background on network folders when the user's network is roaming, near, or o
nd are not available to the user when offline. The cached files are not kept in sync with the version on the server
py on the local computer is affected, but the associated network copy is not. The user cannot unencrypt Offline
esponding to the events you want the system to log. The levels are cumulative; that is, each level includes the
esponding to the events you want the system to log. The levels are cumulative; that is, each level includes the
ayed in the Synchronization Manager progress dialog box: "Files of this type cannot be made available offline."
the first reminder. This setting appears in the Computer Configuration and User Configuration folders. If both se
the first reminder. This setting appears in the Computer Configuration and User Configuration folders. If both se
etting, the system only performs a quick synchronization. Quick synchronization ensures that files are complete
etting, the system only performs a quick synchronization. Quick synchronization ensures that files are complete
s setting automatically enables logon synchronization in Synchronization Manager. If this setting is disabled an
s setting automatically enables logon synchronization in Synchronization Manager. If this setting is disabled an
able or do not configuring this setting, files are not synchronized when the computer is suspended. Note: If the
able or do not configuring this setting, files are not synchronized when the computer is suspended. Note: If the
ng them. If you disable the setting, the system displays the reminder balloons and prevents users from hiding t
ng them. If you disable the setting, the system displays the reminder balloons and prevents users from hiding t
hronized at logon.
r. If set to 1, then this validation will not be performed and any password will be allowed. If set to 0, the validat
mputer cannot register PNRP names, and cannot help other computers perform PNRP lookups. If you disable or d
his setting provides the added flexibility of allowing your users to use their peer-to-peer applications at home as
e, and then enter a semicolon-delimited list of IPV6 addresses in the available field. If you enable this setting an
e, and then enter a semicolon-delimited list of DNS names or IPV6 addresses in the available field. If you enable
urned on.
her computers can find it when needed. If you enable this setting, PNRP will not use multicast for bootstrapping
other computers can find it when needed. If you enable this setting, PNRP will not use multicast for bootstrapp
other computers can find it when needed. If you enable this setting, PNRP will not use multicast for bootstrapp
exist between peers so that a node in the PNRP cloud can resolve names published by other nodes. PNRP create
er. If you disable or do not configure this policy setting, the PIN length must be greater than or equal to 4. NOT
er. If you disable or do not configure this policy setting, the PIN length must be greater than or equal to 4. NOT
ers to use special characters in their PIN.
M is non-functional or unavailable.
es. NOTE: Disabling this policy prevents the user of biometric gestures on the device for all account types.
ng keys or certificates for all users. If you disable this policy setting, the device does not provision Microsoft Pas
g the use of a phone as a companion device for desktop authentication. If you disable or do not configure this p
ty mode or get help online through a Microsoft website. If you disable this policy setting, the PCA does not dete
setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache
ble this policy setting, all clients use the version of BranchCache that you specify in "Select from the following v
figure client computers that are configured for hosted cache mode with the computer names of the hosted cache
refer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache
mputer cache age settings are not applied to client computers by this policy. In the circumstance where client co
content to other BranchCache distributed cache mode clients in the branch office. Policy configuration Select
office. In addition, when the hosted cache client obtains content from a content server, the client can upload th
the following: - Not Configured. With this selection, BranchCache client computer cache settings are not applie
Cache Servers Policy configuration Select one of the following: - Not Configured. With this selection, BranchCa
tected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS w
og when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution,
to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting a
log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution
ack by default.
s used to determine if Windows should automatically sleep.
s used to determine if Windows should automatically sleep.
sers control this setting.

d by software programs invoking the Windows programming interfaces ExitWindowsEx() or InitiateSystemShutd
ol this setting.
rforming a resume operation.
isable or do not configure this policy setting, users control this setting.
isable or do not configure this policy setting, users control this setting.
e50083), indicating the power plan to be active. If you disable or do not configure this policy setting, users can
en when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock
the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen s
the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen s
n to sleep. If you disable or do not configure this policy setting, users control this setting. If the user has configu
n to sleep. If you disable or do not configure this policy setting, users control this setting. If the user has configu
nfigure this policy setting, users control this setting.
nfigure this policy setting, users control this setting.
w Battery Notification Action" policy setting is configured to "No Action". If you disable or do not configure this p
ne is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy
ne is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy
onfigured, this policy setting does not set a default value for the SourcePath parameter of the Update-Help cmd
onfigured, this policy setting does not set a default value for the SourcePath parameter of the Update-Help cmd
xecution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equ
xecution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equ
lock Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, funct
lock Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, funct
nts directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time sta
nts directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time sta
scripts that originate from the Internet must be signed by a trusted publisher. The "Allow all scripts" policy sett
scripts that originate from the Internet must be signed by a trusted publisher. The "Allow all scripts" policy sett
y setting, it defaults to disabled.
y setting, it defaults to disabled.
isabled by default.
isabled by default.
his policy setting, users can see previous versions corresponding to backup copies as well as previous versions
his policy setting, users can see previous versions corresponding to backup copies as well as previous versions
user clicks the Restore button, Windows attempts to restore the file from the local disk. If you do not configure t
user clicks the Restore button, Windows attempts to restore the file from the local disk. If you do not configure t
revious version corresponding to a backup. If the Restore button is clicked, Windows attempts to restore the file
revious version corresponding to a backup. If the Restore button is clicked, Windows attempts to restore the file
on a file share. If the user clicks the Restore button, Windows attempts to restore the file from the file share. If
on a file share. If the user clicks the Restore button, Windows attempts to restore the file from the file share. If
nstalled, and printing support and this setting must be enabled. Note: This setting affects the server side of Int
will display the default number of printers of each type: Directory printers: 20 TCP/IP printers: 0 Web Services
of printers of each type: TCP/IP printers: 50 Web Services printers: 50 Bluetooth printers: 10 Shared printers: 5
e expense of increasing the load on the server. If you disable this policy setting on a client machine, the client it
or on a home or office network" option. When users click Browse, the system opens an Internet browser and nav
tton on Add Printer Wizard's page 3, and do not specify a printer name in the adjacent "Name" edit box, then Ad
ers. The value you type here overrides the actual location of the computer conducting the search. Type the loca
enter an alternate Internet address, the default link will appear in the Printers folder. Note: Web pages links onl
searches for printers. It does not restrict user searches through Active Directory.
essional. If you do not configure this setting on Windows Server 2003 family products, the installation of kernel-
or do not configure it, then all printer extensions that have been installed will be allowed to run.
etting, the print spooler will execute print drivers in the print spooler process. Notes: -Other system or driver p
iver store and server driver cache for compatible Point and Print drivers. If it is unable to find a compatible drive
also be capable of isolating print drivers, depending on whether they are configured for it. If you enable or do
oint and print only.
oint and print only.
e print spooler uses the Driver Isolation compatibility flag value reported by the print driver. Notes: -Other sys
ackage point and print connection anytime a package point and print connection fails, including attempts that a
ackage point and print connection anytime a package point and print connection fails, including attempts that a
er is available on the client, a printer connection will be made. If a compatible print driver is not available on the
er is available on the client, a printer connection will be made. If a compatible print driver is not available on the
ity to computers. If you enable this setting, users can browse for printers by location without knowing the print
ey try, a message appears explaining that the setting prevents the action. However, this setting does not preve
e methods described above.
Active Directory is not available. If you do not configure this setting, shared printers are announced to browse
Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".
his setting or do not configure it, the domain controller prunes this computer's printers when the computer doe
ly publish shared printers in Active Directory. Note: This setting is ignored if the "Allow printers to be published"
ion interval. To disable verification, disable this setting, or enable this setting and select "Never" for the verifica
fault, the pruning service contacts computers every eight hours and allows two repeated contact attempts befo
mpted by higher priority threads. By default, the pruning thread runs at normal priority. However, you can adjus
ter still fails to respond, then the pruning service "prunes" (deletes from Active Directory) printer objects the co
nterval. The "Directory pruning retry" setting determines the number of times the attempt is retried; the defaul
from Active Directory when the computer that published them does not respond to contact requests. Computer
programs that the system administrator has explicitly made available to the user with a tool such as Windows In
" page will be available to all users. This setting does not prevent users from using other tools and methods to i
rograms Control Panel Features including Windows Features, Get Programs, or Windows Marketplace.
other locations. If this setting is disabled or not configured, the Set Program Access and Defaults button is avail
g does not prevent users from using other tools and methods to configure services or enable or disable program
g other methods. If this feature is disabled or is not configured, the "Get new programs from Windows Marketpl
strator also appear in the Programs Control Panel. If this setting is disabled or not configured, the Programs Con
vice type. If you disable this setting, the system uses the default DSCP value of 0. Important: If the DSCP value
ffort service type. If you disable this setting, the system uses the default DSCP value of 0. Important: If the DSC
portant: If the Layer-2 priority value for this service type is specified in the registry for a particular network adap
trolled Load service type. If you disable this setting, the system uses the default DSCP value of 24 (0x18). Imp
he Controlled Load service type. If you disable this setting, the system uses the default DSCP value of 0. Impo
value of 0. Important: If the Layer-2 priority value for this service type is specified in the registry for a particula
d service type. If you disable this setting, the system uses the default DSCP value of 40 (0x28). Important: If th
ranteed service type. If you disable this setting, the system uses the default DSCP value of 0. Important: If the
Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network a
his setting, you can limit the number of outstanding packets. If you disable this setting or do not configure it, th
of bandwidth the system can reserve. If you disable this setting or do not configure it, the system uses the def
twork Control service type. If you disable this setting, the system uses the default DSCP value of 48 (0x30). Im
the Network Control service type. If you disable this setting, the system uses the default DSCP value of 0. Imp
y value of 0. Important: If the Layer-2 priority value for this service type is specified in the registry for a particu
yer-2 priority value for nonconforming packets is specified in the registry for a particular network adapter, this s
ervice type. If you disable this setting, the system uses the default DSCP value of 0. Important: If the DSCP val
ative service type. If you disable this setting, the system uses the default DSCP value of 0. Important: If the D
mportant: If the Layer-2 priority value for this service type is specified in the registry for a particular network ada
, the setting has no effect on the system. Important: If a timer resolution is specified in the registry for a particu
ility information. If you disable this policy setting, Reliability Monitor will not display system reliability informati
e event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and re
dition") appears on the "Advanced recovery methods" page of Recovery (in Control Panel) and will allow the use
ate Data feature is never activated. If you do not configure this policy setting, the default behavior for the Syste
s policy setting and choose "Server Only" from the drop-down menu list, the Shutdown Event Tracker is displaye
tent System Timestamp is turned off and the timing of unexpected shutdowns is not recorded. If you do not con
"Upload unplanned shutdown events" by default. Also see the "Configure Error Reporting" policy setting.
g this version (or later versions) of the operating system can connect to this computer. If you disable this policy
Assistance. If you do not configure this policy setting, users on this computer cannot get help from their corpor
omputer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging pr
ble this policy setting, the warning message you specify overrides the default message that is seen by the novic
Use 16-bit color (8-bit color in Windows Vista) -Turn off font smoothing (not supported in Windows Vista) -No fu
torage classes.
torage classes.
is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryptio
is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryptio
he access right does not take effect until the operating system is restarted.
he access right does not take effect until the operating system is restarted.
, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. If you enable
tions written for the traditional delegation model prior to Windows Server 2003 may not use this flag and will en
to "Auto2" level. If you enable this policy setting, you can use the drop-down box to determine which systems m
es (APIs). If you disable this policy setting, the RPC Runtime only generates a status code to indicate an error co
cted machine. This policy setting should never be applied to a domain controller. If you disable this policy settin
RPC Runtime and the RPC/HTTP Proxy to use a lower connection timeout. This policy setting is only applicable
gure this policy setting, user account cross-forest, interactive logging cannot run logon scripts if NetBIOS or WIN
users. If you disable or do not configure this policy setting, the instructions are suppressed.
rs. If you disable or do not configure this policy setting, the instructions are suppressed.
If you disable or do not configure this policy setting, the instructions are suppressed.
for advanced users. If you disable or do not configure this policy setting, the instructions are suppressed. Note
ws 2000 does not display logon scripts written for Windows NT 4.0 and earlier. If you disable or do not configur
disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can ru
disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can ru
ot configure this policy setting, a startup cannot run until the previous script is complete. Note: Starting with Wi
startup and shutdown. For example, assume the following scenario: There are three GPOs (GPO A, GPO B, and
ume the following scenario: There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in
ume the following scenario: There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in
box, you can type a number from 1 to 32,000 for the number of seconds you want the system to wait for the se
lly signed packages.
run the troubleshooting tools from the Control Panel. Note that this setting also controls a user's ability to launc
e this policy setting, users who are connected to the Internet can access and search troubleshooting content th
ws will resolve some of these problems silently without requiring user input. If you disable this policy setting, Wi
rePoint Portal Server, your query should resemble the following: http://sitename/Search.aspx?k=$w If your int
The URL to the search service. Use $w in place of the query term for the search service URL. If your intranet sea
ure this policy setting, the local setting, configured through Control Panel, will be used. By default, the Control Pa
configured through Control Panel, will be used. Note: By default, the Control Panel setting is set to treat words th
ages. If you disable or do not configure this policy setting, Windows will use automatic language detection only
e Group Policy under "User Configuration." To restrict a file system path from indexing, please specify the file sys
nder "User Configuration." To include a file system path for indexing, please specify the file system path to be in
be indexed.
orms a query in Search. If you don't configure this policy setting, a user can choose whether or not Search can p
eb over metered connections and web results will be displayed when a user performs a query in Search. If you d
e mailbox, ensure that for Microsoft Outlook 2007 no portions of the delegate mailbox are cached locally. The de
no effect on delegate mailboxes. To stop indexing of online and delegate mailboxes you must disable both policie
you disable this policy, then online mail items will be indexed at the speed that the Microsoft Exchange server
ed by default.
ed by default.
ot be visible. When the policy is disabled, both the Add and Remove locations options as well as any previously
ed or not shared on this computer, and automatically adds them to or removes them from the index.
in the Group Policy under "User Configuration." To restrict a file system path from indexing, please specify the fi
fault list of excluded file types. If you enable and then disable this policy, the user's original list is restored. If yo
e default for this policy setting.

oy a particular iFilter, make sure that this iFilter is on the allow list, either as a GUID such as {xxxxxxxx-xxxx-xx
en this policy is disabled or not configured, the preview pane shows automatically to the right of the Desktop Se
t configured, the default is small icon view.
sults. If you disable or don't configure this policy setting, users can specify the SafeSearch setting.
me Microsoft account info to personalize their search and other Microsoft experiences. -Anonymous info: Share
r's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Cente
ecified in the policy setting instead of the Configure Refresh Interval setting (in Windows Server 2008 and Win
to the server. If you do not configure this policy setting, the Initial Configuration Tasks window is displayed whe
e "Dont display this page at logon" option at the bottom of the Manage Your Server page, the page is not displa
server. However, if the "Do not show me this console at logon" (Windows Server 2008 and Windows Server 200
enter the fully qualified path to the new location in the ""Alternate source file path"" text box. Multiple locations
ble this setting, "sync your settings" is on by default and configurable by the user.
he "app settings" group is on by default and configurable by the user.
is on by default and configurable by the user.
cing is turned off by default but not disabled. If you do not set or disable this setting, syncing of the "browser" g
do not set or disable this setting, syncing of the "desktop personalization" group is on by default and configurab
etered connections is configurable by the user.
do not set or disable this setting, syncing of the "Other Windows settings" group is on by default and configurab
swords" group is on by default and configurable by the user.
personalize" group is on by default and configurable by the user.
ayout" group is on by default and configurable by the user.
s them to Microsoft over a secure connection. If you enable this policy, Tablet PC users cannot choose to share
s them to Microsoft over a secure connection. If you enable this policy, Tablet PC users cannot choose to share
ault is to allow shared folders to be published when this setting is not configured.
is disabled. Note: The default is to allow shared folders to be published when this setting is not configured.
a on a domain-joined computer is not shared with the homegroup. This policy setting is not configured by defau
zard. Also, the sharing wizard cannot create a share at %root%\users and can only be used to create SMB share
unning programs, such as Task Manager, which are started by the system process or by other processes. Also, i
Cmd.exe and batch files normally. Note: Do not prevent the computer from running batch files if the computer
m running programs such as Task Manager, which are started by the system process or by other processes. Also
d unsigned gadgets.
d unsigned gadgets.
matically upload photos and videos from the camera roll folder. If you disable or do not configure this policy set
apps will still be able to access OneDrive using the WinRT API. If you enable or do not configure this policy setti
ributes can also be used to log on with a smart card: - Certificates with no EKU - Certificates with an All Purpos
s ability to log on to a domain. ECC certificates on a smart card that are used for other applications, such as doc
ot configure this policy setting then the integrated unblock feature will not be available.
setting certificates will be listed on the logon screen regardless of whether they have an invalid time or their ti
cy setting, an optional field that allows users to enter their user name or user name and domain will not be disp
e displayed to the user when the smart card is blocked, if the integrated unblock feature is enabled.
mined to be the same if they are issued from the same template with the same major version and they are for
our smart card vendor to determine if your smart card and associated CSP supports the required behavior. If yo
ting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing proces
turer to find out whether you will be affected by this policy setting.
be displayed along with "user1@example.com." If the UPN is not present then the entire subject name will be d
en root certificates will not be propagated from the smart card.

be installed when a card is inserted in a Smart Card Reader. Note: This policy setting is applied only for smart ca
rkstations, hubs, and routers) that are administered together by SNMP. The SNMP service is a managed network
n the network. The manager's role is to poll the agents for certain requested information. If you enable this pol
unity sent by the SNMP service. A trap message is an alert or significant event that allows the SNMP agent to no
e servers on which this policy setting is applied. If you disable this policy setting, users see a standard Access D
s part of the File Server Resource Manager role service. If you enable this policy setting, the Classification tab is
ce Manager role service. If you enable this policy setting, you can select which list of properties is available for
, they share the memory space allocated to the VDM process and cannot run simultaneously. Enabling this sett
name> item from the Start Menu. If you disable this setting or do not configure it, users can use the Display Lo
on the start menu.
set to Shut Down by default, and the user can change this setting to another action.
disable or do not configure this setting, the system retains document shortcuts, and when a user logs on, the Re
when the user logged off, including the history of previous notifications for each tile. This setting does not preve
to the taskbar. Moreover, the "Toolbars" menu command and submenu are removed from the context menu. The
s do not display shortcuts at the bottom of the File menu. In addition, the Jump Lists off of programs in the Start
ths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the targ
earches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then
setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard de
o not configure it, all Start menu shortcuts appear as black text. Note: Enabling this setting can make the Start
lbars (if any), and the system clock. If this setting is disabled or is not configured, the notification area is shown
st when the apps are sorted by category, and the user can configure this setting.
e taskbar. While the taskbar is locked, auto-hide and other taskbar options are still available in Taskbar propertie
askbar that share the same program are grouped together. The users have the option to disable grouping if they
ndary tile, enter the customize mode and rearrange tiles within Start and Apps.
ers from using other methods to issue the commands that appear on these menus.
Start menu. The Power button is also removed from the Windows Security screen, which appears when you pre
ograms gone" on the Start menu, and "Where have my icons gone" in the notification area. If you disable this s
as which programs are accessible from the Start menu, desktop, and other locations. If you disable or do not c
ffective, you must log off and then log on. If you disable or do not configure this policy setting, he Documents ic
erties, and then click Customize. If you are using Start menu, click the Advanced tab, and then, under Start me
Internet Explorer. Windows Update, the online extension of Windows, offers software updates to keep a users
o not configure this policy setting, users can use the Display Logoff item to add and remove the Log Off item. Th
r, but if users try to start it, a message appears explaining that a setting prevents the action. If you disable or d
thods, such as right-clicking the desktop to start Display or right-clicking Computer to start System. If you disab
ers cannot turn the menu on. If you later disable the setting, so that the Recent Items menu appears in the Star
ccessing local drives: e.g., C: --- Accessing local folders: e.g., \temp> Also, users with extended keyboards wil
press the Application key (the key with the Windows logo)+ F. Note: Enabling this policy setting also prevents th
sults" link.
setting, the user name label appears on the Start Menu in Windows XP and Windows Server 2003.
ht confuse users, you can use this setting to hide user-specific folders. Note that this setting hides all user-spec
users from using other methods, such as the shift right-click menu on application's jumplists in the taskbar to i
e main display when the user presses the Windows logo key. Users will still be able to open Start on other displa
o switch between the Apps view and the Start screen. Also, the user will be able to configure this setting.
yout PowerShell cmdlet on that same device. The cmdlet will generate an XML file representing the layout you c
yout PowerShell cmdlet on that same device. The cmdlet will generate an XML file representing the layout you c
zed Menus" option so users do not try to change the setting while a setting is in effect. Note: Personalized menu
ed programs in the Start Menu. Also, see these related policy settings: "Remove frequent programs liist from th
option to configure System Restore or create a restore point through System Protection is also disabled. If you
er text, symbols, numbers, or keyboard shortcuts. If you enable this policy, Input Panel will not provide text pre
er text, symbols, numbers, or keyboard shortcuts. If you enable this policy, Input Panel will not provide text pre
pear next to text entry areas when using a tablet pen as an input device. Users will not be able to configure this
pear next to text entry areas when using a tablet pen as an input device. Users will not be able to configure this
o any text entry area when a user is using touch input. Users will not be able to configure this setting in the Inpu
o any text entry area when a user is using touch input. Users will not be able to configure this setting in the Inpu
anel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-scre
box. If you disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be
box. If you disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be
to configure this setting in the Input Panel Options dialog box. If you disable this policy, application auto comple
to configure this setting in the Input Panel Options dialog box. If you disable this policy, application auto comple
you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. If you
oard to enter text, symbols, numbers, or keyboard shortcuts. If you enable this policy and choose All from the
oard to enter text, symbols, numbers, or keyboard shortcuts. If you enable this policy and choose All from the
s tray icon and pen flicks training (that can be accessed through CPL) are still available. Conceptually this polic
s tray icon and pen flicks training (that can be accessed through CPL) are still available. Conceptually this polic
s policy, applications can be launched from a hardware button.
s policy, applications can be launched from a hardware button.
able. If you do not configure this policy, press and hold actions will be available.
able. If you do not configure this policy, press and hold actions will be available.
will appear as toast notifications. A reboot is required for this policy setting to take effect.
folders, websites, and other items to a program's Jump List so that the items is always present in this menu.
or do not configure this policy setting, users can change the programs currently pinned to the Taskbar.
he files that the user opens locally on this computer. Files that the user opens over the network from remote com
o review any notifications they miss. If you disable or do not configure this policy setting, Notification and Secu
et allows users to change task characteristics such as: the program the task runs, details of its schedule, idle tim
et allows users to change task characteristics such as: the program the task runs, details of its schedule, idle tim
changing characteristics such as the program the task runs, its schedule details, idle time and power managem
changing characteristics such as the program the task runs, its schedule details, idle time and power managem
nfiguration takes precedence over the setting in User Configuration.
nfiguration takes precedence over the setting in User Configuration.
k, they must select a program from the list in the Scheduled Task Wizard, which displays only the tasks that app
k, they must select a program from the list in the Scheduled Task Wizard, which displays only the tasks that app
gram into the Scheduled tasks folder. This setting does not prevent users from using other methods to create n
gram into the Scheduled tasks folder. This setting does not prevent users from using other methods to create n
takes precedence over the setting in User Configuration. Important: This setting does not prevent administrato
s. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in Us
s. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in Us
and you cannot specify a relay name for a 6to4 host.
not configure this policy setting, the local host setting is used. If you enable this policy setting, you can configu
d routes.
TTPS interface is used when there are no other connectivity options. Policy Enabled State: The IP-HTTPS interfac
u can configure ISATAP with one of the following settings: Policy Default State: If the ISATAP router name is reso
he local host setting is used.
will attempt qualification immediately and remain qualified if the qualification process succeeds.
licy setting, you can specify the refresh rate. If you choose a refresh rate longer than the port mapping in the Te
erfaces are present on the host. Client: The Teredo interface is present only when the host is not on a network
and system will try to identify connectivity and throughput problems and take appropriate measures. If you dis
firm whether they want to connect. If you disable this policy setting, users cannot run unsigned .rdp files and .r
firm whether they want to connect. If you disable this policy setting, users cannot run unsigned .rdp files and .r
.rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without spe
default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client with
omputer. Users can also choose to not play the audio. Video playback can be configured by using the videoplayb
ne. By default, audio recording redirection is not allowed when connecting to a computer running Windows Ser
er. If you disable or do not configure this policy setting, other supported RemoteFX USB devices are not availab
not configure this policy setting, the client computer does not redirect its time zone information and the session
sktop Services. The target computer will maintain any current connections, but will not accept any new incomin
he Remote Desktop Connection client. If you enable this policy setting, users cannot automatically log on to Re
ion is lost. If the status is set to Disabled, automatic reconnection of clients is prohibited. If the status is set to
uses more network bandwidth. If you select the algorithm that is optimized to use less network bandwidth, this
hen available, be aware that, for Windows Server running Hyper-V with RemoteFX vGPU enabled, the policy has
mode consumes the lowest amount of network bandwidth of the quality modes. If you enable this policy setting
ssion Host server. If the client logs on to the same RD Session Host server again, a new session might be establi
main Services. If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an
ng, you must specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windo
ualization Host uses server-side GPUs to deliver a rich user experience over LAN connections and RDP 7.1. Whe
work condition 2. Optimize for server scalability 3. Optimize for minimum bandwidth usage If you disable or do
server. Warn me if authentication fails: The client attempts to authenticate the RD Session Host server. If the R
, logging off the connected administrator is not allowed. If you disable or do not configure this policy setting, lo
jobs from the remote computer to a local client printer in Remote Desktop Services sessions. If you disable this
s policy setting, users cannot redirect Clipboard data. If you disable this policy setting, Remote Desktop Service
enable this policy setting, users cannot redirect server data to the local COM port. If you disable this policy sett
enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipbo
are additional issues to investigate. If you disable this setting or leave it not configured, the Remote Desktop clie
descriptors for existing groups on the RD Session Host server cannot be changed. All the security descriptors ar
s session cannot redirect server data to the local LPT port. If you disable this policy setting, LPT port redirection
setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection
u disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop C
t card devices on connection. Note: The client computer must be running at least Microsoft Windows 2000 Serv
to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connec
porary folders are retained when the user logs off from a session. If you disable this policy setting, temporary f
nter is the printer specified on the remote computer. If you disable this policy setting, the RD Session Host serv
eated on the remote computer in a Temp folder under the user's profile folder and are named with the sessionid
y setting. You can enforce this policy setting or you can allow users to overwrite this setting. By default, when y
ws Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that onl
mits. Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set t
mits. Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set t
nection options for more information). Servers running Windows Server 2003 do not display wallpaper by defaul
d that notes the number of days until the licensing grace period for the RD Session Host server will expire. If yo
ed, the RD Session Host server joins the farm that is specified in the RD Connection Broker farm name policy set
ou enable this policy setting and this policy setting is applied to a Remote Desktop license server, the license se
a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with min
mum color depth allowed for a user's RDP connection. The actual color depth for the connection is determined b
be the maximum resolution that can be used by each monitor used to display a Remote Desktop Services sess
erformance because fewer sessions are demanding system resources. By default, RD Session Host servers allow
op Services session. You can specify a number from 1 to 16. If you disable or do not configure this policy settin
enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabyte
you must select the visual experience for which you want to optimize Remote Desktop Services sessions. You ca
also reduce network bandwidth usage by reducing the image quality (increasing the amount of image compress
ry to issue a Windows Server 2008 TS CAL for clients connecting to a terminal server running Windows Server 20
client computer, the user will not be prompted to provide credentials. Note: If you enable this policy setting in
ox. If you disable or do not configure this policy setting, "Disconnect" is not removed from the list in the Shut D
n the Windows Security dialog box on the client computer. If the status is set to Disabled or Not Configured, Win
does not allow unsecured communication with untrusted clients. If the status is set to Disabled, Remote Deskto
hods are available: * Negotiate: The Negotiate method enforces the most secure method that is supported by th
D Session Host server. To determine whether a client computer supports Network Level Authentication, start Re
cy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Ser
me that all traffic to this server originates from a low-speed connection. If you disable Continuous Network Dete
the RDP traffic will use UDP. If the UDP connection is not successful or if you select "Use only TCP," all of the RD
need to specify a certificate template name. Only certificates created by using the specified certificate template
his policy setting, all communications between clients and RD Session Host servers during remote connections m
onfigured to use the network share for user profiles. If you enable this policy setting, Remote Desktop Services
way server settings" option on the client. To allow users to overwrite this policy setting, select the "Allow users t
option on the client. Note: It is highly recommended that you also specify the authentication method by using t
name, and then select the drive letter to which you want the network share to be mapped. If you choose to kee
h the user's consent. 3. Full Control without user's permission: Allows the administrator to interact with the sess
h the user's consent. 3. Full Control without user's permission: Allows the administrator to interact with the sess
requires that each device connecting to this RD Session Host server have an RDS Per Device CAL. If you enable
eceives a warning two minutes before the session disconnects, which allows the user to press a key or move th
eceives a warning two minutes before the session disconnects, which allows the user to press a key or move th
before the Remote Desktop Services session disconnects, which allows the user to save open files and close pro
before the Remote Desktop Services session disconnects, which allows the user to save open files and close pro
nnected state, running programs are kept active even though the user is no longer actively connected. By defa
nnected state, running programs are kept active even though the user is no longer actively connected. By defa
in the form of http://contoso.com/rdweb/Feed/webfeed.aspx. If you enable this policy setting, the specified UR
default behavior is for the RD Session Host server to find a suitable printer driver. If one is not found, the client'
s when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint fi
ection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. The S
ection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. The S
p registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Hos
vanced graphics. If you disable this policy setting, RemoteApp programs published from this RD Session Host se
s the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD S
RD Session Host server use the same user profile. If you disable or do not configure this policy setting, mandat
n Host server that matches the client printer is used. If the RD Session Host server does not have a printer drive
n Host server that matches the client printer is used. If the RD Session Host server does not have a printer drive
he default adapter. If you do not configure this policy setting, Remote Desktop Services sessions on the RD Sess
ery process, an RD Session Host server in a Windows Server-based domain attempts to contact a license server
remote desktop sessions can reduce connection performance, particularly over slow links, and increase the loa
ndows Server 2008. If you are using Windows Server 2012, you can configure this in the Collection properties sh
ble or do not configure this policy setting, the client computer does not redirect its time zone information and th
he desktop is always displayed when a client connects to a remote computer. This policy setting overrides any i
s policy setting, users cannot redirect Clipboard data. If you disable this policy setting, Remote Desktop Service
emote connections can improve connection performance, particularly over slow links. By default, font smoothi
used if a virtual IP is not available.
ote Desktop Services session, depending on the client configuration. If you do not configure this policy setting,
sable or do not configure this policy setting, Remote Desktop IP Virtualization is turned off. A network adapter m
unning RemoteApp program associated with a session, the RemoteApp session will remain in a disconnected sta
unning RemoteApp program associated with a session, the RemoteApp session will remain in a disconnected sta
e. If you disable or do not configure this policy setting, Windows Installer RDS Compatibility is turned on, and
not enter any blank lines between programs). For example: explorer.exe mstsc.exe If you disable or do not co
ected. If the server is configured to use RD Connection Broker, users who have an existing session are redirected
work folders.
ng gestures, the touch pointer, and other-touch specific features. If you do not configure this setting, touch inp
gure this setting, Touch Panning is on by default. Note: Changes to this setting will not take effect until the user
gure this setting, Touch Panning is on by default. Note: Changes to this setting will not take effect until the user
to have the operating system store either the full TPM owner authorization value, the TPM administrative delega
Upgrade. To find the command number associated with each TPM command, run "tpm.msc" and navigate to the
efault list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On
msc" or through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-con
administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard us
s setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the spe
d profile are full control, or read and write access for the user, and no file access for the administrators group.
ws NT 4.0 definitions. %HOMESHARE% stores only the network share (such as \\server\share). %HOMEPATH% sto
ated policy settings in this folder together define the system's response when roaming user profiles are slow to l
en the user logs on again. The local copy is also used when the remote copy of the roaming user profile is slow
he specified number of days. If you disable or do not configure this policy setting, User Profile Service will not a
gnize any connections as being slow. As a result, the system does not respond to slow connections to user profil
generated profile are full control access for the user and no file access for the administrators group. No checks
version of their roaming user profile. If you enable this policy setting, Windows will not forcefully unload the use
tting, Windows will not log on a user with a temporary profile. Windows logs the user off if their profile cannot be
an administrator must use management software or a script to add primary computer attributes to the user's a
annot access users' server-based profiles when users log on or off. -- Users' local profiles are newer than their
hat should not be roamed then add only that application's specific folder under the AppData\Roaming folder rath
reviously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasin
whether the registry files are included in the calculation of the profile size. -- Determine whether users are not
gistry (HKEY_CURRENT_USER) into a file (NTUSER.DAT) and updates it. However, if another program or service is
ges they have made, is merged with the server copy of their profile. Using the setting, you can prevent users c
e local copy of their profile, including any changes, is merged with the server copy of the profile. Using this poli
ialog box will be shown to the user during logon if a slow network connection is detected. The user then is able
able on the computer (if the media is disconnected or the network adapter is not available). If you enable this p
ers logging onto this computer will use the same roaming profile folder as specified by this policy. You need to e
n at set interval" is chosen, then an interval must be set, with a value of 1-720 hours. Once set, Windows upload
h to a file share in the Path box (for example, \\ComputerName\ShareName), and then choose the drive letter to
y by Offline Files during user logon and logoff, and will be taken offline while the user is logged on. If you disable
ktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will also be ab
enable this policy setting, the system waits for the remote copy of the roaming user profile to load, even when lo
uters running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their co
ed on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2,
port enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check
e and use Network Key Protectors. To use a Network Key Protector to unlock the computer, both the computer a
ble or do not configure this policy setting, BitLocker will use Secure Boot for platform integrity if the platform is
ave the recovery password in a folder. You can specify either a fully qualified path or include the target compute
erating system drives, and removable data drives individually. For fixed and operating system drives, we recomm
ailable. This policy is only applicable to computers running Windows 8 and later. If you enable this policy setting
ailable. This policy is only applicable to computers running Windows Server 2008, Windows Vista, Windows Serve
Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult
gent can be used it must be added from the Public Key Policies item in either the Group Policy Management Con
d from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Edi
ion. The user either can type a 48-digit numerical recovery password or insert a USB flash drive containing a 25
nfigure this policy setting, users can configure a startup PIN of any length between 4 and 20 digits.
RL and want to revert to the default message, you must keep the policy enabled and select the "Use default reco
validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components
ith a Compatibility Service Module (CSM) enabled. Computers using a native UEFI firmware configuration store
S or UEFI firmware with a Compatibility Service Module (CSM) enabled store different values into the Platform Co
ether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do
ntrol whether BitLocker software-based encryption is used instead of hardware-based encryption on computers
rol whether BitLocker software-based encryption is used instead of hardware-based encryption on computers th
uirements" located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Po
complexity requirements" located in Computer Configuration\Windows Settings\Security Settings\Account Polici
figuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must be also enabled. Note: Th
ed when turning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any of the p
enforced when turning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any
improve restart performance but will increase the risk of exposing BitLocker secrets. If you disable or do not co
this policy setting, the local computer clock does not synchronize time with NTP servers.
ming provider Mobile Broadband networks.
service will be stopped when both antivirus and antispyware definitions are disabled. If the computer is restarte
e antimalware service will receive notifications to disable definitions. If you disable this setting, the antimalware
be scanned during quick scan and custom scan.
The value is not used and it is recommended that this be set to 0.

setting, the check for definition updates will occur at the frequency specified. If you disable or do not configure
Never (default) If you enable this setting, a scheduled full scan to complete remediation will run at the frequen
ting, a scheduled scan will run at the frequency specified. If you disable or do not configure this setting, a sche
default interval.
setting, a quick scan will run at a default time.
tting, CPU utilization will not exceed the default value.

rding to the default value.
l run at the time of day specified. If you disable or do not configure this setting, a daily quick scan will run at a
ation will run at the time of day specified. If you disable or do not configure this setting, a scheduled full scan t
run at the time of day specified. If you disable or do not configure this setting, a scheduled scan will run at a de
ccurring. If you enable this setting, the check for definition updates will occur at the time of day specified. If yo
igh 5 = Severe Valid remediation action values are: 2 = Quarantine 3 = Remove 6 = Ignore
= Remove 6 = Ignore
t users to take actions on malware detections.

o choose from the actions available for each threat. If you disable or do not configure this policy setting, Windo
d scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled sca
uled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled
d then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer tha
If you disable or do not configure this setting, e-mail scanning will be disabled.
days specified. If you disable or do not configure this setting, items will be kept in the scan history folder for th
l be enabled. If you disable or do not configure this setting, reparse point scanning will be disabled.
ed by the administrator and are available to all users of the computer, there must be an entry at HKEY_LOCAL_M
ectors. If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone
xample, some application-specific items such as MAPI (Messaging Application Programming Interface) items that
ers to security risks.
the following options: Require approval from an administrator before running downloaded unknown software
cal name. For example, the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae
arch options command, and they will not be able to open Folder Options. If you disable or do not configure this
n the Recyele Bin.
ators who have logged on as regular users to install programs without logging off and logging on again using the
n copied to a different computer, the original path might lead to a network computer, including external resourc
dard Open dialog box. If you disable or do not configure this policy setting, the Back button is displayed for any
Wordpad and, on the File menu, click Open. Note: In Windows Vista, this policy setting applies only to applicatio
ndows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These polic
tting removes the drive icons. Users can still gain access to drive contents by using other methods, such as by
res of these tools. This setting does not remove the Computer Management item from the Start menu (Start, Pr
Folders that may be specified: Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachm
according to the path defined. If you disable or do not configure this policy setting, no changes are made to the
according to the path defined. If you disable or do not configure this policy setting, no changes are made to the
ault, the system displays shortcuts to the 10 most recently opened documents."
r do not configure this policy setting, computers in the user's workgroup and domain appear in lists of network
nnecting to computers in their workgroup or domain. It also does not prevent users from connecting to remote c
URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, http://www.e
mpleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Se
ve or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting
s from connecting to another computer by typing the name of a shared folder in the Run dialog box. Note: This
setting does not prevent users from using third-party applications to create or modify CDs using a CD writer.
rs from using other methods to configure DFS. If you disable or do not configure this policy setting, the DFS tab
on to resolve problems with the device.

ternet browser windows, such as the Internet Explorer window. If you disable or do not configure this policy sett
sers will be able to access the security tab.
s folder is not displayed in the Web view or in My Computer. If you disable or do not configure this policy setting
when the user performs a search in the Explorer window.
confusing or distracting to some users. If you disable or do not configure this policy setting, users are allowed
as Other User" dialog box prompts the current user for the user name and password of an administrator. This se
joined, the file will be processed and default associations will be applied at logon time. If the group policy is no
how through the Power Options Control Panel.
Power Options Control Panel.
n be read by everyone.
t will not store Search Box entries into the registry for future references. If the user types a property, values tha
commended to leave this protocol in the protected mode to increase the security of Windows. If you enable this
commended to leave this protocol in the protected mode to increase the security of Windows. If you enable this
than "Date Modified" and "Size" * Disable view of file content snippets in Content mode when search results a
nfigure this setting, the Windows+X shortcut keys are available.
pane and set the folder options for File Explorer to Use classic folders view and disable the users ability to chan
o the same share, the target path is updated and files are not copied or deleted. The temporary file is deleted.
the maximum amount of disk space to be used (in MB). To indicate that the cache size is unlimited, select "4294
y during setup. -- "Scan during startup" also scans files each time you start Windows XP. This setting delays eac
messages. If you disable or do not configure this policy setting, Windows Firewall makes no exception for messag
outbound echo request messages sent by Ping running on this computer. If you enable this policy setting, you m
outbound echo request messages sent by Ping running on this computer. If you enable this policy setting, you m
Control Panel, the "File and Printer Sharing" check box is selected and administrators cannot clear it. If you disa
Control Panel, the "File and Printer Sharing" check box is selected and administrators cannot clear it. If you disa
th at least SP2 and Windows Server 2003 with at least SP1, this policy setting also allows SVCHOST.EXE and LSA
th at least SP2 and Windows Server 2003 with at least SP1, this policy setting also allows SVCHOST.EXE and LSA
p" check box is selected and administrators cannot clear it. If you disable this policy setting, Windows Firewall b
p" check box is selected and administrators cannot clear it. If you disable this policy setting, Windows Firewall b
ssages are allowed. In the Windows Firewall component of Control Panel, the "UPnP framework" check box is sel
ssages are allowed. In the Windows Firewall component of Control Panel, the "UPnP framework" check box is sel
his policy setting, the Windows Firewall component in Control Panel does not allow administrators to define a loc
his policy setting, the Windows Firewall component in Control Panel does not allow administrators to define a loc
. If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrat
. If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrat
rops) and information about successful incoming and outgoing connections. Windows Firewall does not provide
rops) and information about successful incoming and outgoing connections. Windows Firewall does not provide
icy setting and then click the Show button. To add a port, enable the policy setting, note the syntax, click the Sh
icy setting and then click the Show button. To add a port, enable the policy setting, note the syntax, click the Sh
o Enabled, that program can receive unsolicited incoming messages on any port that it asks Windows Firewall to
o Enabled, that program can receive unsolicited incoming messages on any port that it asks Windows Firewall to
k connections" policy setting; otherwise, administrators who log on locally can work around the "Windows Firew
k connections" policy setting; otherwise, administrators who log on locally can work around the "Windows Firew
me when Windows Firewall blocks a new program" check box is selected and administrators cannot clear it. If yo
me when Windows Firewall blocks a new program" check box is selected and administrators cannot clear it. If yo
her computers, Windows Firewall waits as long as three seconds for unicast responses from the other computers
her computers, Windows Firewall waits as long as three seconds for unicast responses from the other computers
ators who log on locally cannot start it. If you do not configure this policy setting, administrators can use the W
ators who log on locally cannot start it. If you do not configure this policy setting, administrators can use the W
nses. Secure content that is already licensed to the local computer will continue to play. Users are also able to p
a screen saver does not interrupt playback even if users have selected a screen saver. The Allow screen saver d
st be specified because no default settings are used for the proxy. The options are ignored if Autodetect or Brow
ons are ignored if Autodetect is selected. The Configure button on the Network tab in the Player is not available
nds that is specified is ignored. The "Use default buffering" and "Buffer" options on the Performance tab in the P
ons are ignored if Autodetect is selected. The Configure button on the Network tab in the Player is not available
kin mode by using the Player tab in the Player. When this policy is not configured and the Set and Lock Skin po
rs can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player. If
tings are used for the options on the Privacy tab unless the user changed the settings previously. If you disable
configure this policy setting, users can configure the security settings on the Security tab.
t started. Some of the options can be configured by using other Windows Media Player group policies. If you dis
box and on the Privacy tab in the Player are not selected and are not available. If you disable or do not configur
matically check box is not available. If you do not configure this policy setting, users can change the setting for
u disable or do not configure this policy setting, anyone using Windows Media Player can turn media sharing on
ernet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selec
configure this policy setting, the Player automatically retrieves radio station presets from the Internet.
ary, and the Use Video Smoothing check box is selected and is not available. If you do not configure this policy
's computer. If the skin is not installed on a user's computer, or if the Skin box is blank, the Player opens by usin
ected, a user can specify UDP ports in the Use ports check box. If the user does not specify UDP ports, the Playe
guration. If both are present, the Computer Configuration version of this policy setting takes precedence.
guration. If both are present, the Computer Configuration version of this policy setting takes precedence.
Windows Messenger from that point on, Windows Messenger will be loaded. The user can also configure this beh
Windows Messenger from that point on, Windows Messenger will be loaded. The user can also configure this beh
entication.
, configure the Windows Firewall policy setting with exceptions for Port 5985 (default port for HTTP). If you disab
policy setting, the WinRM client uses the Kerberos authentication directly.
configuration value will be erased from the credential store on this computer. If you disable or do not configure
ure the hardening level locally on each computer. If HardeningLevel is set to Strict, any request not containing
ed to authenticate the identity of the host. If you disable or do not configure this policy setting and the WinRM c
listener might be automatically created on port 80 to ensure backward compatibility.
6. A listener might be automatically created on port 443 to ensure backward compatibility.
ting the open shell. If you do not configure or disable this policy setting, the default value of 900000 or 15 min
nated when a new allocation exceeds the specified quota. If you disable or do not configure this policy setting,
emote shells per user.
hange using Settings in the Windows Store.
abled, this policy has no effect.

al, recommended, and important content for which they received a notification. Users will not see a User Accou
e of the local computer. If you disable or do not configure this policy setting, updates from an intranet Microsof
s Update will not alter its restart behavior. If the "No auto-restart with logged on users for scheduled automatic
the status is set to Enabled, Windows will check for available updates at the specified interval. If the status is s
ing any updates. When Windows finds updates that apply to this computer, users will be notified that updates
tions of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
t the computer to do?' list. If you disable or do not configure this policy setting, the 'Install Updates and Shut D
t the computer to do?' list. If you disable or do not configure this policy setting, the 'Install Updates and Shut D
op working. Note: This policy applies only when this PC is configured to connect to an intranet update service u
ure this policy setting, the 'Install Updates and Shut Down' option will be available in the Shut Down Windows di
ure this policy setting, the 'Install Updates and Shut Down' option will be available in the Shut Down Windows di
y multiple group names separated by semicolons. Otherwise, a single group must be specified. If the status is s
e applied, then Windows Update will use the Windows Power management features to automatically wake the s
tart the computer. Be aware that the computer needs to be restarted for the updates to take effect. If the statu
out nor will you receive critical updates from Windows Update. This setting also prevents Device Manager from a
rform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has
heduled installation. If the status is set to Not Configured, a missed scheduled installation will occur one minut
values: the server from which the Automatic Updates client detects and downloads updates, and the server to
you enable this policy setting, a notification message will appear on the user's computer when featured softwa
nable this setting, it prohibits Windows from searching for updates. If you disable or do not configure it, Window
med pipe remote shutdown interface.

me of the interface program, including the file name extension, in the Shell name text box. If the interface progr
s can simulate the SAS. If you set this policy setting to "Services and Ease of Access applications," both services
successful logon attempted with that user name, and the number of unsuccessful logons since the last successf
s expire, if actions have been set to occur when the logon hours expire. Note: If you configure this setting, you
hours. If you choose to log off a user, the user might lose unsaved data. If you enable this setting, the system w
atically signed-in and the session is automatically locked with all the lock screen apps configured for that user. I
ot be automatically terminated during shutdown. If you disable or do not configure this setting, these applicatio
o networks shared by my contacts" enables Windows to automatically connect to networks that the user's conta
traints. - Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certai
olders will use the settings specified in the "Specify Work Folders settings" policy setting in User Configuration\A
scovery, or the specific URL of the file server that stores the affected users' data. The "Force automatic setup" o
setting, a default value will be used, which administrators and users will be able to modify.
etting, a default value will be used, which administrators and users will be able to modify.
Quiet Hours settings. If you do not configure this policy setting, voice and video calls will be allowed during Quie
es will not be able receive notifications from the network from WNS or via notification polling APIs. If you enable
e to change this or any other Quiet Hours settings. If you do not configure this policy setting, Quiet Hours are
gure this policy setting, toast notifications are enabled and can be turned off by the administrator or user. No re
of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. - Variab
f this connection is not restricted by usage charges and capacity constraints up to a certain data limit. - Variabl
als before installation. Note: Wild card characters cannot be used when specifying the host URLs.
ver certificate that passes all validation criteria. If you are aware that a trusted site has a certificate error but yo
ars. This setting does not prevent users from using other methods to configure services. Note: When "Set up s
oes not prevent users from using other tools and methods to configure services or add or remove program comp
bled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in Use
the programs are available, to recommend their use, or to enable users to install them without having to search
lable to all users. This setting does not prevent users from using other tools and methods to change program a
e Programs is available to all users. When enabled, this setting takes precedence over the other settings in this
nk to support information on the Internet, such as the Microsoft Product Support Services Web page. If you disab
define a category, use Software Installation. If you disable this setting or do not configure it, all programs (Cate
ched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall reso
s applied to application using this interface.
mpatibility of many popular legacy applications, and will not block known incompatible applications from install
plications. To ensure that telemetry collection has stopped for all applications, please reboot your machine.
policy setting, the Inventory Collector will be turned on. Note: This policy setting has no effect if the Customer E
to known compatibility issues when running applications. Turning off the PCA can be useful for system administ
be disabled. If you disable or do not configure this policy setting, Steps Recorder will be enabled.
nce and are aware of compatibility of the applications they are using. If you disable or do not configure this poli
e correct profile from loading User profiles for the Guest account and members of the Guests group If you enab
f you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop ap
f you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop ap
pps. If you disable or do not configure this policy setting, Windows Store apps can open URIs in the default desk
pps. If you disable or do not configure this policy setting, Windows Store apps can open URIs in the default desk
the static Content URI Rules.

and is from the restricted or Internet zone, Windows prompts the user before accessing the file. Low Risk: If the
attachments with their zone information. If you do not configure this policy setting, Windows marks file attachm
dows shows the check box and Unblock button. If you do not configure this policy setting, Windows hides the ch
st of high-risk file types. If you disable this policy setting, Windows uses its built-in list of file types that pose a
ose a low risk. If you disable this policy setting, Windows uses its default trust logic. If you do not configure this
able this policy setting, you can specify file types which pose a moderate risk. If you disable this policy setting,
nt is blocked from being opened. If you disable this policy setting, Windows does not call the registered antiviru
ooses the more restrictive recommendation which will cause users to see more trust prompts than choosing the
r do not configure this policy setting, the process's command line information will not be included in Audit Proce
t the user whether autorun command is to be run. The autorun command is represented as a handler in the Aut
t the user whether autorun command is to be run. The autorun command is represented as a handler in the Aut
USB mass storage devices. If you enable this policy setting, Autoplay is disabled on CD-ROM and removable me
USB mass storage devices. If you enable this policy setting, Autoplay is disabled on CD-ROM and removable me
d domain users from using biometrics to log on.

y biometric feature in Windows. Note: Users who log on using biometrics should create a password recovery dis
isable this policy setting, biometrics cannot be used by any users to log on to a local Windows-based computer.
t-user switch event timeouts.
ve the requested files, BITS downloads them from the origin server. If you enable this policy setting, BITS down
pplications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no eff
. If you disable or do not configure this policy setting, the computer attempts to download peer-enabled BITS jo
computer will offer downloaded and cached files to its peers. Note: This setting has no effect if the "Allow BITS
d for the past 90 days will be removed from the peer cache. Note: This policy setting has no effect if the "Allow
n 1 percent and 80 percent. If you disable or do not configure this policy setting, the default size of the BITS pe
s. If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be
specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits
the default behavior of BITS, and specify a fixed maximum bandwidth that BITS will use for peer caching. If you
: This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" po
BITS jobs created by services and the local administrator account do not count toward this limit.
services and the local administrator account do not count toward this limit.
he local administrator account do not count toward this limit.
s apply to jobs that are created by specifying only a priority. For example, you can specify that background jobs
ample, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the net
hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS bac
tay offline for a long period of time and still have pending jobs. Consider decreasing this value if you are concer
s found, downloads it. The resulting searches might make some programs start or run slowly. If you disable or d
s found, downloads it. The resulting searches might make some programs start or run slowly. If you disable or d
rol Panel window and the Start screen. To hide a Control Panel item, enable this policy setting and click Show to
roperties item on a context menu, a message appears explaining that a setting prevents the action.
rol Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the S
etting only applies to Enterprise, Education, and Server SKUs.

able name" setting or through Control Panel on the client computer. Second, the screen saver timeout is set to
to use by changing themes (if the Personalization Control Panel is available). Note: If this setting is enabled an
, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory,
not to set password protection on each screen saver. To ensure that a computer will be password protected, ena
or Color Scheme dialog is available in the Personalization or Display Control Panel. For systems prior to Windows
the desktop wallpaper. Refer to KB article: Q327998 for more information. Also, see the "Allow only bitmapped
Force a specific Start background" policy is also set on a supported version of Windows, then that background ta
viously set or the system default.
or the Screen Saver dialog of the client computer's Personalization or Display Control Panel specifies a valid exis
If you enable this policy setting, the default user account picture will display for all users on the system with no
device locks. In addition, if a password is required when a screensaver turns on, the screensaver timeout will lim
might be different than the domain to which the computer is joined. If you disable or do not configure this pol
an administrator can specify the CLSIDs of the credential providers to exclude from the set of installed credenti
y setting, a domain user can't set up and use a convenience PIN. Note that the user's domain password will be
puter running Windows. If you disable or do not configure (by default) this policy setting, delegation of default c
mitted to any machine. Note: The "Allow delegating default credentials with NTLM-only server authentication" p
utual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on an
of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). If you
g, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session H
ation, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TE
t to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user creden
be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user cr
olicy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to
ure this policy setting, restricted mode is not enforced and participating apps can delegate credentials to remot
word in the password entry text box. To display the password, click the password reveal button. The policy app
word in the password entry text box. To display the password, click the password reveal button. The policy app
ure this policy setting, users will enter Windows credentials within the users desktop session, potentially allowin
ss Ctrl+Alt+Delete, and then click Lock this computer.

they press Ctrl+Alt+Del.
ning that a policy prevents the action. If you disable or do not configure this policy setting, users can access Tas
you do not configure this policy setting, DCOM will only look in the locally configured exemption list if the "Defin
y-brace format. For example: {b5dcb061-cefb-42e0-a1be-e6a6438133fe}. If you enter a non-existent or impro
the "Add" list for this setting is not the same as deleting it. Items that are removed from the "Add" list are not r
wallpaper" (in User Configuration\Administrative Templates\Control Panel\Display) settings.
orp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot spec
mplates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policie
emplates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these po
ory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such
revent users from saving data to the Desktop.
able this setting or do not configure it, the system displays up to 10,000 objects. This consumes approximately
ng desktop toolbars" setting.
t. If you enable this setting, Computer is hidden on the desktop, the new Start menu, the Explorer folder tree p
g. Note: To make changes to this setting effective, you must log off from and log back on to Windows 2000 Profe
from Display, by clicking the Desktop tab and then clicking the Customize Desktop button.
p7b). The local machine account (LOCAL SYSTEM) must have access permission to the policy file. If using a si
grity. When this is enabled kernel mode memory protections are enforced and the Code Integrity validation pat
client to the remote desktop server. If you disable or do not configure this policy setting, members of the Admin
s in the list you create, unless another policy setting specifically prevents that installation (for example, the "Pre
the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent ins
s of the Administrators group are allowed to install new device drivers on the system.
gnore" directs the system to proceed with the installation even if it includes unsigned files. -- "Warn" notifies t
y be created. If you disable or do not configure this policy setting, Windows creates a system restore point as it
or update the device driver for any device that is not described by the "Prevent installation of devices that mat
the specified devices from a remote desktop client to the remote desktop server. If you disable or do not confi
etting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If y
ws is prevented from installing removable devices and existing removable devices cannot have their drivers upd
certificates are prioritized equally during the driver selection process. Selection is based on other criteria, such
Windows searches the installation location, floppy drives, and CD-ROM drives. Note: To prevent searching Wind
log box controls whether Windows retrieves device metadata from the Internet.
ound for the device, even if the network is temporarily available. If the setting for searching only if needed is s
o not configure this policy setting, members of the Administrators group can determine the server used in the s
"Turn off Windows Update device driver searching" is disabled or not configured, the administrator will be promp
"Turn off Windows Update device driver searching" is disabled or not configured, the administrator will be promp
u can select is 15 minutes. If you try to set this setting to a value less than 15 minutes, the default value of 15 m
effect immediately. This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled
up and recovery to minimize potential data loss. If you disable this policy, S.M.A.R.T. faults are still detected an
ely. This might cause a slight increase in the time taken for shutdown and hibernate. If you do not configure th
er save mode. Note: This policy setting is applicable only if the NV cache feature is on.
m the cache. If you enable this policy setting, the system will not manage the NV cache and will not enable NV c
If you do not configure this policy setting, the default behavior of the system is observed and frequently writte
g the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quo
ng, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is o
tab, so administrators cannot change the setting while a setting is in effect. If you do not configure this policy
s in effect. If you do not configure this policy setting, no event is recorded, but administrators can use the Quot
olumes, and it disables the corresponding options in the "Select the default quota limit for new users of this volu
s in the domain.
ery for "server.corp" will be queried by the DNS client first. If the query succeeds, the response is returned to th
e local or DHCP supplied connection specific DNS suffix, if configured.

eceive this policy setting. If you disable this policy setting, or if you do not configure this policy setting, comput
d to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a s
ation must allow dynamic DNS registration, and this policy setting must not be disabled. If you disable this poli
with a higher binding order. If you disable this policy setting, or if you do not configure this policy setting, then
g the System control panel. You can use this policy setting to prevent users, including local administrators, from
client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append prim
single-label domain name. The DNS client appends DNS suffixes to the single-label, unqualified domain name b
ycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. If you e
st: Do not register: Computers will not attempt to register PTR resource records. Register: Computers will atte
er is configured to delete stale records. Warning: If record scavenging is enabled on the zone, the value of this
namic Updates, an A resource record might exist that associates the client's host name with an IP address differe
re this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds
you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer
across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR
this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks
evel that you specify in this policy setting. If you disable this policy setting, or if you do not configure this polic
hat the computer needs to update, except the root zone. If you disable this policy setting, or if you do not confi
rough to select. Changing this policy setting requires a logoff for it to be applied.
rough to select. Changing this policy setting requires a logoff for it to be applied.
or window frames that cannot be changed by users.

or window frames that cannot be changed by users.
soft IME only. Note: Changes to this setting will not take effect until the user logs off.
0x0100 // EUDC(GAIJI) 0x0200 // S-JIS unmapped area 0x0400 // Unicode char 0x0800 // surrogate char 0x10
is enabled, and it clears self-tuned words from the custom dictionary. This policy setting is applied to Japanese
re this policy setting, Open Extended Dictionary can be added and used by default. This policy setting is applied
boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this
nd Prompt will be listed in the menu by default, and users can configure this setting.
ble by default, and the user can configure this setting.
File Explorer encrypts those files automatically.

root hubs will be allowed.
ure this policy setting, Windows Error Reporting sends error reports to Microsoft.
tting is not configured, then Control Panel settings for Windows Error Reporting override this policy setting. If yo
s are stored before older reports are automatically deleted. If you disable or do not configure this policy setting,
s are stored before older reports are automatically deleted. If you disable or do not configure this policy setting,
he queue until the user is prompted to send the reports, or until the user sends problem reports by using the So
he queue until the user is prompted to send the reports, or until the user sends problem reports by using the So
ata to Microsoft for this event type. - 1 (Always ask before sending data): Windows prompts the user for consen
ata to Microsoft for this event type. - 1 (Always ask before sending data): Windows prompts the user for consen
Report all errors in Windows check box is filled, all errors in Windows applications are reported, regardless of the
ng policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Managem

ng policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Managem
but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive u
cedence.
cedence.
s not upload more than one CAB file for a report that contains data about the same event types.
s not upload more than one CAB file for a report that contains data about the same event types.
r reports.
r reports.
ting Settings policy setting is configured to report all application errors. If you enable this policy setting, you ca
nclude the .exe file name extension. To remove an application from the list, click the name, and then press DEL
nclude the .exe file name extension. To remove an application from the list, click the name, and then press DEL
s dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that a
o the Configure Error Reporting policy setting.
isable or do not configure this policy setting, WER checks for solutions while a computer is running on battery p
isable or do not configure this policy setting, WER checks for solutions while a computer is running on battery p
onds>,IssuerCA=<Thumb print of the client authentication certificate>. When using the HTTP protocol, use port
onfigure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and
ss (legacy)" policy setting to enforce this change across all tools and APIs.
tem software and administrators can read or clear this log. Note: If you enable this policy setting, some tools a
ss (legacy)" policy setting to enforce this change across all tools and APIs.
y authenticated user can read events from it. Note: If you enable this policy setting, some tools and APIs may ig
responding to the public key that they were encrypted with. If you disable or do not configure this policy setting
setting does not prevent the user from being able to add new items such as files and folders to their actual file s
To Go when a USB device is connected will not be enabled unless a user configures the option manually in the
tor event when a system restart is required. This behavior is recommended for headless operation. Troubleshoo
international domain name format. Example value: Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arh
Copy (VSS) Service .
r not short names are created on a given volume. If you disable short name creation on all data volumes then s
ailable offline. Note: This policy setting does not prevent files from being automatically cached if the network sh
d if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always ava
cache and not copied to the new location. To use this policy setting, you must move or restore the server conte
ctive Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of t
ctive Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of t
le or not configure this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use
le or not configure this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use
configure this policy setting, the Details Pane is hidden by default and can be displayed by the user. This is the d
lt Tolerant Heap for resolution by default. This policy setting takes effect only if the diagnostics-wide scenario e
emoved as part of a scheduled clean up task.

0. All numbers greater than the specified value are interpreted as being preceded by 19. For example, the defa
ons are based on per-user policy settings. To set this policy setting on a per-user basis, make sure that the per-c
ons are based on per-user policy settings. To set this policy setting on a per-user basis, make sure that the per-c
input methods enabled for their user account on the sign-in page.
a custom locale, even if this policy setting is not configured. If you enable this policy setting, the user cannot s
a custom locale, even if this policy setting is not configured. If you enable this policy setting, the user cannot s
heir user locale with user overrides. If this policy setting is disabled or not configured, then the user can custom
heir user locale with user overrides. If this policy setting is disabled or not configured, then the user can custom
ing, there is no restriction of a specific language used for the Windows menus and dialogs.
disable or do not configure this policy setting, the user can see the Administrative options. Note: Even if a user
ID). Note: Even if a user can see the GeoID option, the "Disallow changing of geographical location" option can
r changing the UI language. Note: Even if a user can see the option to change the UI language, other policy set
and customizing the user locale.
tting in Windows Vista, use the "Restricts the UI languages Windows should use for the selected user" policy set
d restrict the system locale to English (United States) and English (Canada). If you enable this policy setting, ad
rated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict t
rated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict t
cy setting, the user can specify which UI language is used.
r. If you disable or do not configure this policy setting, there is no restriction on which language users should us
hat the availability and function of this setting is dependent on supported languages being enabled.
frequency and new words not already known to the handwriting recognition engines (for example, proper name
frequency and new words not already known to the handwriting recognition engines (for example, proper name
ailability and function of this setting is dependent on supported languages being enabled.
bled or Not Configured, then the user will be free to change the setting according to their preference. Note tha
to their preference. Note that the availability and function of this setting is dependent on supported languages
puter from the local forest. A warning message appears to the user, and an event log message (1529) is posted.
ontains English ADM files. - If you later edit the GPO from a different-language system, you get the English ADM
artup and logon. Existing users will be logged on using cached credentials, which will result in shorter logon tim
ction. If no bandwidth speed is detected, Group Policy will default to a slow network connection. This policy sett
re this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" o
no effect on the system. The "Allow processing across a slow network connection" option updates the policies e
installed. If you enable this policy setting, you can use the check boxes provided to change the options. If you
speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to downloa
es changes to the domain controller that Active Directory Users and Computers or Active Directory Sites and Se
gs in this folder lets you override the programs' specified responses to slow links. If you enable this setting, you
gs in this folder lets you override the programs' specified responses to slow links. If you enable this setting, you
ptions. If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processin
you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across
ripts immediately after logon. If you do not configure this policy setting, Group Policy will wait five minutes bef
during periodic background processing" option prevents the system from updating affected policies in the back
w processing across a slow network connection" option updates the policies even when the update is being tran
e system. The "Do not apply during periodic background processing" option prevents the system from updating
n policy set when it was installed. If you enable this policy setting, you can use the check boxes provided to cha
puter's Group Policy Objects determine which set of Group Policy Objects applies. If you enable this setting, you
ffect on the system. The "Allow processing across a slow network connection" option updates the policies even
has no effect on the system. The "Allow processing across a slow network connection" option updates the poli
roup Policy object links are created in the enabled state. If you do not want them to be effective until they are c
data. Note: To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Consol
data. Note: To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Consol
e the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to
mmand is turned on, and administrators cannot turn it off. As a result, Group Policy Object Editor displays only tru
r. Note: This policy setting applies only to non-administrators. Administrators can still invoke a refresh of compu
cy object is used.
an specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to up
wever, because updates might interfere with users' work and increase network traffic, very short update interva
e from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy ev
this policy setting, Group Policy will use this administratively configured maximum wait time and override any d
enable this policy setting, Group Policy uses this administratively configured maximum wait time for workplace c
ed into the GPO. Changing the status of this setting to Enabled will keep any source files from copying to the GP
l for computers" and "Set Group Policy refresh interval for users" policy settings. Note: If you make changes to
this policy setting, Local GPOs continue to be applied. Note: For computers joined to a domain, it is strongly re
P logging is always on. Note: To view the RSoP information logged on a client computer, you can use the RSoP s
nd processing priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option updat
warnings and errors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perfor
ground processing priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option u
nly warnings and errors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To pe
priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option updates preference
d errors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for
d processing priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option update
rnings and errors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform t
By default, background processing priority is "Idle." Notes: 1. The "Allow processing across a slow network conn
y warnings and errors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perfo
"Idle." Notes: 1. The "Allow processing across a slow network connection" option updates preference items eve
d tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in th
p Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle." Notes: 1. The "Allow
es only warnings and errors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To
riority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option updates preference i
rrors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for it
g priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option updates preferenc
errors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for i
processing priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option updates
d errors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for
POs) are unchanged. By default, background processing priority is "Idle." Notes: 1. The "Allow processing acro
vent logging for this extension includes only warnings and errors, and tracing for this extension is turned off. N
icy objects (GPOs) are unchanged. By default, background processing priority is "Idle." Notes: 1. The "Allow pr
ncludes only warnings and errors, and tracing for this extension is turned off. Notes: 1. User Configuration trac
lt, background processing priority is "Idle." Notes: 1. The "Allow processing across a slow network connection"
ludes only warnings and errors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing
ts (GPOs) are unchanged. By default, background processing priority is "Idle." Notes: 1. The "Allow processing
s only warnings and errors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To
Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle." Notes: 1. The
errors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for
efault, background processing priority is "Idle." Notes: 1. The "Allow processing across a slow network connecti
includes only warnings and errors, and tracing for this extension is turned off. Notes: 1. User Configuration tra
ing priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option updates prefere
d errors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing fo
objects (GPOs) are unchanged. By default, background processing priority is "Idle." Notes: 1. The "Allow proce
ncludes only warnings and errors, and tracing for this extension is turned off. Notes: 1. User Configuration traci
ng priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option updates preferen
nd errors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing fo
ssing priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option updates prefe
s and errors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracin
processing priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option update
nings and errors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform t
estrict the use of preference extensions. If you disable this policy setting, you prohibit use of Applications snap-
ot configure this policy setting, you permit use of the preference extension unless restricted by the "Restrict use
ensions under Control Panel Settings for Computer Configuration. Enabling this policy setting overrides the "Res
ns under Control Panel Settings for User Configuration. Enabling this policy setting overrides the "Restrict users
xplicitly permitted list of snap-ins" policy setting. If you disable this policy setting, you prohibit use of the prefer
tly permitted list of snap-ins" policy setting. If you disable this policy setting, you prohibit use of the preference
configure this policy setting, you permit use of the preference extension unless restricted by the "Restrict user
ot configure this policy setting, you permit use of the preference extension unless restricted by the "Restrict use
ure this policy setting, you permit use of the preference extension unless restricted by the "Restrict users to the
explicitly permitted list of snap-ins" policy setting. If you disable this policy setting, you prohibit use of the prefe
nfigure this policy setting, you permit use of the preference extension unless restricted by the "Restrict users to
you disable this policy setting, you prohibit use of the preference extension. If you do not configure this policy
rs to the explicitly permitted list of snap-ins" policy setting. If you disable this policy setting, you prohibit use of
e explicitly permitted list of snap-ins" policy setting. If you disable this policy setting, you prohibit use of the pr
o not configure this policy setting, you permit use of the preference extension unless restricted by the "Restrict
explicitly permitted list of snap-ins" policy setting. If you disable this policy setting, you prohibit use of the prefe
ce extensions. If you disable this policy setting, you prohibit use of the Preferences tab. If you do not configure
ly permitted list of snap-ins" policy setting. If you disable this policy setting, you prohibit use of the preference
you disable this policy setting, you prohibit use of the preference extension. If you do not configure this policy
e explicitly permitted list of snap-ins" policy setting. If you disable this policy setting, you prohibit use of the pre
u disable this policy setting, you prohibit use of the preference extension. If you do not configure this policy set
configure this policy setting, you permit use of the preference extension unless restricted by the "Restrict users
isable this policy setting, you prohibit use of the preference extension. If you do not configure this policy settin
or do not configure this policy setting, Windows Server applies user Group Policy settings synchronously. Note:
olders, enable the policy setting and enter the desired folders in the text box on the Settings tab of the Policy Pr
Policy settings available in Computer Configuration\Security Settings. Note: This policy setting is available un
Policy settings available in Computer Configuration\Security Settings. Note: This policy setting is available un
shutting down HTML Help Executable. If you disable or do not configure this policy setting, DEP is turned on fo
content with active elements).
tings page.
Options page.
are automatically probed for WISPR protocol support. If you disable this policy setting, WLAN hotspots are not pr
onfigure this policy setting, all of the the policy settings in the "Internet Communication settings" section are se
onfigure this policy setting, all of the the policy settings in the "Internet Communication settings" section are se
etting also prevents Device Manager from automatically installing driver updates from the Windows Update we
this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With d
this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With d
es. If you enable this policy setting, when you are presented with a certificate issued by an untrusted root autho
ing, users can download print drivers over HTTP.
ing, users can download print drivers over HTTP.
event occurred. If you enable this policy setting, event description hyperlinks are not activated and the text "M
and displays "Did you know?" content. You might want to enable this policy setting for users who do not have In
local computer is searched. If you disable or do not configure this policy setting, the Knowledge Base is search
e cached in the local registry are displayed. If you disable or do not configure this policy setting, a list of provid
e cached in the local registry are displayed. If you disable or do not configure this policy setting, a list of provid
le or do not configure this policy setting, the user is allowed to use the Web service.
le or do not configure this policy setting, the user is allowed to use the Web service.
re this policy setting, users can choose to print to Internet printers over HTTP. Also, see the "Web-based printing
re this policy setting, users can choose to print to Internet printers over HTTP. Also, see the "Web-based printing
o Microsoft. However, Windows Product Activation is required but does not involve submitting any personal infor
setting, Search Companion downloads content updates unless the user is using Classic Search. Note: Internet
of usage information are not shown. If you disable this policy setting, Windows Messenger collects anonymous u
of usage information are not shown. If you disable this policy setting, Windows Messenger collects anonymous u
d user-friendly. If you enable this policy setting, all users are opted out of the Windows Customer Experience Im
ing made from the Control Panel for error reporting. Also see the "Configure Error Reporting", "Display Error No
bility of NCSI, and of other components that use NCSI, to determine Internet access. If you disable or do not con
driver search prompt" in "Administrative Templates/System," which governs whether an administrator is prompte
alled on the computer. If you disable or do not configure this policy setting, IIS can be installed, as well as all the
n the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to a
et Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For inform
et Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For inform
policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that y
policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that y
ors must be entered in #package#behavior notation, e.g., #default#vml. If you disable this policy setting, no b
ors must be entered in #package#behavior notation, e.g., #default#vml. If you disable this policy setting, no b
y setting, all processes will not respect add-on management user preferences or policy settings.
y setting, all processes will not respect add-on management user preferences or policy settings.
ension. If you enable this policy setting, Consistent Mime Handling is enabled for all processes. If you disable o
ension. If you enable this policy setting, Consistent Mime Handling is enabled for all processes. If you disable o
ng, the Local Machine zone security applies to all local files and content processed by any process other than In
ng, the Local Machine zone security applies to all local files and content processed by any process other than In
ols is prevented for all processes other than File Explorer or Internet Explorer. If you do not configure this policy
ols is prevented for all processes other than File Explorer or Internet Explorer. If you do not configure this policy
his policy setting, the Notification bar will not be displayed for all processes other than Internet Explorer or thos
his policy setting, the Notification bar will not be displayed for all processes other than Internet Explorer or thos
t configure this policy setting, processes other than Internet Explorer or those listed in the Process List receive n
t configure this policy setting, processes other than Internet Explorer or those listed in the Process List receive n
cation bar will appear to allow control over questionable content accessed over any restricted protocols; conten
box, the Notification bar will appear to allow control over questionable content accessed over any restricted pro
box, the Notification bar will appear to allow control over questionable content accessed over any restricted pro
n pages in the Local Machine zone to run.


available unless applications have implemented a custom security manager. If you do not configure this policy
g, it can be configured on the General tab in Internet Options. If the "Prevent access to Delete Browsing History"
g, it can be configured on the General tab in Internet Options. If the "Prevent access to Delete Browsing History"
ng, users can drag files or copy and paste files from this zone automatically.
ng, users are queried to choose whether to drag or copy files from this zone.
ed. If you do not configure this policy setting, non-Internet Explorer components will be automatically installed
ed. If you do not configure this policy setting, non-Internet Explorer components will be automatically installed
disable this policy setting, users will be prompted when Web Components such as fonts would be downloaded. I
disable this policy setting, users will be prompted when Web Components such as fonts would be downloaded. I
queried to choose whether to install desktop items from this zone.
nstall desktop items from this zone automatically.
prevented from installing desktop items from this zone.
the user is prompted for loading XBAPs. If you disable this policy setting, XBAPs are not loaded inside Internet
ser is prompted for loading XAML files. If you disable this policy setting, XAML files are not loaded inside Interne
ed inside Internet Explorer. The user cannot change this behavior. If you do not configure this policy setting, th
nother Web page. If you do not configure this policy setting, a user's browser that loads a page containing an ac
the Address bar. In addition, users won't be able to change the Suggestions setting on the Settings charm. If yo
the Address bar. In addition, users won't be able to change the Suggestions setting on the Settings charm. If yo
plorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature c
o run or install files with an invalid signature.

o run or install files with an invalid signature.
isabled if this policy setting is enabled. If you disable this policy setting, placeholders will not appear for graphi
gure this policy, Internet Explorer automatically launches any browser helper objects that are installed on the u
gure this policy, Internet Explorer automatically launches any browser helper objects that are installed on the u
hrough older media players in specified zones. If you disable this policy setting, video and animation cannot be
t have no status bar or Address bar.
ot configure this policy setting, websites will be able to store application caches on client computers. Allow webs
ot configure this policy setting, websites will be able to store application caches on client computers. Allow webs
u do not configure this policy setting, websites will be able to store an indexed database on client computers. Al
u do not configure this policy setting, websites will be able to store an indexed database on client computers. Al
you disable this policy setting, Internet Explorer only sends the Do Not Track header if inPrivate Browsing mode
you disable this policy setting, Internet Explorer only sends the Do Not Track header if inPrivate Browsing mode
1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Do
using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
antiates an ActiveX control they do not have installed.
fication bar to allow the file download prompt.

is definition. If you enable this policy setting, newly installed add-ons are automatically activated in the browse
is definition. If you enable this policy setting, newly installed add-ons are automatically activated in the browse
t Explorer does not check the Internet for new versions of the browser, so does not prompt users to install them
t Explorer does not check the Internet for new versions of the browser, so does not prompt users to install them
is running in any process on the computer attempts to perform a Clipboard operation. If you do not configure th
is running in any process on the computer attempts to perform a Clipboard operation. If you do not configure th
sable this policy setting, the user is prompted when a script that is running in the Internet Explorer process attem
sable this policy setting, the user is prompted when a script that is running in the Internet Explorer process attem
how administrator-approved controls are handled for each security zone, carry out the following steps: 1. In Gr
tes to see if they have been revoked. If you do not configure this policy setting, Internet Explorer will not check
tes to see if they have been revoked. If you do not configure this policy setting, Internet Explorer will not check
heck the digital signatures of executable programs or display their identities before downloading them to user c
heck the digital signatures of executable programs or display their identities before downloading them to user c
the Media Explorer Bar. Administrators also have the ability to turn the auto-play feature on or off. This setting
ly icons: All command buttons have only icons. If you disable or do not configure this policy setting, the comma
ly icons: All command buttons have only icons. If you disable or do not configure this policy setting, the comma
precedence over that policy setting. If you enable this policy setting and enter a value of 1, prompts are bypass
precedence over that policy setting. If you enable this policy setting and enter a value of 1, prompts are bypass
net Explorer to manage add-ons not listed within the 'Add-on List' policy setting. This policy setting effectively r
net Explorer to manage add-ons not listed within the 'Add-on List' policy setting. This policy setting effectively r
s to run administrator-approved Active-X controls and plug-ins under security zones. If you disable this policy or
er tracks views of pages in the History List. Users can not delete browsing history. If you disable or do not config
er tracks views of pages in the History List. Users can not delete browsing history. If you disable or do not config
le this policy or do not configure it, users can add channels to the Channel bar or to their desktop. Note: Most c
olicy is intended for organizations that are concerned about server load for downloading content. The "Hide Fav
b. If you disable this policy, then Web pages can be updated on the schedules specified on the Schedule tab. T
ents Tab and click the Settings button.
ot need to set this policy, because the "Disable the General page" policy removes the General tab from the inte
es\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy, because t
you disable or do no configure this policy setting, the user will have the freedom to automatically configure thes
you disable or do no configure this policy setting, the user will have the freedom to automatically configure thes
he Programs Page" policy (located in \User Configuration\Administrative Templates\Windows Components\Intern
ser Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), whic
nfiguration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not
the Connections page" policy removes the Connections tab from the interface.
the Connections page" policy removes the Connections tab from the interface.
ser to use as the default. This policy is intended for organizations that do not want users to determine which br
nternet Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the General pa
page box is enabled and users can choose their own home page.
ble the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\Int
ative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this polic
ed. The "Disable the Programs page" policy (located in \User Configuration\Administrative Templates\Windows
hich removes the Content tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is e
s the Ratings tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this p
able Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.
able Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.
page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\In
ble this policy or do not configure it, users can customize which buttons appear on the Internet Explorer and File
policy, which prevents users from adding or removing toolbars from Internet Explorer.
If you disable this policy or do not configure it, content will not be prevented from being downloaded. The "Dis
. If you disable this policy or do not configure it, users can add, remove, and edit schedules for Web sites and g
eceive an alert stating that the command is unavailable. If you disable this policy or do not configure it, users c
aintain a consistent browser across an organization.
ting, the user will not be able to use the Import/Export Settings wizard. If you disable or do not configure this p
ting, the user will not be able to use the Import/Export Settings wizard. If you disable or do not configure this p
heir connection settings by running the Internet Connection Wizard. Note: This policy overlaps with the "Disable
re working offline.
y clicking the File menu, pointing to New, and then clicking Window. Note: When users click the Open in New W
Explorer by preventing users from being notified about new versions of the browser.
ly across their organization. Note: This policy does not prevent users from removing active content from the de
k the Tools menu, click Synchronize, and then click the Properties button. If you disable this policy or do not con
updated. This policy is intended for administrators who want to use Software Distribution Channels to update th
ernet Explorer\), because this policy removes the Advanced tab from the interface.
ernet Explorer\), because this policy removes the Advanced tab from the interface.
ction settings" "Prevent changing proxy settings" "Disable changing Automatic Configuration settings"
ction settings" "Prevent changing proxy settings" "Disable changing Automatic Configuration settings"
rer\), because this policy removes the General tab from the interface: "Disable changing home page settings" "
rer\), because this policy removes the General tab from the interface: "Disable changing home page settings" "
alendar and Contact settings" "Disable the Reset Web Settings feature" "Disable changing default browser che
alendar and Contact settings" "Disable the Reset Web Settings feature" "Disable changing default browser che
ograms tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy
ow users to change policies" "Security zones: Do not allow users to add/delete sites"
ow users to change policies" "Security zones: Do not allow users to add/delete sites"
down box is set to Prompt, the user will receive the security information message on the Web pages that contain
es additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For
es additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For
nfigure this policy setting, the appropriate controls in the Add-On Manager will be available to the user.
nfigure this policy setting, the appropriate controls in the Add-On Manager will be available to the user.
yed in any web form or web application. If you disable or do not configure this policy setting, the reveal passwo
yed in any web form or web application. If you disable or do not configure this policy setting, the reveal passwo
one certificate. If you do not configure this policy setting, Internet Explorer prompts users with a Client Authen
one certificate. If you do not configure this policy setting, Internet Explorer does not prompt users with a "Clien
ou do not configure this policy, Internet Explorer will save encrypted pages containing secure (HTTPS) informatio
ou do not configure this policy, Internet Explorer will save encrypted pages containing secure (HTTPS) informatio
etting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of
etting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of th
icy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code sign
icy setting, users can download signed controls without user intervention.
icy setting, signed controls cannot be downloaded.
policy setting, users cannot run unsigned controls.
policy setting, users can run unsigned controls without user intervention.
policy setting, users can run unsigned controls without user intervention.
policy setting, users are queried to choose whether to allow the unsigned control to run.
policy setting, users are queried to choose whether to allow the unsigned control to run.
policy setting, Internet Explorer will not delete the contents of the user's Temporary Internet Files folder when br
policy setting, Internet Explorer will not delete the contents of the user's Temporary Internet Files folder when br
urce and destination are in different windows. Users cannot change this setting. In Internet Explorer 10, if you
and destination are in the same window. Users cannot change this setting in the Internet Options dialog. In Inte
eature will be turned on in this zone, as dictated by the feature control setting for the process. If you do not co
nternet Explorer, copying and pasting text, managing favorites, and accessing Help. The Command bar enables
nternet Explorer, copying and pasting text, managing favorites, and accessing Help. The Command bar enables
forced. If you disable or do not configure this policy setting, the user can establish the InPrivate Filtering thresh
forced. If you disable or do not configure this policy setting, the user can establish the InPrivate Filtering thresh
nforced. If you disable or do not configure this policy setting, the user can establish the Tracking Protection thre
nforced. If you disable or do not configure this policy setting, the user can establish the Tracking Protection thre
sers from opening a new browser window by right-clicking, and then clicking the Open in New Window command
the Open or Open in New Window command. To prevent users from opening Web pages by using the shortcut m
not saved. To display the Save Web Page dialog box, users click the File menu, and then click the Save As comm
and linked files, but does not prevent users from saving the text of a Web page. Caution: If you enable this polic
rites list. Note: If you enable this policy, users also cannot click Synchronize on the Tools menu (in Internet Exp
licy or do not configure it, users can set up and change identities.
e user is uploading a file via an HTML form. If you do not configure this policy setting, the user can choose whe
bility View Settings dialog box. If you do not configure this policy setting, the Microsoft-provided website lists ar
bility View Settings dialog box. If you do not configure this policy setting, the Microsoft-provided website lists ar
Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or sc
stall binaries signed by MD2 and MD4 signing technologies.
stall binaries signed by MD2 and MD4 signing technologies.
you do not configure this policy setting, binary behaviors are prevented for the File Explorer and Internet Explore
you do not configure this policy setting, binary behaviors are prevented for the File Explorer and Internet Explore
ension. If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. If
ension. If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. If
e. If you enable this policy setting, the Local Machine zone security applies to all local files and content process
e. If you enable this policy setting, the Local Machine zone security applies to all local files and content process
ore dangerous file type.
ore dangerous file type.
ure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted
ure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted
https protocols by adding the value names http and https. If you disable this policy setting, restricting content o
https protocols by adding the value names http and https. If you disable this policy setting, restricting content o
ll be displayed for Internet Explorer Processes.
ll be displayed for Internet Explorer Processes.
onger accessible when navigating within or across domains for Internet Explorer processes.
onger accessible when navigating within or across domains for Internet Explorer processes.
from zone elevation by Internet Explorer processes. If you disable this policy setting, no zone receives such pro
from zone elevation by Internet Explorer processes. If you disable this policy setting, no zone receives such pro
et Explorer processes.
et Explorer processes.
xplorer processes.
xplorer processes.
ontinue to create popup windows and windows that obfuscate other windows. If you do not configure this policy
ontinue to create popup windows and windows that obfuscate other windows. If you do not configure this policy
Disable for "Allow active content over restricted protocols to access my computer." If you disable or do not confi
Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in th
g, users choose whether to force local sites into the Intranet Zone.
g, users choose whether to force local sites into the Intranet Zone.
e Intranet Zone.
e Intranet Zone.
ator-approved. To specify how administrator-approved controls are handled for each security zone, carry out the
O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. If yo
tting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zo
ose to move them.

ose to move them.
ry users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for
bles Web authors to control the placement and appearance of Windows pop-up menus on Web pages -- Popup M
administrator-approved controls are handled for each security zone, carry out the following steps: 1. In Group P
s are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration,
1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Doub
Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Curre
fy how administrator-approved controls are handled for each security zone, carry out the following steps: 1. In
s from different domains. If you do not configure this policy setting, users can open windows and frames from o
rames from other domains or access applications from different domains. If you do not configure this policy set
orer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the C
plorer is not the default web browser through the Tell me if Internet Explorer is not the default web browser chec
ing, Internet Explorer will play animated pictures found in Web content.
ing, Internet Explorer will play animated pictures found in Web content.
er will play sounds found in Web content.
er will play sounds found in Web content.
videos found in Web content.
videos found in Web content.
policy setting, you will not be able to provide a default Pop-up Blocker exception list. Note: You can disable user
policy setting, you will not be able to provide a default Pop-up Blocker exception list. Note: You can disable user
g favorites, and accessing Help. If you enable this policy setting, the menu bar is above the navigation bar. The
user can access the Delete Browsing History dialog box. Starting with Windows 8, users can click the Delete Brow
user can access the Delete Browsing History dialog box. Starting with Windows 8, users can click the Delete Brow
can also use the Command bar and F1 to access Help.

can also use the Command bar and F1 to access Help.
nging the filter level. You may also want to enable the "Prevent managing pop-up exception list" and "Turn off p
nging the filter level. You may also want to enable the "Prevent managing pop-up exception list" and "Turn off p
configure this policy setting, the user can configure how windows open when he or she clicks links from other a
configure this policy setting, the user can configure how windows open when he or she clicks links from other a
how new tabs are created by default.
how new tabs are created by default.
Address bar, the list of search results is displayed in the main window. If you disable or do not configure this po
Address bar, the list of search results is displayed in the main window. If you disable or do not configure this po
r, if available. If you enable this policy setting, you can choose where to direct the user after a search on the Ad
r, if available. If you enable this policy setting, you can choose where to direct the user after a search on the Ad
eleting ActiveX Filtering data, Tracking Protection data, and Do Not Track exceptions stored for visited websites.
eleting ActiveX Filtering data, Tracking Protection data, and Do Not Track exceptions stored for visited websites.
this policy setting is enabled by default.
this policy setting is enabled by default.
Browsing History" policy setting is enabled, this policy setting is enabled by default.
Browsing History" policy setting is enabled, this policy setting is enabled by default.
sing History" policy setting is enabled, this policy setting has no effect.
sing History" policy setting is enabled, this policy setting has no effect.
bled, this policy setting is enabled by default.
bled, this policy setting is enabled by default.
deleted when the user clicks Delete. If you do not configure this policy setting, the user can choose whether to
deleted when the user clicks Delete. If you do not configure this policy setting, the user can choose whether to
enabled, this policy setting is enabled by default.
enabled, this policy setting is enabled by default.
ent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default.
ent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default.
en he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this poli
en he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this poli
n change the download setting through the Feed APIs.
n change the download setting through the Feed APIs.
ccelerators infrastructure. If Accelerators are turned on, users can install search providers as Accelerators to inc
ccelerators infrastructure. If Accelerators are turned on, users can install search providers as Accelerators to inc
list" policy setting.
list" policy setting.
user is prompted to decide whether to turn on SmartScreen Filter during the first-run experience.
user is prompted to decide whether to turn on SmartScreen Filter during the first-run experience.
t. If the feature is fully enabled, all website addresses that are not on the filter's allow list are sent automatically
t. If the feature is fully enabled, all website addresses that are not on the filter's allow list are sent automatically
in the CEIP.
in the CEIP.
home page will display regardless of which option is chosen. If you disable or do not configure this policy settin
home page will display regardless of which option is chosen. If you disable or do not configure this policy settin
must specify the cipher strength update information URL. If you disable or do not configure this policy setting, th
h for the code.

already clicked.
ot yet clicked.
lice through the Subscribe button in Internet Explorer and delete a feed or Web Slice through the feed list contro
lice through the Subscribe button in Internet Explorer and delete a feed or Web Slice through the feed list contro
g an InPrivate Browsing session. If you do not configure this policy setting, it can be configured on the Privacy t
g an InPrivate Browsing session. If you do not configure this policy setting, it can be configured on the Privacy t
respect the add-on management user preferences and policy settings. If you enter a Value of 0, the add-on man
respect the add-on management user preferences and policy settings. If you enter a Value of 0, the add-on man
lue of 0 binary behaviors are allowed. The Value Name is the name of the executable. If a Value Name is empty
lue of 0 binary behaviors are allowed. The Value Name is the name of the executable. If a Value Name is empty
ension. This policy setting allows administrators to define applications for which they want this security feature
ension. This policy setting allows administrators to define applications for which they want this security feature
y setting and enter a value of 1, Local Machine Zone security applies. If you enter a value of 0, Local Machine Z
y setting and enter a value of 1, Local Machine Zone security applies. If you enter a value of 0, Local Machine Z
e Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer proc
e Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer proc
setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Pro
setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Pro
ned through restricted protocols is allowed. If you enter a Value of 0, restricting content obtained through restric
ned through restricted protocols is allowed. If you enter a Value of 0, restricting content obtained through restric
ue Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is
ue Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is
he executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter th
he executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter th
plications for which they want this security feature to be prevented or allowed. If you enable this policy setting
plications for which they want this security feature to be prevented or allowed. If you enable this policy setting
r processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the
r processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the
nternet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE
nternet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE
er a Value of 1, such windows may not be opened. If you enter a Value of 0, windows have none of these restrict
er a Value of 1, such windows may not be opened. If you enter a Value of 0, windows have none of these restrict
in this zone.
in this zone.
his zone.
his zone.
in this zone.
in this zone.
in this zone.
in this zone.
his zone.
his zone.
in this zone.
in this zone.
in this zone.
in this zone.
his zone.
his zone.
in this zone.
in this zone.
his zone.
his zone.
or her computer, and any default providers installed do not appear (including providers installed from other appl
or her computer, and any default providers installed do not appear (including providers installed from other appl
ed managed components. If you disable this policy setting, Internet Explorer will not execute unsigned manage
ged components. If you disable this policy setting, Internet Explorer will not execute signed managed compone
r intervention.
r intervention.
r intervention.
r intervention.
r intervention.
r intervention.
r intervention.
r intervention.
user intervention.
user intervention.
user intervention.
user intervention.
user intervention.
user intervention.
user intervention.
user intervention.
user intervention.
user intervention.
user intervention.
user intervention.
user intervention.
user intervention.
user intervention.
user intervention.
Explorer). This policy is intended for situations in which administrators do not want users to explore the Interne
n organization.
es zones, and alter settings for the Local Intranet zone. This policy prevents users from changing site managem
icy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Co
user. Also, see the "Security zones: Do not allow users to change policies" policy.
. 2) Unicode domain names are converted to IDN format only for addresses that are in the Intranet zone. 3) Un
. 2) Unicode domain names are converted to IDN format only for addresses that are in the Intranet zone. 3) Un
rs. When you set this policy setting, you provide the cache limit, in MB. The default is 50 MB. If you enable this
rs. When you set this policy setting, you provide the cache limit, in MB. The default is 50 MB. If you enable this
orer will use the default application cache expiration time limit for all application caches. The default is 30 days.
orer will use the default application cache expiration time limit for all application caches. The default is 30 days.
en you set this policy setting, you provide the cache limit, in MB. The default is 500 MB. If you enable this policy
en you set this policy setting, you provide the cache limit, in MB. The default is 500 MB. If you enable this policy
dividual manifest file entries are less than or equal to the size set in this policy setting. If you disable or do not
dividual manifest file entries are less than or equal to the size set in this policy setting. If you disable or do not
his policy setting, Internet Explorer will allow the creation of application caches whose manifest file contains the
his policy setting, Internet Explorer will allow the creation of application caches whose manifest file contains the
t is 1 GB. If you disable or do not configure this policy setting, Internet Explorer will use the default maximum s
t is 1 GB. If you disable or do not configure this policy setting, Internet Explorer will use the default maximum s
e default is 4 GB. If you disable or do not configure this policy setting, Internet Explorer will use the default max
e default is 4 GB. If you disable or do not configure this policy setting, Internet Explorer will use the default max
s based on the operating system and amount of physical memory. We recommend the default setting. The seco
s based on the operating system and amount of physical memory. We recommend the default setting. The seco
ance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Secu
ou do not configure this policy setting, the user can configure how the computer handles these files. By default,
cy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low templa
cy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low templa
y downloaded to (but not installed on) users' computers. High safety to prevent users from being notified of so
rnet Explorer starts a new browsing session with the home page. Users cannot change this option to start with t
rnet Explorer starts a new browsing session with the home page. Users cannot change this option to start with t
not configure this policy setting, the user can decide whether the Internet Connection Wizard should start autom
to be submitted. If you disable this policy setting, information using HTML forms on pages in this zone is preven
m Number of Offline Pages option determines how many levels of a Web site are searched for new information, it
he browser Tools menu. Caution: This policy does not prevent users from viewing and changing Internet setting
sable this policy setting, .NET Framework Setup is turned on. The user cannot change this behavior. If you do no
trol if it passes all other internal security checks. If you disable or do not configure this policy setting, the Active
trol if it passes all other internal security checks. If you disable or do not configure this policy setting, the Active
tting, users are not notified when the average time to load all the user's enabled add-ons exceeds the threshold
tting, users are not notified when the average time to load all the user's enabled add-ons exceeds the threshold
Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settin
Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settin
" 2. "hostname". For example, if you want to include http://example, use "example" 3. "file:///path/filename.htm
" 2. "hostname". For example, if you want to include http://example, use "example" 3. "file:///path/filename.htm
ring data collection can be turned on or off on the Privacy tab in Internet Options.
ring data collection can be turned on or off on the Privacy tab in Internet Options.
ing for pop-up windows in tabbed browsing.

ing for pop-up windows in tabbed browsing.
port the function. This policy setting has no effect if Windows has been configured to enable Data Execution Pre
turned on. If you do not configure this policy setting, Data URI support can be turned on or off through the reg
turned on. If you do not configure this policy setting, Data URI support can be turned on or off through the reg
this policy setting, when there is a problem connecting with an Internet server, the user sees a detailed descrip
cols and versions, and they select the most preferred match. If you enable this policy setting, the browser nego
cols and versions, and they select the most preferred match. If you enable this policy setting, the browser nego
ure this policy setting, the first-run prompt is turned off by default.
ure this policy setting, the first-run prompt is turned on by default.
display of image download placeholders" policy setting must be disabled if this policy setting is enabled. If you
figure this policy setting, a user will have the freedom to turn on or off Inline AutoComplete for File Explorer.
ate Filtering is available for use. If you do not configure this policy setting, it can be configured through the reg
ate Filtering is available for use. If you do not configure this policy setting, it can be configured through the reg
sers can turn this behavior on or off, using Internet Explorer settings. This feature is turned on by default
sers can turn this behavior on or off, using Internet Explorer settings. This feature is turned on by default
e user. If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on t
e user. If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on t
ies to versions of Internet Explorer up to and including Internet Explorer 8.
rer settings. The default is on.

rer settings. The default is on.
do not configure this policy setting, the popup management feature will be functional.
do not configure this policy setting, the popup management feature will be functional.
le or do not configure this policy setting, the Print menu in Internet Explorer will be available. Starting with Wind
le or do not configure this policy setting, the Print menu in Internet Explorer will be available. Starting with Wind
uture without being prompted. If you do not configure this policy setting, a user will have the freedom to accept
uture without being prompted. If you do not configure this policy setting, a user will have the freedom to accept
n of URLs as UTF-8. The user cannot change this policy setting. If you do not configure this policy setting, the us
ble or don't configure this policy setting, users can turn this behavior on or off, using Internet Explorer Advanced
ble or don't configure this policy setting, users can turn this behavior on or off, using Internet Explorer Advanced
urn them off. If you do not configure this policy setting, the user can turn on or turn off tabbed browsing.
urn them off. If you do not configure this policy setting, the user can turn on or turn off tabbed browsing.
user will have the freedom to choose to turn the auto-complete setting for web-addresses on or off.
user will have the freedom to choose to turn the auto-complete setting for web-addresses on or off.
ed on and the next webpage is loaded into the background. If you don't configure this setting, users can turn th
ed on and the next webpage is loaded into the background. If you don't configure this setting, users can turn th
mains by using the WebSocket object. If you disable or do not configure this policy setting, websites can reques
mains by using the WebSocket object. If you disable or do not configure this policy setting, websites can reques
olicy setting, websites can request data across domains by using the XDomainRequest object.
olicy setting, websites can request data across domains by using the XDomainRequest object.
mpatible toolbars. The user is not prompted, and incompatible toolbars run unless previously disabled through p
mpatible toolbars. The user is not prompted, and incompatible toolbars run unless previously disabled through p
Tracking Protection is available for use. If you do not configure this policy setting, it can be configured through
Tracking Protection is available for use. If you do not configure this policy setting, it can be configured through
ns. If you do not configure this policy setting, URL Suggestions will be turned on. Users will be able to turn on o
ns. If you do not configure this policy setting, URL Suggestions will be turned on. Users will be able to turn on o
s setting. If you disable this policy setting, Internet Explorer uses Windows Search AutoComplete to provide rele
s setting. If you disable this policy setting, Internet Explorer uses Windows Search AutoComplete to provide rele
policy setting, Internet Explorer 11 will use 32-bit tab processes when running in Enhanced Protected Mode on
policy setting, Internet Explorer 11 will use 32-bit tab processes when running in Enhanced Protected Mode on
an turn ActiveX Filtering on or off.

an turn ActiveX Filtering on or off.
whether or not to automatically detect the intranet through the intranet settings dialog in Control Panel.
whether or not to automatically detect the intranet through the intranet settings dialog in Control Panel.
plete the signup process after the branding is complete for ISPs (IEAK). The user cannot change this behavior. I
nation with a less secure HTTP connection. A developer cannot change this policy setting through the Feed APIs
nation with a less secure HTTP connection. A developer cannot change this policy setting through the Feed APIs
ou do not configure this policy setting, Caret Browsing support can be turned on or off through the registry.
ou do not configure this policy setting, Caret Browsing support can be turned on or off through the registry.
smatch warning appears (by using the Advanced page in the Internet Control panel).
smatch warning appears (by using the Advanced page in the Internet Control panel).
g, the user can change the logging settings.
g, the user can change the logging settings.
Protected Mode. If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that ha
Protected Mode. If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that ha
or turn off inline AutoComplete. By default, inline AutoComplete is turned off for Windows Vista, Windows 7, Int
r in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages
r in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages
log box. If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with a
log box. If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with a
from an intranet site that is being treated as though it is in the Internet zone. If this policy setting is not config
from an intranet site that is being treated as though it is in the Internet zone. If this policy setting is not config
ff. The user cannot turn it on. If you do not configure this policy setting, the user can turn on or turn off the prin
or turn off Protected Mode.
The user cannot turn on script debugging. If you do not configure this policy setting, the user can turn on or tu
ls whether Phishing Filter scans pages in this zone for malicious content.
ff. If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature.
ff. If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature.
not appear properly because of problems with its scripting. The user cannot change this policy setting. If you d
ptions, click the Advanced tab, and then under International, select the "Use UTF-8 for mailto links" check box.
ptions, click the Advanced tab, and then under International, select the "Use UTF-8 for mailto links" check box.
annot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page s
urce. To prevent users from viewing the HTML source of a Web page from the shortcut menu, set the "Turn off Sh
on is about to occur. If you disable this policy setting, the possibly harmful navigations are prevented. The Inte
is about to occur. If you disable this policy setting, the possibly harmful navigations are prevented. The Interne
able this policy, Tablet PC users can report handwriting recognition errors to Microsoft. If you do not configure t
able this policy, Tablet PC users can report handwriting recognition errors to Microsoft. If you do not configure t
his policy in the domain. If you disable or do not configure this policy setting, the domain controller does not su
licy setting, the domain controller does not provide information about previous logons unless the "Display inform
y should be applied to all domain controllers to ensure consistent application of this policy in the domain. If you
onfigure this policy setting, the KDC will not search the listed forests to resolve the SPN. If the KDC is unable to r
seful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SS
ation, devices that support compound authentication always send a compound authentication request. If you d
column, type a realm name. In the Value column, type the list of DNS host names and DNS suffixes using the ap
Contents dialog box in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value co
s client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not esta
ication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. Note: Th
ring. If you disable or do not configure this policy setting, the client devices will not request claims, provide info
eros client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth
unning as identities different from LocalSystem or NetworkService might fail to authenticate. If you disable or d
ed value, or the locally allowed maximum value, whichever is smaller. If you disable or do not configure this po
pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column
rectory account will be configured for compound authentication by the following options: Never: Compound aut
not support computer account authentication using certificates then authentication with password will be attem
s in the edit box, one cipher suite per line, in order from most to least preferred, with the most preferred cipher
servers are domain members but you do not want to enable BranchCache on all file servers, you can specify N
mer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authenticat
ace that's connected to a managed network. On the other hand, if a network interface is connected to an unman
n while in domain" option to allow the Responder to operate on a network interface that's connected to a manag
r the network becomes available. Note that because this is a background refresh, extensions such as Software
ored if the ""Remove Boot/Shutdown/Logon/Logoff status messages"" policy setting is enabled.
is setting applies only to Windows 2000 Professional. It does not affect the ""Configure Your Server on a Window
is setting applies only to Windows 2000 Professional. It does not affect the ""Configure Your Server on a Window
able or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list
able or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list
ears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the po
ears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the po
the three locations.
pe the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path
pe the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path
matically fill in forms while using Microsoft Edge.
matically fill in forms while using Microsoft Edge.
send Do Not Track requests to websites asking for tracking info.

send Do Not Track requests to websites asking for tracking info.
t in the Favorites hub.
t in the Favorites hub.
in App settings.
in App settings.
ggestions appear in the Address bar of Microsoft Edge.

ggestions appear in the Address bar of Microsoft Edge.
o use SmartScreen Filter.
o use SmartScreen Filter.
ight experience compatibility problems while using legacy apps.
ight experience compatibility problems while using legacy apps.
e this setting. If this setting is not configured (or disabled), this snap-in is prohibited. -- If "Restrict users to the e
les, such as those on the Administrative Tools menu in Windows 2000 Server family or Windows Server 2003 fam
u disable this setting or do not configure it, all snap-ins are permitted, except those that you explicitly prohibit.
s policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" se
the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this tab
mage. Note: Users will be able to customize their system settings for presentations in Windows Mobility Center
mage. Note: Users will be able to customize their system settings for presentations in Windows Mobility Center
ontrol Panel will apply.
dom delay will be applied to Automatic Maintenance.
configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance
akes effect only if the diagnostics-wide scenario execution policy is not configured. No reboots or service restar
ooting, MSDT prompts the user to download additional tools to diagnose problems on remote computers only. I
the support provider. If you do not configure this policy setting, MSDT support mode is enabled by default. No
such as specifying the directory to which files are installed. If Windows Installer detects that an installation pac
ect installations that run in the user's security context. Also, see the "Remove browse dialog box for new source
apply patches during installations with elevated privileges, such as installations offered on the desktop or displa
ity context. If you disable or do not configure this policy setting, by default, users can install programs from rem
at the user might not have permission to view or change, including directories on highly restricted computers. If
at the user might not have permission to view or change, including directories on highly restricted computers. If
line cache size to 0, the Windows Installer will stop populating the baseline cache for new updates. The existing
the new GUID appears as a new component. (2) Add a new feature to the top or middle of an existing feature tr
ools to distribute programs to their employees. However, because this policy setting can pose a security risk, it
in their own security context, but only system administrators can use removable media when an installation is
his policy setting, by default, users who are not system administrators cannot apply patches to installations that
tion is possible. If so, the patch will be applied using a minimal set of processing.
sers without administrative privileges can install non-administrator updates.
that is no longer applicable to the product. If you disable or do not configure this policy setting, a user can remo
ete. This policy setting is designed to reduce the amount of temporary disk space required to install programs.
ete. This policy setting is designed to reduce the amount of temporary disk space required to install programs.
hen possible. -- The "Restart Manager Off" option turns off Restart Manager for file in use detection and the leg
product. If you enable this policy setting and "Hide User Installs" is selected, the installer ignores per-user app
able or do not configure this policy setting, the Browse button is enabled when an installation is running in the u
ing the same computer or be connected to the original or identical media to reinstall, remove, or repair the inst
; -- "m" represents media; -- "u" represents URL, or the Internet. To exclude a file source, omit or delete the
s from the box. If you disable or do not configure this policy setting, Windows Installer logs the default event ty
tes a System Restore checkpoint each time an application is installed, so that users can restore their computer t
kages that include the MsiLogging property. -- The "Logging via package settings off" option turns off the autom
000 Professional, Windows XP Professional and Windows Vista when the policy is not configured. -- The "For no
en corruption is determined and will suggest the application that should be re-installed. This behavior is recomm
use FQDNs instead of IPv6 addresses wherever possible. Important At least one of the entries must be a PING:
e intranet tunnel. You should configure one endpoint for each tunnel. Each entry consists of the text PING: follo
Note that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across th
ndows NT 4.0 will not be able to establish a connection to this domain controller. If you enable this policy setti
o verify a password with the PDC emulator if the DC fails to validate the password. If you disable this policy sett
o reduce the attack surface on a DC, and can be used in an environment without WINS, in an IPv6-only environm
C. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-spec
introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt
can return IPv4/IPv6 DC address. But if some applications are broken due to the returned IPv6 DC address, this p
ss to files on the share when exclusive access is requested and the caller has only read permission. By default,
he Priority in the DC Locator DNS SRV resource records, click Enabled, and then enter a value. The range of valu
DC is separated from a trusted domain by an expensive (e.g., ISDN) line, this parameter might be adjusted upw
n the share when exclusive access is requested and the caller has only read permission. By default, the SYSVO
h the DNS client randomly selects the target host to be contacted is proportional to the Weight field value in the
le values for this setting result in the following behaviors: 0 - DCs will never perform address lookups. 1 - DCs
Site SRV _ldap._tcp.<SiteName>._sites.<DnsDomainName> Pdc SRV _ldap._tcp.pdc._msdcs.<Dn
DNS resource records. If you do not configure this policy setting, it is not applied to any DCs, and DCs use thei
efault behavior occurs as described above. If you disable this policy setting or do not configure it, the default be
he default behavior occurs as indicated above.
, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small,
mum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infini
hanged. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistrati
to any computers, and computers use their local configuration.
y partition DC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon
DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure
r site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two site
here no DC for the same domain, or no Global Catalog for the same forest, exists. If you disable this policy settin
less the AllowSingleLabelDnsDomain policy setting is enabled. If you enable this policy setting, when the Allow
to locate a domain controller hosting an Active Directory domain specified with a single-label name using DNS n
mum DC discovery retry interval policy setting is used. The default value for this setting is to not quit retrying (0
s setting is less than the value specified in the NegativeCachePeriod subkey, the value in the NegativeCachePer
es (60*60). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for t
this setting is to always refresh (0).
g DCs at a higher frequency. Enabling this setting may result in additional network traffic and increased load on
appears when any user right-clicks the icon for a remote access connection. Also, when any user selects the co
nnection. If you disable this setting (and enable the "Enable Network Connections settings for Administrators" s
able and Disable menu items are disabled for all users (including administrators). Important: If the "Enable Netw
ministrators only. If you do not configure the setting, only Administrators and Network Configuration Operators
oes not apply to Administrators. Note: When the "Ability to rename LAN connections or remote access connectio
figuration Operators). Important: If the "Enable Network Connections settings for Administrators" is disabled or
ators. If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have t
k Connections settings for Administrators" is disabled or not configured, this setting will not apply to administra
ardless of the "Enable Network Connections settings for Administrators" setting. Important: If the "Enable Netwo
settings for Administrators" is disabled or not configured, this setting does not apply to administrators on post-
le Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to a
figured, this setting will not apply to administrators on post-Windows 2000 computers. If you disable this settin
ork Connections settings for Administrators" is disabled or not configured, this setting will not apply to administr
tions settings for Administrators" is disabled or not configured, this setting will not apply to administrators on p
enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Prope
computers. If you disable this setting or do not configure it, the Connect and Disconnect options for remote acc
t configured, this setting will not apply to administrators on post-Windows 2000 computers. If you disable this s
pply to administrators on post-Windows 2000 computers. If you disable this setting or do not configure it, the Pr
o connect two or more network segements together. This connection appears in the Network Connections folder
ions settings for Administrators" is disabled or not configured, this setting will not apply to administrators on po
for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2
one it was connected to when the setting was refreshed, this setting does not apply. The Internet Connection F
on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is remov
sabled in the context menu for the connection and on the File menu in the Network Connections folder. Users ca
ote client computer running DirectAccess and the Internet is routed through the internal network. If you disable
r with information on how the problem can be resolved. If you enable this policy setting, this condition will not
proxies. By default, any proxies configured with this setting are merged with proxies that are auto-discovered. T
and configures them as Internet nodes. This setting should NOT be used to configure Internet proxies. Examp
resses configured with this policy setting are merged with the hosts that are declared as private through automa
ally discover your proxy server addresses. For more information see: http://go.microsoft.com/fwlink/p/?LinkId=2
solation attempts to automatically discover your private network hosts in the domain corporate environment.
erver is inaccessible. -- "Never go offline" indicates that network files are not available while the server is inacc
erver is inaccessible. -- "Never go offline" indicates that network files are not available while the server is inacc
Windows Server, unless changed by the user. Note: Changes to this policy setting do not take effect until the a
o local files since the last synchronization are lost.
settings. Use 'Blockout Start Time' and 'Blockout Duration' to set a period of time where background sync is dis
If this setting is disabled or not configured, the default threshold value of 64,000 bps is used to determine if a n
f the network throughput between the client and the server is below (slower than) the Throughput threshold pa
the disk space available for files that user's make available offline manually. If you enable this setting, you can
ork is roaming, near, or over the plan's data limit. The network folder must also be in "slow-link" mode, as speci
the version on the server, and the most current version from the server is always available for subsequent read
annot unencrypt Offline Files through the user interface. If you disable this policy setting, all files in the Offline
, each level includes the events in all preceding levels. "0" records an error when the offline storage cache is co
, each level includes the events in all preceding levels. "0" records an error when the offline storage cache is co
made available offline." This setting is designed to protect files that cannot be separated, such as database com
uration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the
uration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the
s that files are complete, but does not ensure that they are current. If you do not configure this setting, the sys
s that files are complete, but does not ensure that they are current. If you do not configure this setting, the sys
his setting is disabled and Synchronization Manager is configured for logon synchronization, the system perform
his setting is disabled and Synchronization Manager is configured for logon synchronization, the system perform
suspended. Note: If the computer is suspended by closing the display on a portable computer, files are not syn
suspended. Note: If the computer is suspended by closing the display on a portable computer, files are not syn
vents users from hiding them. If this setting is not configured, reminder balloons are displayed by default when
vents users from hiding them. If this setting is not configured, reminder balloons are displayed by default when
d. If set to 0, the validation will be performed.

okups. If you disable or do not configure this policy setting, this computer can publish PNRP names and help oth
applications at home as well. Here are the four ways in which you can use this setting to control the seed serve
ou enable this setting and you dont enter any address, no seed server will be used. If this setting is not configu
ilable field. If you enable this setting and you dont enter any address, no seed server will be used. If this settin
ulticast for bootstrapping. Specifying this registry key will break scenarios where there is no seed server for boo
multicast for bootstrapping. Specifying this registry key will break scenarios where there is no seed server for b
multicast for bootstrapping. Specifying this registry key will break scenarios where there is no seed server for b
other nodes. PNRP creates a global cloud if the computer has a global IPv6 address, but creates a site-local clou
than or equal to 4. NOTE: If the above specified conditions for the minimum PIN length are not met, default va
than or equal to 4. NOTE: If the above specified conditions for the minimum PIN length are not met, default va
or all account types.

ot provision Microsoft Passport for Work for any user.
or do not configure this policy setting, Remote Passport will be disabled, preventing the use of a phone as a com
g, the PCA does not detect compatibility issues for applications and drivers. If you do not configure this policy s
ns, clients do not cache content until the network latency reaches the specified value; when network latency is
lect from the following versions." If you do not configure this setting, all clients will use the version of BranchCa
ames of the hosted cache servers in the branch office. If you enable this policy setting and specify valid compu
figuration or BranchCache configuration by other group policies. If you enable this policy setting in addition to th
umstance where client computers are domain members but you do not want to configure a BranchCache client c
cy configuration Select one of the following: - Not Configured. With this selection, BranchCache settings are no
, the client can upload the content to the hosted cache server for access by other hosted cache clients at the br
e settings are not applied to client computers by this policy. In the circumstance where client computers are do
h this selection, BranchCache settings are not applied to client computers by this policy. In the circumstance whe
nd resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted re
shooting and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user
ection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and
leshooting and resolution, the DPS will detect Windows System Responsiveness problems and indicate to the us
) or InitiateSystemShutdown(). If you enable this policy setting, the computer system safely shuts down and re
policy setting, users can see and change this setting.
e "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
nt enabling lock screen slide show" policy setting can be used to disable the slide show feature.
nt enabling lock screen slide show" policy setting can be used to disable the slide show feature.
g. If the user has configured a slide show to run on the lock screen when the machine is locked, this can preven
g. If the user has configured a slide show to run on the lock screen when the machine is locked, this can preven
or do not configure this policy setting, users can control this setting.
creen slide show" policy setting can be used to disable the slide show feature.
creen slide show" policy setting can be used to disable the slide show feature.
of the Update-Help cmdlet. Note: This policy setting exists under both Computer Configuration and User Config
of the Update-Help cmdlet. Note: This policy setting exists under both Computer Configuration and User Config
etting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to False. If t
etting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to False. If t
mand, script block, function, or script starts or stops. Enabling Invocation Logging generates a high volume of e
mand, script block, function, or script starts or stops. Enabling Invocation Logging generates a high volume of e
puter name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each W
puter name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each W
ow all scripts" policy setting allows all scripts to run. If you disable this policy setting, no scripts are allowed to r
ow all scripts" policy setting allows all scripts to run. If you disable this policy setting, no scripts are allowed to r
ell as previous versions corresponding to on-disk restore points. If you do not configure this policy setting, it is
ell as previous versions corresponding to on-disk restore points. If you do not configure this policy setting, it is
If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previo
If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previo
tempts to restore the file from the backup media. If you do not configure this policy setting, it is disabled by de
tempts to restore the file from the backup media. If you do not configure this policy setting, it is disabled by de
le from the file share. If you do not configure this policy setting, it is disabled by default. The Restore button is
le from the file share. If you do not configure this policy setting, it is disabled by default. The Restore button is
ects the server side of Internet printing only. It does not prevent the print client on the computer from printing a
printers: 0 Web Services printers: 0 Bluetooth printers: 10 Shared printers: 0 In order to view available Web S
ers: 10 Shared printers: 50 If you would like to not display printers of a certain type, enable this policy and set
ent machine, the client itself will process print jobs into printer device commands. These commands will then be
Internet browser and navigates to the specified URL address to display the available printers. This setting make
"Name" edit box, then Add Printer Wizard displays the list of shared printers on the network and invites to choos
he search. Type the location of the user's computer. When users search for printers, the system uses the specifi
ote: Web pages links only appear in the Printers folder when Web view is enabled. If Web view is disabled, the s
the installation of kernel-mode printer drivers will be blocked. If you enable this setting, installation of a printer
ed to run.
Other system or driver policy settings may alter the process in which a print driver is executed. -This policy set
o find a compatible driver, then the Point and Print connection will fail. This policy setting is not configured by d
r it. If you enable or do not configure this policy setting, then applications that are configured to support driver
river. Notes: -Other system or driver policy settings may alter the process in which a print driver is executed. -
ncluding attempts that are blocked by this policy. Administrators may need to set both policies to block all print
ncluding attempts that are blocked by this policy. Administrators may need to set both policies to block all print
er is not available on the client, no connection will be made. -You can configure Windows Vista clients so that se
er is not available on the client, no connection will be made. -You can configure Windows Vista clients so that se
without knowing the printer's location or location naming scheme. Enabling Location Tracking adds a Browse but
is setting does not prevent users from using the Add Hardware Wizard to add a printer. Nor does it prevent user
re announced to browse master servers only when Active Directory is not available. Note: A client license is use
the Active Directory".

when the computer does not respond. If you disable this setting, the domain controller does not prune this com
printers to be published" setting is disabled.
ct "Never" for the verification interval.
ed contact attempts before deleting printers from Active Directory. If you enable this setting, you can change th
However, you can adjust the priority to improve the performance of this service. Note: This setting is used only
ry) printer objects the computer has published. By default, the pruning service contacts computers every eight
mpt is retried; the default value is two retries. The "Directory Pruning Interval" setting determines the time inter
tact requests. Computers running Windows 2000 Professional detect and republish deleted printer objects when
a tool such as Windows Installer. Typically, system administrators publish programs to notify users of their avail
er tools and methods to install or uninstall programs.
s Marketplace.
d Defaults button is available to all users. This setting does not prevent users from using other tools and metho
nable or disable program components.
s from Windows Marketplace" task link will be available to all users. Note: If the "Hide Programs control Panel"
gured, the Programs Control Panel in Category View and Programs and Features in Classic View will be available
portant: If the DSCP value for this service type is specified in the registry for a particular network adapter, this se
0. Important: If the DSCP value for this service type is specified in the registry for a particular network adapter
particular network adapter, this setting is ignored when configuring that network adapter.
value of 24 (0x18). Important: If the DSCP value for this service type is specified in the registry for a particular
t DSCP value of 0. Important: If the DSCP value for this service type is specified in the registry for a particular n
he registry for a particular network adapter, this setting is ignored when configuring that network adapter.
0 (0x28). Important: If the DSCP value for this service type is specified in the registry for a particular network ad
ue of 0. Important: If the DSCP value for this service type is specified in the registry for a particular network ada
for a particular network adapter, this setting is ignored when configuring that network adapter.
g or do not configure it, then the setting has no effect on the system. Important: If the maximum number of out
the system uses the default value of 80 percent of the connection. Important: If a bandwidth limit is set for a p
P value of 48 (0x30). Important: If the DSCP value for this service type is specified in the registry for a particula
ult DSCP value of 0. Important: If the DSCP value for this service type is specified in the registry for a particular
the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
ar network adapter, this setting is ignored when configuring that network adapter.
mportant: If the DSCP value for this service type is specified in the registry for a particular network adapter, this
of 0. Important: If the DSCP value for this service type is specified in the registry for a particular network adapt
a particular network adapter, this setting is ignored when configuring that network adapter.
the registry for a particular network adapter, then this setting is ignored when configuring that network adapte
stem reliability information, and WMI-capable applications will be unable to access reliability information from th
n, troubleshooting and resolution, the DPS will detect Windows Resource Exhaustion problems and indicate to th
el) and will allow the user to restore the computer to the original state or from a user-created system image. Thi
ult behavior for the System State Data feature occurs. Note: By default, the System State Data feature is alway
Event Tracker is displayed when you shut down a computer running Windows Server. (See "Supported on" for su
corded. If you do not configure this policy setting, the Persistent System Timestamp is refreshed according the
ng" policy setting.
If you disable this policy setting, computers running this version and a previous version of the operating system
get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you enable t
use instant messaging programs to allow connections to this computer. If you do not configure this policy settin
that is seen by the novice. If you disable this policy setting, the user sees the default warning message. If you
n Windows Vista) -No full window drag -Turn off background If you enable this policy setting, bandwidth optim
BitLocker Drive Encryption\Removable Data Drives."
BitLocker Drive Encryption\Removable Data Drives."
NT4 Server. If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for cal
t use this flag and will encounter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained de
termine which systems maintain RPC state information. -- "None" indicates that the system does not maintain
de to indicate an error condition. If you do not configure this policy setting, it remains disabled. It will only gen
u disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and th
etting is only applicable when the RPC Client, the RPC Server and the RPC HTTP Proxy are all running Windows
scripts if NetBIOS or WINS is disabled, and the DNS suffixes are not configured.
ns are suppressed. Note: Starting with Windows Vista operating system, scripts that are configured to run asyn
isable or do not configure this policy setting, Windows 2000 displays login scripts written for Windows NT 4.0 an
synchronized and can run simultaneously. This policy setting appears in the Computer Configuration and User
synchronized and can run simultaneously. This policy setting appears in the Computer Configuration and User
e. Note: Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no
POs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. GPO B and GPO C include the following
icy setting is enabled in GPO A. GPO B and GPO C include the following user logon scripts: GPO B: B.cmd, B.ps1
icy setting is enabled in GPO A. GPO B and GPO C include the following user logon scripts: GPO B: B.cmd, B.ps1
system to wait for the set of scripts to finish. To direct the system to wait until the scripts have finished, no mat
s a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files.
oubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel
ble this policy setting, Windows will not be able to detect, troubleshoot or resolve problems on a scheduled basi
h.aspx?k=$w If your intranet search service is Windows SharePoint Services (WSS), the query should resemble
URL. If your intranet search service is SharePoint Portal Server, your query should resemble the following: http
By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disab
ng is set to treat words that differ only because of diacritics as the same word.
language detection only when it can determine the language of a document with high confidence.
please specify the file system path to be indexed under the "Computer Configuration" Group Policy.
file system path to be indexed under the "Computer Configuration" Group Policy.
ether or not Search can perform queries on the web, and if the web results are displayed in Search.
query in Search. If you don't configure this policy setting, a user can choose whether or not Search can perform
re cached locally. The default behavior for Search is to not index online delegate mailboxes. Disabling this policy
must disable both policies.
crosoft Exchange server can support. If you set this policy to not configured, then online mail items will be index
s well as any previously specified user locations will be visible.

om the index.
xing, please specify the file system path to be indexed under the "Computer Configuration" Group Policy. If you
ginal list is restored. If you want to specify an initial default list of excluded file types that users can change late
ch as {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} (include the braces) or a ProgID such as VisFilter.CFilter.1. If yo

e right of the Desktop Search results, and your users can choose the location of the preview pane
arch setting.
-Anonymous info: Share usage information but don't share search history, Microsoft account info or specific loca
ns nor the Security Center status section are displayed. Note that Security Center can only be turned off for com
ows Server 2008 and Windows Server 2008 R2), or the Refresh the data shown in Server Manager every [x] [m
window is displayed when an administrator logs on to the server. However, if an administrator selects the "Do n
ge, the page is not displayed.
and Windows Server 2008 R2) or Do not start Server Manager automatically at logon (Windows Server 2012) o
t box. Multiple locations can be specified when each path is separated by a semicolon. The network location ca
yncing of the "browser" group is on by default and configurable by the user.

by default and configurable by the user.
y default and configurable by the user.
cannot choose to share writing samples from the handwriting recognition personalization tool with Microsoft. If
cannot choose to share writing samples from the handwriting recognition personalization tool with Microsoft. If
ng is not configured.
s not configured by default. You must restart the computer for this policy setting to take effect.
used to create SMB shares on folders. If you disable or don't configure this policy setting, users can share files o
other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not pre
atch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote
by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not p
configure this policy setting, apps and features can work with OneDrive file storage.
onfigure this policy setting, users with a connected account will save documents to OneDrive by default.
ficates with an All Purpose EKU - Certificates with a Client Authentication EKU If you disable or do not configure
applications, such as document signing, are not affected by this policy setting. Note: If you use an ECDSA key t
an invalid time or their time validity has expired. If you disable or do not configure this policy setting, certificate
d domain will not be displayed.
e is enabled.
version and they are for the same user (determined by their UPN). If there are two or more of the "same" certi
e required behavior. If you enable this setting, then Windows will attempt to read all certificates from the smart
bs (WHQL) testing process.
re subject name will be displayed. This setting controls the appearance of that subject name and might need to
applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process.
ce is a managed network node that receives SNMP packets from the network. If you enable this policy setting, t
on. If you enable this policy setting, the SNMP agent only accepts requests from the list of permitted managers
ws the SNMP agent to notify management systems asynchronously. If you enable this policy setting, the SNMP s
s see a standard Access Denied message that doesn't provide any of the functionality controlled by this policy s
g, the Classification tab is displayed. If you disable or do not configure this policy setting, the Classification tab i
roperties is available for classification on the affected computers. If you disable or do not configure this policy s
ously. Enabling this setting adds a check box to the Run dialog box, giving users the option of running a 16-bit
rs can use the Display Logoff item to add and remove the Log Off item. This setting affects the Start menu only
en a user logs on, the Recent Items menu and the Jump Lists appear just as it did when the user logged off. No
his setting does not prevent new notifications from appearing. See the "Turn off Application Notifications" setting
m the context menu. The taskbar displays only the Start button, taskbar buttons, the notification area, and the
of programs in the Start Menu and Taskbar do not show lists of recently or frequently used files, folders, or web
ystem then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensiv
artition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a
displays the standard desktop icons. If you disable this setting, the Start menu only displays in the new style,
tting can make the Start menu slow to open.

notification area is shown in the user's taskbar. Note: Enabling this setting overrides the "Turn off notification ar
able in Taskbar properties. If you disable this setting or do not configure it, the user can configure the taskbar p
o disable grouping if they choose.
ch appears when you press CTRL+ALT+DELETE. If you disable or do not configure this policy setting, the Power
area. If you disable this setting or do not configure it, all pop-up text is displayed on the Start menu and in the n
If you disable or do not configure this policy setting, the Default Programs link is available from the Start menu.
setting, he Documents icon is available from the Start menu. Also, see the "Remove Documents icon on the de
and then, under Start menu items, click the Favorites menu. If you are using the classic Start menu, click Display
pdates to keep a users system up-to-date. The Windows Update Product Catalog determines any system files,
move the Log Off item. This policy setting affects the Start menu only. It does not affect the Log Off item on the W
action. If you disable or do not configure this policy setting, Network Connections is available from the Start Me
tart System. If you disable or do not configure this policy setting, the Control Panel, Printers, and Network and
menu appears in the Start Menu, the document shortcuts saved before the setting was enabled and while it was
extended keyboards will no longer be able to display the Run dialog box by pressing the Application key (the ke
y setting also prevents the user from using the F3 key. In File Explorer, the Search item still appears on the Stan
rver 2003.
etting hides all user-specific folders, not just those associated with redirected folders. If you enable this setting,
mplists in the taskbar to issue the "Run as different user" command.
open Start on other displays by pressing the Start button on that display. Also, the user will be able to configure
figure this setting.
esenting the layout you configured. Once the XML file is generated and moved to the desired file path, type the
esenting the layout you configured. Once the XML file is generated and moved to the desired file path, type the
Note: Personalized menus require user tracking. If you enable the "Turn off user tracking" setting, the system d
nt programs liist from the Start Menu" and "Turn off personalized menus". This policy setting does not prevent
n is also disabled. If you disable or do not configure this policy setting, users can perform System Restore and c
will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel O
will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel O
be able to configure this setting in the Input Panel Options dialog box. If you disable this policy, Input Panel will
be able to configure this setting in the Input Panel Options dialog box. If you disable this policy, Input Panel will
re this setting in the Input Panel Options dialog box. If you disable this policy, Input Panel will appear next to te
re this setting in the Input Panel Options dialog box. If you disable this policy, Input Panel will appear next to te
handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. If you enable this
screen. Users will not be able to configure this setting in the Input Panel Options dialog box. If you do not confi
screen. Users will not be able to configure this setting in the Input Panel Options dialog box. If you do not confi
, application auto complete lists will appear next to Input Panel in applications where the functionality is availab
, application auto complete lists will appear next to Input Panel in applications where the functionality is availab
eyboard shortcuts. If you enable this policy and choose Low from the drop-down box, password security is set
and choose All from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will no
and choose All from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will no
. Conceptually this policy is a subset of the Disable pen flicks policy. If you disable or do not configure this polic
. Conceptually this policy is a subset of the Disable pen flicks policy. If you disable or do not configure this polic
present in this menu.
d to the Taskbar.
network from remote computers are not tracked or shown in the Jump Lists. Use this setting to reduce network
ng, Notification and Security and Maintenance will be displayed on the taskbar. A reboot is required for this poli
s of its schedule, idle time and power management settings, and its security context. Beginning users will ofte
s of its schedule, idle time and power management settings, and its security context. Beginning users will ofte
me and power management settings, and its security context. Note: This setting appears in the Computer Confi
me and power management settings, and its security context. Note: This setting appears in the Computer Confi
s only the tasks that appear on the Start menu and its submenus. Once a task is created, users cannot change t
s only the tasks that appear on the Start menu and its submenus. Once a task is created, users cannot change t
her methods to create new tasks, and it does not prevent users from deleting tasks. Note: This setting appears
her methods to create new tasks, and it does not prevent users from deleting tasks. Note: This setting appears
not prevent administrators of a computer from using At.exe to create new tasks or prevent administrators from
ce over the setting in User Configuration. Important: This setting does not prevent administrators of a compute
ce over the setting in User Configuration. Important: This setting does not prevent administrators of a compute
y setting, you can configure 6to4 with one of the following settings: Policy Default State: 6to4 is enabled if the h
te: The IP-HTTPS interface is always present, even if the host has other connectivity options. Policy Disabled St
ATAP router name is resolved successfully, the host will have ISATAP configured with a link-local address and an
ucceeds.
he port mapping in the Teredo client's NAT device, Teredo might stop working or connectivity might be intermitt
host is not on a network that includes a domain controller. Enterprise Client: The Teredo interface is always pres
ate measures. If you disable this policy setting, Window Scaling Heuristics will be disabled and system will not
unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RD
unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RD
[RDC] client without specifying an .rdp file). If you enable or do not configure this policy setting, users can run
nection [RDC] client without specifying an .rdp file). If you enable or do not configure this policy setting, users c
d by using the videoplayback setting in a Remote Desktop Protocol (.rdp) file. By default, video playback is enab
ter running Windows Server 2008 R2. Audio recording redirection is allowed by default when connecting to a co
B devices are not available for RDP redirection by using any user account. For this change to take effect, you mu
ormation and the session time zone is the same as the server time zone. Note: Time zone redirection is possible
accept any new incoming connections. If you do not configure this policy setting, Remote Desktop Services use
utomatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connectio
ed. If the status is set to Not Configured, automatic reconnection is not specified at the Group Policy level. How
network bandwidth, this option uses less network bandwidth, but is more memory-intensive. Additionally, a thir
U enabled, the policy has to be set on the Hyper-V host machine. If you set the encoding option to Attempt on
enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism
session might be established (if the RD Session Host server is configured to allow multiple sessions), and the or
Broker. If you specify an existing farm name, the server joins that farm in RD Connection Broker. If you enable
n name (FQDN). In Windows Server 2012, for a high availability setup with multiple RD Connection Broker serve
tions and RDP 7.1. When deployed on an RD Session Host server, RemoteFX delivers a rich user experience by
sage If you disable or do not configure this policy setting, the RemoteFX experience will change dynamically ba
ssion Host server. If the RD Session Host server can be authenticated, the client establishes a connection to the
ure this policy setting, logging off the connected administrator is allowed. Note: The console session is also kno
sions. If you disable this policy setting, users can redirect print jobs with client printer mapping. If you do not c
Remote Desktop Services always allows Clipboard redirection. If you do not configure this policy setting, Clipbo
u disable this policy setting, Remote Desktop Services always allows COM port redirection. If you do not config
vices sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, W
the Remote Desktop client will use hardware accelerated decoding if supported hardware is available.
e security descriptors are read-only. If you disable or do not configure this policy setting, server administrators
ting, LPT port redirection is always allowed. If you do not configure this policy setting, LPT port redirection is no
Desktop Connection
using Remote Desktop Connection.
osoft Windows 2000 Server or at least Microsoft Windows XP Professional and the target server must be joined t
Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer.
licy setting, temporary folders are deleted when a user logs off, even if the server administrator specifies other
the RD Session Host server automatically maps the client default printer and sets it as the default printer upon
named with the sessionid. If you enable this policy setting, per-session temporary folders are not created. Instea
tting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users c
n client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec.If you disable or do not co
e the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but
e the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but
play wallpaper by default to Remote Desktop Services sessions. If the status is set to Enabled, wallpaper never
st server will expire. If you enable this policy setting, these notifications will not be displayed on the RD Session
ker farm name policy setting. The farm exists on the RD Connection Broker server that is specified in the Config
se server, the license server will only respond to RDS CAL requests from RD Session Host servers whose compu
ompression and with minimum latency as determined by the codec that is being used. If you select Dynamic, th
onnection is determined by the color support available on the client computer. If you select Client Compatible, th
e Desktop Services session. If you disable or do not configure this policy setting, the maximum resolution that
ession Host servers allow an unlimited number of Remote Desktop Services sessions, and Remote Desktop for A
nfigure this policy setting, the number of monitors that can be used to display a Remote Desktop Services sess
aximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how of
Services sessions. You can select either Rich multimedia or Text. If you disable or do not configure this policy se
mount of image compression that is performed). If you have a higher than average bandwidth network, you can
nning Windows Server 2008, and will try to issue a Windows Server 2003 TS CAL for clients connecting to a term
ble this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user i
rom the list in the Shut Down Windows dialog box. Note: This policy setting affects only the Shut Down Window
ed or Not Configured, Windows Security remains in the Settings menu.
Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communica
d that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authent
Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner
ing Remote Desktop Services. If you do not configure this policy setting, this policy setting is not specified at t
Continuous Network Detect, Remote Desktop Protocol will not try to adapt the remote user experience to varying
se only TCP," all of the RDP traffic will use TCP. If you disable or do not configure this policy setting, RDP will cho
cified certificate template will be considered when a certificate to authenticate the RD Session Host server is au
ing remote connections must use the encryption method specified in this setting. By default, the encryption lev
emote Desktop Services uses the specified path as the root directory for all user profiles. The profiles are conta
select the "Allow users to change this setting" check box. When you do this, users can specify an alternate auth
cation method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an au
ed. If you choose to keep the home directory on the local computer, type the Home Dir Root Path in the form "D
to interact with the session, without the user's consent. 4. View Session with user's permission: Allows the adm
to interact with the session, without the user's consent. 4. View Session with user's permission: Allows the adm
evice CAL. If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by
o press a key or move the mouse to keep the session active. If you have a console session, idle session time lim
o press a key or move the mouse to keep the session active. If you have a console session, idle session time lim
e open files and close programs. If you have a console session, active session time limits do not apply. If you dis
e open files and close programs. If you have a console session, active session time limits do not apply. If you dis
vely connected. By default, these disconnected sessions are maintained for an unlimited time on the server. If
vely connected. By default, these disconnected sessions are maintained for an unlimited time on the server. If
setting, the specified URL is configured as the default connection URL for the user and replaces any existing con
e is not found, the client's printer is not available. You can choose to change this default behavior. The available
en click the Thumbprint field. If you disable or do not configure this policy setting, no publisher is treated as a t
ministrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the progra
ministrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the progra
mote Desktop Session Host servers. If you disable or do not configure this policy setting, the Start screen is show
m this RD Session Host server will not use these advanced graphics. You may want to choose this option if you d
he IP address of the RD Session Host server where their session exists. To use this redirection method, client com
is policy setting, mandatory user profiles are not used by users connecting remotely to the RD Session Host ser
not have a printer driver that matches the client printer, the client printer is not available for the Remote Desk
not have a printer driver that matches the client printer, the client printer is not available for the Remote Desk
sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all othe
contact a license server in the following order: 1. Remote Desktop license servers that are published in Active
nks, and increase the load on the remote computer. If you enable this policy setting, desktop composition will b
e Collection properties sheet by using Server Manager. By default, only programs in the RemoteApp Programs l
zone information and the session time zone is the same as the server time zone. Note: Time zone redirection i
cy setting overrides any initial program policy settings. If you disable or do not configure this policy setting, an
Remote Desktop Services always allows Clipboard redirection. If you do not configure this policy setting, Clipbo
By default, font smoothing is allowed for remote connections. You can configure font smoothing on the Experie
figure this policy setting, Windows Vista displays wallpaper to remote clients connecting through Remote Deskto
off. A network adapter must be configured for Remote Desktop IP Virtualization to work.
ain in a disconnected state until the time limit that you specify is reached. When the time limit specified is reac
ain in a disconnected state until the time limit that you specify is reached. When the time limit specified is reac
tibility is turned on, and multiple per user application installation requests are queued and handled by the msie
f you disable or do not configure this policy setting, Remote Desktop IP Virtualization is turned off.
ng session are redirected to the RD Session Host server where their session exists. If you disable this policy set
re this setting, touch input is on by default. Note: Changes to this setting will not take effect until the user logs
take effect until the user logs off.

take effect until the user logs off.
PM administrative delegation blob plus the TPM user delegation blob, or none. If you enable this policy setting,
msc" and navigate to the "Command Management" section. If you disable or do not configure this policy setting
nd making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outs
PM commands is pre-configured by Windows. See the related policy setting to configure the Group Policy list of
ws the speed standard users can send commands requiring authorization to the TPM. An authorization failure oc
because it slows the speed standard users can send commands requiring authorization to the TPM. An authoriz
e administrators group. By configuring this policy setting, you can alter this behavior. If you enable this policy s
hare). %HOMEPATH% stores the remainder of the fully qualified path to the home directory (such as \dir1\dir2\h
user profiles are slow to load. If you enable this policy setting, you can change how long Windows waits for a re
ming user profile is slow to load. If you enable this policy setting, any local copies of the user's roaming profile a
r Profile Service will not automatically delete any profiles on the next system restart.
connections to user profiles, and it ignores the policy settings that tell the system how to respond to a slow conn
trators group. No checks are made for the correct permissions if the profile folder already exists. For Windows Se
forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user
ff if their profile cannot be loaded. If you disable this policy setting or do not configure it, Windows logs on the u
attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires th
les are newer than their server-based profiles. If you enable this policy setting, you can override the amount of
Data\Roaming folder rather than all of the AppData\Roaming folder to the exclusion list. By default, the Appdat
policy at logon increasing logon time. You can use this policy setting to change this behavior. If you enable this
ne whether users are notified when the profile exceeds the permitted maximum size. -- Specify a customized m
her program or service is reading or editing the registry, the system cannot unload it. The system tries repeated
you can prevent users configured to use roaming profiles from receiving their profile on a specific computer. If
e profile. Using this policy setting, you can prevent changes made to a roaming profile on a particular compute
ed. The user then is able to choose to download the remote copy of the user profile. In Microsoft Windows Vista,
able). If you enable this policy setting, Windows waits for the network to become available up to the maximum
this policy. You need to ensure that you have set the appropriate security on the folder to allow all users to acce
nce set, Windows uploads the profile's registry file at the specified interval after the user logs on. For example,
choose the drive letter to assign to the file share. If you choose On the local computer, enter a local path (for
logged on. If you disable or do not configure this policy setting, the paths specified in this policy setting will be
capability will also be able to retrieve the user's UPN, SIP/URI, and DNS. "Always off" - users will not be able to
file to load, even when loading is slow. If you disable this policy setting or do not configure it, when a remote p
XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-prot
or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to Bi
s perform a system check during BitLocker setup. If you disable or do not configure this policy setting, enhance
ter, both the computer and the BitLocker Drive Encryption Network Unlock server must be provisioned with a Ne
tegrity if the platform is capable of Secure Boot-based integrity validation. If you disable this policy setting, Bit
lude the target computer's environment variables in the path. If the path is not valid, the BitLocker setup wizard
ystem drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CB
enable this policy setting you will be able to choose an encryption algorithm and key cipher strength for BitLock
ows Vista, Windows Server 2008 R2, or Windows 7. If you enable this policy setting you will be able to choose a
oup Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more inform
Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deploymen
he Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for
ash drive containing a 256-bit recovery key. If you enable this policy setting, you can configure the options that
nd 20 digits.
lect the "Use default recovery message and URL" option. If you select the "Use custom recovery message" opti
any of these components change while BitLocker protection is in effect, the TPM will not release the encryption k
ware configuration store different values into the Platform Configuration Registers (PCRs). Use the "Configure T
alues into the Platform Configuration Registers (PCRs). Use the "Configure TPM platform validation profile for BIO
on on computers that do not support hardware-based encryption and whether you want to restrict the encryptio
ncryption on computers that do not support hardware-based encryption and whether you want to restrict the en
cryption on computers that do not support hardware-based encryption and whether you want to restrict the enc
unt Policies\Password Policy\ must be also enabled. Note: These settings are enforced when turning on BitLocke
y Settings\Account Policies\Password Policy\ must be also enabled. Note: These settings are enforced when turn
e also enabled. Note: These settings are enforced when turning on BitLocker, not when unlocking a volume. Bit
a drive with any of the protectors available on the drive. If you disable this policy setting, users are not allowe
nlocking a drive with any of the protectors available on the drive. If you disable this policy setting, users are not
you disable or do not configure this policy setting, BitLocker secrets are removed from memory when the comp
the computer is restarted, the service will be started if it is set to Automatic startup. After the service has starte
setting, the antimalware service will not receive notifications to disable definitions.
sable or do not configure this setting, the check for definition updates will occur at a default frequency.
n will run at the frequency specified. If you disable or do not configure this setting, a scheduled full scan to com
gure this setting, a scheduled scan will run at a default frequency.
quick scan will run at a default time.
g, a scheduled full scan to complete remediation will run at a default time.
uled scan will run at a default time.
me of day specified. If you disable or do not configure this setting, the check for definition updates will occur at
his policy setting, Windows Defender automatically takes action on all detected threats after a nonconfigurable
here is no scheduled scan configured, there will be no catch-up scan run. If you disable or do not configure this
If there is no scheduled scan configured, there will be no catch-up scan run. If you disable or do not configure
ance. On a computer that is up-to-date with all the latest security updates, network protection will have no imp
scan history folder for the default number of days.

be disabled.
entry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. For sh

arch queries in this zone using Search Connectors. If you do not configure this policy setting, users can perform
arch queries in this zone using Search Connectors. If you do not configure this policy setting, users cannot perfo
ming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the
oaded unknown software Give user a warning before running downloaded unknown software Turn off Smart
{440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVideos. Note: Disabling a known folder can introduce app
or do not configure this policy setting, users can open Folder Options from the View tab on the ribbon.
gging on again using their administrator credentials. Many programs can be installed only by an administrator.
ncluding external resources, such as an Internet server. If you enable this policy setting, Windows only searches
utton is displayed for any standard Open dialog box. To see an example of the standard Open dialog box, start N
applies only to applications that are using the Windows XP common dialog box style. This policy setting does no
0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers
her methods, such as by typing the path to a directory on the drive in the Map Network Drive dialog box, in the R
the Start menu (Start, Programs, Administrative Tools, Computer Management), nor does it prevent users from
cently Changed, Attachments and Saved Searches. If you disable or do not configure this setting the default list
changes are made to the location of the default Library definition files.
changes are made to the location of the default Library definition files.
ppear in lists of network resources in File Explorer and Network Locations. This policy setting does not prevent u
m connecting to remote computers by other commonly used methods, such as by typing the share name in the R
or example, http://www.example.com/results.aspx?q={searchTerms}). You can add up to five additional links to
hConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location cont
ries, disable this setting or select the "Do not restrict drives" option from the drop-down list. Note: The icons rep
n dialog box. Note: This setting was documented incorrectly on the Explain tab in Group Policy for Windows 20
Ds using a CD writer.
olicy setting, the DFS tab is available.
configure this policy setting, the Search button is available from the File Explorer toolbar. This policy setting do
nfigure this policy setting, the Shared Documents folder is displayed in Web view and also in My Computer when
tting, users are allowed to turn on or off these minor system animations using the "Use transition effects for me
an administrator. This setting allows administrators who have logged on as regular users to install programs wi
If the group policy is not configured, disabled, or the client machine is not domain-joined, no default associatio
pes a property, values that match this property will be shown but no data will be saved in the registry or re-show
ndows. If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. I
ndows. If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. I
de when search results are returned * Disable ability to stack in the Context menu and Column headers * Exclu
the users ability to change these options. If you disable or not configure this policy, the default File Explorer be
emporary file is deleted. If you disable or do not configure this policy setting, Folder Redirection does not crea
s unlimited, select "4294967295" as the maximum amount of disk space. If you disable this policy setting or do
P. This setting delays each startup. If you disable or do not configure this policy setting, by default, files are sca
no exception for messages sent by computers that authenticate using IPsec. If you enable this policy setting an
this policy setting, you must specify which ICMP message types Windows Firewall allows this computer to send
this policy setting, you must specify which ICMP message types Windows Firewall allows this computer to send
annot clear it. If you disable this policy setting, Windows Firewall blocks these ports, which prevents this compu
annot clear it. If you disable this policy setting, Windows Firewall blocks these ports, which prevents this compu
ws SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open a
ws SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open a
tting, Windows Firewall blocks this port, which prevents this computer from receiving Remote Desktop requests.
tting, Windows Firewall blocks this port, which prevents this computer from receiving Remote Desktop requests.
mework" check box is selected and administrators cannot clear it. If you disable this policy setting, Windows Fire
mework" check box is selected and administrators cannot clear it. If you disable this policy setting, Windows Fire
nistrators to define a local port exceptions list. However, local administrators will still be allowed to create firew
nistrators to define a local port exceptions list. However, local administrators will still be allowed to create firew
es not allow administrators to define a local program exceptions list. However, local administrators will still be
es not allow administrators to define a local program exceptions list. However, local administrators will still be
irewall does not provide an option to log successful incoming messages. If you are configuring the log file name
irewall does not provide an option to log successful incoming messages. If you are configuring the log file name
e the syntax, click the Show button. In the Show Contents dialog box type a definition string that uses the synta
e the syntax, click the Show button. In the Show Contents dialog box type a definition string that uses the synta
asks Windows Firewall to open, even if that port is blocked by another policy setting, such as the "Windows Fire
asks Windows Firewall to open, even if that port is blocked by another policy setting, such as the "Windows Fire
ound the "Windows Firewall: Do not allow exceptions" policy setting by turning off the firewall. If you disable thi
ound the "Windows Firewall: Do not allow exceptions" policy setting by turning off the firewall. If you disable thi
tors cannot clear it. If you do not configure this policy setting, Windows Firewall behaves as if the policy setting
tors cannot clear it. If you do not configure this policy setting, Windows Firewall behaves as if the policy setting
rom the other computers and then blocks all later responses. Note: This policy setting has no effect if the unica
rom the other computers and then blocks all later responses. Note: This policy setting has no effect if the unica
nistrators can use the Windows Firewall component in Control Panel to turn Windows Firewall on or off, unless th
nistrators can use the Windows Firewall component in Control Panel to turn Windows Firewall on or off, unless th
y. Users are also able to protect music that they copy from a CD and play this protected content on their comput
The Allow screen saver during playback check box is cleared and is not available. If you do not configure this po
red if Autodetect or Browser is selected. The Configure button on the Network tab in the Player is not available
he Player is not available and the protocol cannot be configured. If the "Hide network tab" policy setting is also
Performance tab in the Player are not available. If you disable or do not configure this policy setting, users can
he Player is not available and the protocol cannot be configured. If the "Hide network tab" policy setting is also
the Set and Lock Skin policy is enabled, some options in the anchor window are not available.
ayer tab in the Player. If you do not configure this policy setting, and the "Set and lock skin" policy setting is en
previously. If you disable or do not configure this policy setting, the Privacy tab is not hidden, and users can con
group policies. If you disable or do not configure this policy setting, the dialog boxes are displayed when the us
disable or do not configure this policy setting, users can change the setting of the Retrieve media information fo
n change the setting for the Download codecs automatically check box.
n turn media sharing on or off.

the Player are not selected and are not available. If you disable or do not configure this policy setting, users ca
om the Internet.
not configure this policy setting, video smoothing occurs if necessary. Users can change the setting for the Use
the Player opens by using the Corporate skin. The only way to specify the Corporate skin is to leave the Skin bo
cify UDP ports, the Player uses default ports when using the UDP protocol. This policy setting also specifies that
takes precedence.
takes precedence.
an also configure this behavior on the Preferences tab on the Tools menu in the Windows Messenger user interfa
an also configure this behavior on the Preferences tab on the Tools menu in the Windows Messenger user interfa
ort for HTTP). If you disable or do not configure this policy setting, the WinRM service will not respond to reques
sable or do not configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword co
y request not containing a valid channel binding token is rejected. If HardeningLevel is set to Relaxed (default v
setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts
ue of 900000 or 15 min will be used.

figure this policy setting, the value 150 is used by default.
will not see a User Account Control window and do not need elevated permissions to install these updates, exce
rom an intranet Microsoft update service location must be signed by Microsoft. Note: Updates from a service ot
for scheduled automatic updates installations" policy is enabled, then this policy has no effect.
nterval. If the status is set to Disabled or Not Configured, Windows will check for available updates at the defau
be notified that updates are ready to be downloaded. After going to Windows Update, users can download and in
s no effect.
stall Updates and Shut Down' option will be the default option in the Shut Down Windows dialog box if updates a
stall Updates and Shut Down' option will be the default option in the Shut Down Windows dialog box if updates a
ntranet update service using the "Specify intranet Microsoft update service location" policy.
e Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Sta
e Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Sta
ecified. If the status is set to Disabled or Not Configured, no target group information will be sent to the intrane
automatically wake the system up to install the updates. Windows update will also wake the system up and ins
o take effect. If the status is set to Disabled or Not Configured, Automatic Updates will notify the user that the c
ts Device Manager from automatically installing driver updates from the Windows Update Web site. If enabled y
s disabled, this policy has no effect. This policy has no effect on Windows RT
tion will occur one minute after the computer is next started. Note: This policy applies only when Automatic Up
dates, and the server to which updated workstations upload statistics. You can set both values to be the same s
er when featured software is available. The user can click the notification to open the Windows Update Applicat
not configure it, Windows searches for updates and automatically downloads them. Note: Windows Update is a
ox. If the interface program file is not located in a folder specified in the Path environment variable for your sys
plications," both services and Ease of Access applications can simulate the SAS. If you disable or do not configu
ns since the last successful logon by that user. This message must be acknowledged by the user before the user
nfigure this setting, you might want to examine and appropriately configure the Set action to take when logon
this setting, the system will perform the action you specify when the users logon hours expire. If you disable o
onfigured for that user. If you disable this policy setting, the device does not store the user's credentials for aut
setting, these applications will be automatically terminated during shutdown, helping to ensure that Windows c
orks that the user's contacts have shared with them, and enables users on this device to share networks with th
constraints up to a certain data limit. - Variable: This connection is costed on a per byte basis. If this policy sett
g in User Configuration\Administrative Templates\Windows Components\WorkFolders. If the "Specify Work Folde
Force automatic setup" option specifies that Work Folders should be set up automatically without prompting use
ill be allowed during Quiet Hours by default. Adminstrators and users will be able to modify this setting.
olling APIs. If you enable this policy setting, notifications can still be raised by applications running on the mac
setting, Quiet Hours are enabled by default but can be turned off or by the administrator or user.
ministrator or user. No reboots or service restarts are required for this policy setting to take effect.
rtain data limit. - Variable: This connection is costed on a per byte basis. If this policy setting is disabled or is n
rtain data limit. - Variable: This connection is costed on a per byte basis. If this policy setting is disabled or is n
host URLs.
a certificate error but you want to trust it anyway you can select the certificate errors that you want to ignore.
es. Note: When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts
or remove program components. However, this setting blocks user access to the Windows Component Wizard.
ll" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is e
without having to search for installation files. If you enable this setting, users cannot tell which programs have
ods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults i
the other settings in this folder. This setting does not prevent users from using other tools and methods to insta
s Web page. If you disable this setting or do not configure it, the Support Info hyperlink appears. Note: Not all
ure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this se
ch faster, but overall resource usage on the system is increased. If the status is set to Enabled, the MS-DOS sub
applications from installing. (For Instance: This may result in a blue screen if an old anti-virus application is ins
eboot your machine.
o effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off.
seful for system administrators who require better performance and are already aware of application compatibil
be enabled.
do not configure this policy setting, the Switchback will be turned on. Please reboot the system after changing
Guests group If you enable this policy setting, Group Policy allows deployment operations (adding, registering, s
in the default desktop app for a file type.

in the default desktop app for a file type.
n URIs in the default desktop app for a URI scheme. Note: Enabling this policy setting does not block Windows S
n URIs in the default desktop app for a URI scheme. Note: Enabling this policy setting does not block Windows S
the file. Low Risk: If the attachment is in the list of low-risk file types, Windows will not prompt the user before
ndows marks file attachments with their zone information.
ng, Windows hides the check box and Unblock button.
of file types that pose a high risk. If you do not configure this policy setting, Windows uses its built-in list of hig
you do not configure this policy setting, Windows uses its default trust logic.
sable this policy setting, Windows uses its default trust logic. If you do not configure this policy setting, Window
all the registered antivirus programs when file attachments are opened. If you do not configure this policy setti
ompts than choosing the other options. If you enable this policy setting, you can choose the order in which Win
e included in Audit Process Creation events. Default: Not configured Note: When this policy setting is enabled,
d as a handler in the Autoplay dialog. If you enable this policy setting, an Administrator can change the default
d as a handler in the Autoplay dialog. If you enable this policy setting, an Administrator can change the default
-ROM and removable media drives, or disabled on all drives. This policy setting disables Autoplay on additional
-ROM and removable media drives, or disabled on all drives. This policy setting disables Autoplay on additional
e a password recovery disk; this will prevent data loss in the event that someone forgets their logon credentials.
indows-based computer. Note: Users who log on using biometrics should create a password recovery disk; this
policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. U
MB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use
oad peer-enabled BITS jobs from peer computers before reverting to the origin server. Note: This policy setting
effect if the "Allow BITS peer caching" setting is disabled or not configured.
as no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured.
efault size of the BITS peer cache is 1 percent of the total system disk size. Note: This policy setting has no effe
776,000 seconds) will be used.
value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occu
e for peer caching. If you enable this policy setting, you can enter a value in bits per second (bps) between 104
obs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setti
his limit.
cify that background jobs are by default to transfer only when on uncosted network connections, but foreground
can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a mai
ch of the three BITS background priority levels: high, normal, and low. You can specify a limit to use for backgro
is value if you are concerned about orphaned jobs occupying disk space. If you enable this policy setting, you c
owly. If you disable or do not configure this policy setting, the program continues without the registration. As a
owly. If you disable or do not configure this policy setting, the program continues without the registration. As a
setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in th
ts the action.
ntrol Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical
n saver timeout is set to a nonzero value through the setting or Control Panel. Also, see the "Prevent changing S
his setting is enabled and the file is not available at user logon, the default visual style is loaded. Note: When r
ot%\System32 directory, type the fully qualified path to the file. If the specified screen saver is not installed on
password protected, enable the "Enable Screen Saver" setting and specify a timeout via the "Screen Saver time
systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control P
e "Allow only bitmapped wallpaper" setting.
then that background takes precedence over this policy.
anel specifies a valid existing screen saver program on the client. When not configured, whatever wait time is s
rs on the system with no customization allowed. If you disable or do not configure this policy setting, users will
reensaver timeout will limit the allowable options the user may choose. If you disable or don't configure this p
do not configure this policy setting, the default logon domain is always set to the domain to which the compute
set of installed credential providers available for authentication purposes. If you disable or do not configure th
domain password will be cached in the system vault when using this feature.
g, delegation of default credentials is not permitted to any computer. Applications depending upon this delegati
server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represe
ssion Host running on any machine (TERMSRV/*). If you disable this policy setting, delegation of fresh credentia
hine (TERMSRV/*). If you disable this policy setting, delegation of fresh credentials is not permitted to any mach
emote Desktop Session Host running on any machine (TERMSRV/*). If you disable this policy setting, delegation
ning on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-j
o which the user credentials cannot be delegated. The use of a single wildcard character is permitted when spe
rver to which the user credentials cannot be delegated. The use of a single wildcard character is permitted whe
ents the target server to which the user credentials cannot be delegated. The use of a single wildcard character
gate credentials to remote computers. Note: To disable most credential delegation, it may be sufficient to deny
l button. The policy applies to all Windows components and applications that use the Windows system controls
l button. The policy applies to all Windows components and applications that use the Windows system controls
ssion, potentially allowing malicious code access to the users Windows credentials.
ing, users can access Task Manager to start and stop programs, monitor the performance of their computers, vi
emption list if the "Define Activation Security Check exemptions" policy is not configured.
a non-existent or improperly formatted appid DCOM will add it to the list without checking for errors. If you en
m the "Add" list are not removed from the desktop. They are simply not added again. Note: For this setting to ta
ayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper ima
d, and both these policies are ignored.
ed, and both of these policies are ignored.

ect in the directory, such as "Administrator." If the filter bar does not appear above the resulting display, on the
onsumes approximately 2 MB of memory or disk space. This setting is designed to protect the network and the
he Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to Computer, the fold
on to Windows 2000 Professional.
policy file. If using a signed and protected policy then disabling this policy setting doesn't remove the feature
e Integrity validation path is protected by the virtualization based security feature. Warning: All drivers on the s
g, members of the Administrators group are subject to all policy settings that restrict device installation.
on (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Pre
example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installatio
les. -- "Warn" notifies the user that files are not digitally signed and lets the user decide whether to stop or to
ystem restore point as it normally would.

ation of devices that match any of these device IDs," "Prevent installation of devices for these device classes," o
u disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented b
mote desktop server. If you disable or do not configure this policy setting, Windows can install and update devi
not have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting aff
ed on other criteria, such as version number or when the driver was created. If you disable this policy setting, d
o prevent searching Windows Update for drivers also see "Turn off Windows Update device driver searching" in A
ching only if needed is specified, then Windows will search for a driver only if a driver is not locally available on
the server used in the search for device drivers.
ministrator will be prompted for consent before going to Windows Update to search for device drivers.
ministrator will be prompted for consent before going to Windows Update to search for device drivers.
the default value of 15 minutes is applied.
policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. Whe
aults are still detected and logged, but no corrective action is taken. If you do not configure this policy setting, t
you do not configure this policy setting, the default behavior is observed and the NV cache is used for boot and
and will not enable NV cache power saving mode. If you disable this policy setting, the system will manage the
ved and frequently written files will be stored in the NV cache. Note: This policy setting is applicable only if the
ement" option on the Quota tab of NTFS volumes. Note: This policy setting turns on disk quota management bu
etting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though
not configure this policy setting, no events are recorded, but administrators can use the Quota tab option to cha
strators can use the Quota tab option to change the logging setting. This policy setting does not affect the Quot
for new users of this volume" section on the Quota tab. This policy setting applies to all new users as soon as t
esponse is returned to the client. If the query fails, the unqualified multi-label name is appended with DNS suffix
is policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured.
etting is enabled with a suffix of "microsoft.com." To use this policy setting, click Enabled, and then enter a strin
d. If you disable this policy setting, computers may not use dynamic DNS registration for any of their network c
e this policy setting, then DNS responses from networks lower in the binding order will be preferred over respon
local administrators, from changing the primary DNS suffix. If you disable this policy setting, or if you do not co
e state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of t
qualified domain name based on the state of the Append primary and connection specific DNS suffixes radio bu
r.microsoft.com. If you enable this policy setting, a computer will register A and PTR resource records with its c
ster: Computers will attempt to register PTR resource records even if registration of the corresponding A records
e zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. C
with an IP address different than the one currently in use by the client. By default, the DNS client attempts to re
the TTL is 1200 seconds (20 minutes).
s on the client computer. If you disable this policy setting, or you do not configure this policy setting, LLMNR wi
y NetBT queries if LLMNR queries fail. If you disable this policy setting, or if you do not configure this policy set
on non-domain networks. Note: This policy setting is applicable only if the turn off smart multi-homed name re
o not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unse
ing, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or to
0 // surrogate char 0x1000 // IVS char 0xFFFF // no definition. If you disable or do not configure this policy setti
g is applied to Japanese Microsoft IME and Simplified Chinese Microsoft Pinyin.
s policy setting is applied to Japanese Microsoft IME and Simplified Chinese Microsoft Pinyin.
boot without loading this driver. - Unknown: This driver has not been attested to by your malware detection ap
e this policy setting. If you enable this policy setting, the setting overrides any user changes made to Windows
figure this policy setting, no Windows Error Reporting information is stored.
figure this policy setting, no Windows Error Reporting information is stored.
m reports by using the Solutions to Problems page in Control Panel. The Maximum number of reports to queue s
m reports by using the Solutions to Problems page in Control Panel. If Queuing behavior is set to Always queue f
mpts the user for consent to send reports. - 2 (Send parameters): Windows Error Reporting automatically send
mpts the user for consent to send reports. - 2 (Send parameters): Windows Error Reporting automatically send
ported, regardless of the setting in the Default dropdown list. The Windows applications category is a subset of
Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Repo
Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Repo
do not have interactive users. If you do not configure this policy setting, users can change this setting in Contro
nt types.
nt types.
his policy setting, you can create a list of applications that are always included in error reporting. To add applica
ame, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setti
ame, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setti
e extension. Errors that are generated by applications in this list are not reported, even if the Default Application
r is running on battery power, but does not upload report data until the computer is connected to a more perma
r is running on battery power, but does not upload report data until the computer is connected to a more perma
e HTTP protocol, use port 5985. If you disable or do not configure this policy setting, the Event Collector compu
vents are discarded and the old events are retained.
icy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (
me tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy
nfigure this policy setting, components will not encrypt event log messages before writing them to the event log
lders to their actual file system profile folder at %userprofile%.

e option manually in the BIOS or other boot order configuration. If you do not configure this setting, users who a
s operation. Troubleshooting Only: Detection and troubleshooting of corrupted files will automatically start with
esourcesApp_m5g0r7arhahqy If you enable this policy setting, the application identified by the Package Famil
n all data volumes then short names will only be generated for files created on the system volume.
cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Alw
ability of the "Always available offline" menu option in the user interface. Note: The configuration of this policy
restore the server content to the new network location using a method that preserves the state of the files, incl
Server 2012 version of the Active Directory schema to function. If you enable this policy setting and the user h
Server 2012 version of the Active Directory schema to function. If you enable this policy setting and the user h
ows Server 2012 will use the standard English names for these subfolders when redirecting the Start Menu or le
ows Server 2012 will use the standard English names for these subfolders when redirecting the Start Menu or le
by the user. This is the default policy setting.

gnostics-wide scenario execution policy is not configured. This policy setting takes effect only when the Diagno
9. For example, the default value, 2029, specifies that all two-digit years less than or equal to 29 (00 to 29) are
make sure that the per-computer policy setting is not configured.
make sure that the per-computer policy setting is not configured.
etting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale
etting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale
hen the user can customize their user locale overrides. If this policy is set to Enabled at the computer level, the
hen the user can customize their user locale overrides. If this policy is set to Enabled at the computer level, the
ons. Note: Even if a user can see the Administrative options, other policies may prevent them from modifying th
ical location" option can prevent them from actually changing their current geographical location.
anguage, other policy settings can prevent them from changing their UI language.
selected user" policy setting. If you disable or do not configure this policy setting, the logged-on user can acces
ble this policy setting, administrators can select a system locale only from the specified system locale list. If yo
CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). If you enable this policy settin
CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). If you enable this policy settin
anguage users should use. To enable this policy setting in Windows Server 2003, Windows XP, or Windows 2000
eing enabled.
r example, proper names and acronyms). Deleting email content or the browser history does not delete the sto
r example, proper names and acronyms). Deleting email content or the browser history does not delete the sto
eir preference. Note that the availability and function of this setting is dependent on supported languages bein
on supported languages being enabled.
essage (1529) is posted. - Loopback Group Policy processing is applied, using the Group Policy Objects (GPOs)
you get the English ADM files as they were in the GPO. You can change this behavior by using this setting. If y
esult in shorter logon times. Group Policy will be applied in the background after the network becomes available
nnection. This policy setting allows the administrator the option to override the default to slow network connect
ow network connection" option updates the policies even when the update is being transmitted across a slow ne
on updates the policies even when the update is being transmitted across a slow network connection, such as a
hange the options. If you disable or do not configure this policy setting, it has no effect on the system. The "Allo
, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to dete
ve Directory Sites and Services snap-ins use. "Use any available domain controller" indicates that the Group Pol
u enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967
u enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967
m. The "Allow processing across a slow network connection" option updates the policies even when the update
Allow processing across a slow network connection" option updates the policies even when the update is being
will wait five minutes before running logon scripts.
cted policies in the background while the computer is in use. When background updates are disabled, policy ch
the update is being transmitted across a slow network connection, such as a telephone line. Updates across slo
he system from updating affected policies in the background while the computer is in use. When background up
ck boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect o
u enable this setting, you can select one of the following modes from the Mode box: "Replace" indicates that th
pdates the policies even when the update is being transmitted across a slow network connection, such as a tele
" option updates the policies even when the update is being transmitted across a slow network connection, such
effective until they are configured and tested, you must disable the object link.
soft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc Note:
soft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc Note:
und mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimat
ct Editor displays only true settings; preferences do not appear. If you disable or do not configure this policy se
nvoke a refresh of computer policy at any time, no matter how this policy setting is configured. Also, see the "S
the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with use
very short update intervals are not appropriate for most installations. If you disable or do not configure this set
date user Group Policy every 7 seconds. However, because updates might interfere with users' work and increas
time and override any default or system-computed wait time. If you disable or do not configure this policy sett
wait time for workplace connectivity, and overrides any default or system-computed wait time. If you disable or
es from copying to the GPO. Changing the status of this setting to Disabled will enforce the default behavior. Fi
If you make changes to this policy setting, you must restart your computer for it to take effect.
domain, it is strongly recommended that you only configure this policy setting in domain-based GPOs. This pol
, you can use the RSoP snap-in in the Microsoft Management Console (MMC).
connection" option updates preference items even when the update is transmitted across a slow network conne
uration tracing: To perform tracing for items in this preference extension listed under User Configuration, you m
work connection" option updates preference items even when the update is transmitted across a slow network c
nfiguration tracing: To perform tracing for items in this preference extension listed under User Configuration, you
ption updates preference items even when the update is transmitted across a slow network connection, such as
g: To perform tracing for items in this preference extension listed under User Configuration, you must provide a
onnection" option updates preference items even when the update is transmitted across a slow network connec
tion tracing: To perform tracing for items in this preference extension listed under User Configuration, you must
ross a slow network connection" option updates preference items even when the update is transmitted across a
guration tracing: To perform tracing for items in this preference extension listed under User Configuration, you m
ates preference items even when the update is transmitted across a slow network connection, such as a telepho
orm tracing for items in this preference extension listed under User Configuration, you must provide a path in th
le." Notes: 1. The "Allow processing across a slow network connection" option updates preference items even
Configuration tracing: To perform tracing for items in this preference extension listed under User Configuration,
ion updates preference items even when the update is transmitted across a slow network connection, such as a
To perform tracing for items in this preference extension listed under User Configuration, you must provide a p
option updates preference items even when the update is transmitted across a slow network connection, such a
: To perform tracing for items in this preference extension listed under User Configuration, you must provide a p
nnection" option updates preference items even when the update is transmitted across a slow network connect
ng: To perform tracing for items in this preference extension listed under User Configuration, you must provide a
e "Allow processing across a slow network connection" option updates preference items even when the update
xtension is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference exte
Notes: 1. The "Allow processing across a slow network connection" option updates preference items even whe
. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configu
ow network connection" option updates preference items even when the update is transmitted across a slow ne
ser Configuration tracing: To perform tracing for items in this preference extension listed under User Configurat
1. The "Allow processing across a slow network connection" option updates preference items even when the upd
Configuration tracing: To perform tracing for items in this preference extension listed under User Configuration,
y is "Idle." Notes: 1. The "Allow processing across a slow network connection" option updates preference items
g: To perform tracing for items in this preference extension listed under User Configuration, you must provide a
a slow network connection" option updates preference items even when the update is transmitted across a slow
1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configu
n" option updates preference items even when the update is transmitted across a slow network connection, such
ng: To perform tracing for items in this preference extension listed under User Configuration, you must provide a
otes: 1. The "Allow processing across a slow network connection" option updates preference items even when t
User Configuration tracing: To perform tracing for items in this preference extension listed under User Configur
option updates preference items even when the update is transmitted across a slow network connection, such
ing: To perform tracing for items in this preference extension listed under User Configuration, you must provide
on" option updates preference items even when the update is transmitted across a slow network connection, su
racing: To perform tracing for items in this preference extension listed under User Configuration, you must prov
nnection" option updates preference items even when the update is transmitted across a slow network connect
ion tracing: To perform tracing for items in this preference extension listed under User Configuration, you must
use of Applications snap-ins, and new Application preference items cannot be created.
cted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
etting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting for the Control Pane
rides the "Restrict users to the explicitly permitted list of snap-ins" policy setting for the Control Panel Settings
prohibit use of the preference extension. If you do not configure this policy setting, you permit use of the prefe
bit use of the preference extension. If you do not configure this policy setting, you permit use of the preference
ted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
icted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
u prohibit use of the preference extension. If you do not configure this policy setting, you permit use of the pref
by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
not configure this policy setting, you permit use of the preference extension unless restricted by the "Restrict us
tting, you prohibit use of the preference extension. If you do not configure this policy setting, you permit use of
you prohibit use of the preference extension. If you do not configure this policy setting, you permit use of the pr
stricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
u prohibit use of the preference extension. If you do not configure this policy setting, you permit use of the pref
. If you do not configure this policy setting, you permit use of the Preferences tab.
bit use of the preference extension. If you do not configure this policy setting, you permit use of the preference
not configure this policy setting, you permit use of the preference extension unless restricted by the "Restrict us
ou prohibit use of the preference extension. If you do not configure this policy setting, you permit use of the pr
configure this policy setting, you permit use of the preference extension unless restricted by the "Restrict users
d by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
gs synchronously. Note: This policy setting applies only to computers running Remote Desktop Services.
tings tab of the Policy Properties dialog box. Use a semicolon to separate folders. For example, to restrict the co
cy setting is available under Computer Configuration and User Configuration. If both are settings are used, any p
cy setting is available under Computer Configuration and User Configuration. If both are settings are used, any p
ting, DEP is turned on for HTML Help Executable. This provides an additional security benefit, but HTLM Help sto
WLAN hotspots are not probed for WISPr protocol support, and users can only authenticate with WLAN hotspots
n settings" section are set to not configured.
n settings" section are set to not configured.
the Windows Update website. If you disable or do not configure this policy setting, users can access the Window
ailable in the Open With dialog.
ailable in the Open With dialog.
y an untrusted root authority, your computer will not contact the Windows Update website to see if Microsoft has
activated and the text "More Information" is not displayed at the end of the description. If you disable or do not
users who do not have Internet access, because the content in the "Did you know?" section will remain static in
nowledge Base is searched if the user has a connection to the Internet and has not disabled the Knowledge Bas
y setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards.
y setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards.
the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers.

the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers.
mitting any personal information (except the country/region you live in).
c Search. Note: Internet searches still send the search text and information about the search to Microsoft and th
ger collects anonymous usage information, and the setting is not shown. If you do not configure this policy sett
ger collects anonymous usage information, and the setting is not shown. If you do not configure this policy sett
Customer Experience Improvement Program. If you disable this policy setting, all users are opted into the Wind
orting", "Display Error Notification" and "Disable Windows Error Reporting" policy settings under Computer Confi
you disable or do not configure this policy setting, NCSI runs one of the two active tests.
administrator is prompted before searching Windows Update for device drivers if a driver is not found locally. N
nstalled, as well as all the programs and applications that require IIS to run."
uses MSXML or ADO to access data from another site in the zone. If you do not configure this policy setting, use
template file. For information about creating this custom administrative template file, see the Internet Explorer
template file. For information about creating this custom administrative template file, see the Internet Explorer
rer. For each entry that you add to the list, enter the following information: Name of the Value - the CLSID (clas
rer. For each entry that you add to the list, enter the following information: Name of the Value - the CLSID (clas
e this policy setting, no behaviors will be allowed in zones set to 'admin-approved', just as if those zones were s
e this policy setting, no behaviors will be allowed in zones set to 'admin-approved', just as if those zones were s
settings.
settings.
ocesses. If you disable or do not configure this policy setting, Consistent Mime Handling is prevented for all pro
ocesses. If you disable or do not configure this policy setting, Consistent Mime Handling is prevented for all pro
any process other than Internet Explorer or those defined in a process list. If you disable or do not configure this
any process other than Internet Explorer or those defined in a process list. If you disable or do not configure this
not configure this policy setting, no policy is enforced for processes other than File Explorer and Internet Explore
not configure this policy setting, no policy is enforced for processes other than File Explorer and Internet Explore
Internet Explorer or those listed in the Process List.
Internet Explorer or those listed in the Process List.
he Process List receive no such protection.

he Process List receive no such protection.
stricted protocols; content over other protocols is unaffected. If you disable this policy setting, all attempts to ac
ed over any restricted protocols; content over other protocols is unaffected. If you disable this policy setting, all
ed over any restricted protocols; content over other protocols is unaffected. If you disable this policy setting, all
not configure this policy setting, binary and script behaviors are available.
not configure this policy setting, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors
not configure this policy setting, binary and script behaviors are not available unless applications have impleme
Delete Browsing History" policy setting is enabled, this policy setting has no effect.
Delete Browsing History" policy setting is enabled, this policy setting has no effect.
e automatically installed as necessary.
e automatically installed as necessary.
would be downloaded. If you do not configure this policy, users will be prompted when Web Components such
would be downloaded. If you do not configure this policy, users will be prompted when Web Components such
ot loaded inside Internet Explorer. The user cannot change this behavior. If you do not configure this policy setti
not loaded inside Internet Explorer. The user cannot change this behavior. If you do not configure this policy se
ure this policy setting, the user can decide whether to load XPS files inside Internet Explorer.
a page containing an active Meta Refresh setting can be redirected to another Web page.
a page containing an active Meta Refresh setting cannot be redirected to another Web page.
the Settings charm. If you don't configure this policy setting, users can change the Suggestions setting on the S
the Settings charm. If you don't configure this policy setting, users can change the Suggestions setting on the S
rity Restrictions feature control setting for the process. If you do not configure this policy setting, the possible h
rity Restrictions feature control setting for the process. If you do not configure this policy setting, Windows Rest
will not appear for graphical images while the images are downloading. The user cannot change this policy setti
hat are installed on the user's computer.
hat are installed on the user's computer.
nd animation cannot be played through older media players. If you do not configure this policy setting, video a
nt computers. Allow website database and caches on Website Data Settings will be available to users. Users can
nt computers. Allow website database and caches on Website Data Settings will be available to users. Users can
e on client computers. Allow website database and caches on Website Data Settings will be available to users. U
e on client computers. Allow website database and caches on Website Data Settings will be available to users. U
nPrivate Browsing mode is used. If you don't configure the policy setting, users can select the Always send Do
nPrivate Browsing mode is used. If you don't configure the policy setting, users can select the Always send Do
hen click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones
ontrol prompt.
ontrol prompt.
ontrol prompt.
ontrol prompt.
ontrol prompt.
ontrol prompt.
ontrol prompt.
ontrol prompt.
ontrol prompt.
ontrol prompt.
ontrol prompt.
ontrol prompt.
ontrol prompt.
ontrol prompt.
y activated in the browser. If you disable or do not configure this policy setting, newly installed add-ons are not
y activated in the browser. If you disable or do not configure this policy setting, newly installed add-ons are not
mpt users to install them. If you do not configure this policy setting, Internet Explorer does not check the Intern
mpt users to install them. If you do not configure this policy setting, Internet Explorer does not check the Intern
If you do not configure this policy setting, current values of the URL action for the application or process on the
If you do not configure this policy setting, current values of the URL action for the application or process on the
et Explorer process attempts to perform a Clipboard operation. If you do not configure this policy setting, curre
et Explorer process attempts to perform a Clipboard operation. If you do not configure this policy setting, curre
following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click
et Explorer will not check server certificates to see if they have been revoked.
et Explorer will not check server certificates to see if they have been revoked.
wnloading them to user computers. If you do not configure this policy, Internet Explorer will not check the digita
wnloading them to user computers. If you do not configure this policy, Internet Explorer will not check the digita
ure on or off. This setting only applies if the Media Explorer Bar is enabled. If checked, the Media Explorer Bar w
olicy setting, the command buttons show selective text by default, and the user can change this.
olicy setting, the command buttons show selective text by default, and the user can change this.
of 1, prompts are bypassed. If you enter a value of 0, prompts are not bypassed. Value Name is the name of the
of 1, prompts are bypassed. If you enter a value of 0, prompts are not bypassed. Value Name is the name of the
olicy setting effectively removes this option from users - all add-ons are assumed to be denied unless they are s
olicy setting effectively removes this option from users - all add-ons are assumed to be denied unless they are s
you disable this policy or do not configure it, this control will not be designated as administrator-approved.
u disable or do not configure this policy setting, a user can set the number of days that Internet Explorer tracks
u disable or do not configure this policy setting, a user can set the number of days that Internet Explorer tracks
eir desktop. Note: Most channel providers use the words Add Active Channel for this option; however, a few use
g content. The "Hide Favorites menu" policy (located in User Configuration\Administrative Templates\Windows C
d on the Schedule tab. This policy is intended for organizations that are concerned about server load for downlo
General tab from the interface.

set this policy, because the "Disable the Advanced page" policy removes the Advanced tab from the interface.
omatically configure these settings.
omatically configure these settings.
dows Components\Internet Explorer\Internet Control Panel) takes precedence over this policy. If it is enabled, thi
ernet Control Panel), which removes the Content tab from Internet Explorer in Control Panel, takes precedence o
ontrol Panel), you do not need to set this policy, because the "Disable the General page" policy removes the Ge
rs to determine which browser should be their default. The "Disable the Programs page" policy (located in \Use
"Disable the General page" policy removes the General tab from the interface. Note: The default font settings
Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy, because the "
not need to set this policy, because the "Disable the General page" policy removes the General tab from the int
tive Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Programs tab
e over this policy. If it is enabled, this policy is ignored.
licy. If it is enabled, this policy is ignored.
home pages.
home pages.
nents\Internet Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the Gen
Internet Explorer and File Explorer toolbars. This policy can be used in coordination with the "Disable customizi
g downloaded. The "Disable downloading of site subscription content" policy and the "Hide Favorites menu" po
ules for Web sites and groups of Web sites. The "Disable editing schedules for offline pages" policy and the "Hi
not configure it, users can edit an existing schedule for downloading Web content for offline viewing. This polic
or do not configure this policy setting, the user will be able to use the Import/Export Settings wizard.
or do not configure this policy setting, the user will be able to use the Import/Export Settings wizard.
verlaps with the "Disable the Connections page" policy (located in \User Configuration\Administrative Template
click the Open in New Window command, the link will not open in a new window and they will be informed that
tive content from the desktop interface.

this policy or do not configure it, users can remove the preconfigured settings for pages to be downloaded for o
on Channels to update their users' programs without user intervention.
uration settings"
uration settings"
g home page settings" "Disable changing Temporary Internet files settings" "Disable changing history settings
g home page settings" "Disable changing Temporary Internet files settings" "Disable changing history settings
ging default browser check"

ging default browser check"
it is enabled, this policy is ignored.
e Web pages that contain both secure (https://) and nonsecure (http://) content. If you disable this policy setting
versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locat
versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locat
ble to the user.

ble to the user.
etting, the reveal password button can be shown by the application as a user types in a password. The reveal pa
etting, the reveal password button can be shown by the application as a user types in a password. The reveal pa
ers with a Client Authentication message when they connect to a Web site that has no certificate or only one ce
rompt users with a "Client Authentication" message when they connect to a Web site that has no certificate or o
ecure (HTTPS) information to the cache.
ecure (HTTPS) information to the cache.
to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Secu
o create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Securit
aren't trusted. Code signed by trusted publishers is silently downloaded.

ernet Files folder when browser windows are closed. If you do not configure this policy, Internet Explorer will not
ernet Files folder when browser windows are closed. If you do not configure this policy, Internet Explorer will not
ernet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one do
t Options dialog. In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot dr
process. If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone.
process. If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Exp
e Command bar enables the user to access and manage favorites, feeds, shortcuts to home page, and more. Fu
e Command bar enables the user to access and manage favorites, feeds, shortcuts to home page, and more. Fu
InPrivate Filtering threshold by clicking the Safety button and then clicking InPrivate Filtering.
InPrivate Filtering threshold by clicking the Safety button and then clicking InPrivate Filtering.
e Tracking Protection threshold by clicking the Safety button and then clicking Tracking Protection.
e Tracking Protection threshold by clicking the Safety button and then clicking Tracking Protection.
n New Window command. To prevent users from using the shortcut menu to open new browser windows, you sh
s by using the shortcut menu, set the "Disable Open in New Window menu option" policy, which disables this co
n click the Save As command. If you disable this policy or do not configure it, users can save all elements on a
n: If you enable this policy, users are not prevented from saving Web content by pointing to a link on a Web pag
ls menu (in Internet Explorer 6) to manage their favorite links that are set up for offline viewing.
he user can choose whether path information is sent when he or she is uploading a file via an HTML form. By de
-provided website lists are not active. The user can activate the feature by using the Compatibility View Settings
-provided website lists are not active. The user can activate the feature by using the Compatibility View Settings
ed with parameters or scripted. If you disable this policy setting, ActiveX controls that cannot be made safe are
orer and Internet Explorer processes.
orer and Internet Explorer processes.
a for all received files. If you disable this policy setting, Internet Explorer will not require consistent MIME data f
a for all received files. If you disable this policy setting, Internet Explorer will not require consistent MIME data f
files and content processed by Internet Explorer. If you disable this policy setting, Local Machine zone security is
files and content processed by Internet Explorer. If you disable this policy setting, Local Machine zone security is
er, and resources hosted on the MK protocol will fail.

er, and resources hosted on the MK protocol will fail.
ting, restricting content obtained through restricted protocols is prevented for File Explorer and Internet Explore
ting, restricting content obtained through restricted protocols is prevented for File Explorer and Internet Explore
no zone receives such protection for Internet Explorer processes. If you do not configure this policy setting, any
no zone receives such protection for Internet Explorer processes. If you do not configure this policy setting, any
not configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Expl
not configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Expl
ou disable or do not configure this policy setting for a zone, no protocols are restricted for that zone, regardless
mparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a
curity zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Ma
plets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy
Es on the pages in this zone. If you do not configure this policy setting, users are queried to choose whether to r
Es on the pages in this zone. If you do not configure this policy setting, users can run applications and download
Es on the pages in this zone. If you do not configure this policy setting, users are prevented from running applic
s can be used silently for the remainder of the session. Automatic logon with current user name and password t
on Web pages -- Popup Menu Object - enables Web authors to add pop-up menus to Web pages To specify how
wing steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Secu
click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zo
en click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Se
gs, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone i
he following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then cli
ndows and frames from othe domains and access applications from other domains.
configure this policy setting, users cannot open other windows and frames from different domains or access ap
Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content z
default web browser check box on the Programs tab in the Internet Options dialog box. Note that starting with In
ote: You can disable users from adding or removing websites to the exception list by enabling "Turn off Managin
ote: You can disable users from adding or removing websites to the exception list by enabling "Turn off Managin
e the navigation bar. The user cannot interchange the positions of the menu bar and the navigation bar. If you d
can click the Delete Browsing History button on the Settings charm.
can click the Delete Browsing History button on the Settings charm.
ption list" and "Turn off pop-up management" policy settings to prevent the user from configuring pop-up behav
ption list" and "Turn off pop-up management" policy settings to prevent the user from configuring pop-up behav
e clicks links from other applications.

e clicks links from other applications.
do not configure this policy setting, the user can specify what action applies to searches on the Address bar.
do not configure this policy setting, the user can specify what action applies to searches on the Address bar.
after a search on the Address bar: a top-result website or a search-results webpage in the main window. If you
after a search on the Address bar: a top-result website or a search-results webpage in the main window. If you
ored for visited websites. This feature is available in the Delete Browsing History dialog box. If you enable this p
ored for visited websites. This feature is available in the Delete Browsing History dialog box. If you enable this p
er can choose whether to delete or preserve InPrivate Filtering data when he or she clicks Delete.
er can choose whether to delete or preserve InPrivate Filtering data when he or she clicks Delete.
nabled by default.
nabled by default.
tting is enabled, this policy setting is enabled by default.
tting is enabled, this policy setting is enabled by default.
ers as Accelerators to include them on the Accelerator menu.

ers as Accelerators to include them on the Accelerator menu.
xperience.
xperience.
st are sent automatically to Microsoft without prompting the user. If you disable or do not configure this policy s
st are sent automatically to Microsoft without prompting the user. If you disable or do not configure this policy s
onfigure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started af
onfigure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started af
ure this policy setting, the user can specify the cipher strength update information URL.
rough the feed list control. A developer can add or delete a feed or Web Slice by using the Feed APIs.
rough the feed list control. A developer can add or delete a feed or Web Slice by using the Feed APIs.
nfigured on the Privacy tab in Internet Options.
nfigured on the Privacy tab in Internet Options.
alue of 0, the add-on management user preferences and policy settings are ignored by the specified process. Th
alue of 0, the add-on management user preferences and policy settings are ignored by the specified process. Th
f a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explo
f a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explo
want this security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1, MI
want this security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1, MI
ue of 0, Local Machine Zone security does not apply. If a Value Name is empty or the Value is not 0 or 1, the pol
ue of 0, Local Machine Zone security does not apply. If a Value Name is empty or the Value is not 0 or 1, the pol
he Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable
ted Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is ena
ted Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is ena
obtained through restricted protocols is blocked. The Value Name is the name of the executable. If a Value Nam
obtained through restricted protocols is blocked. The Value Name is the name of the executable. If a Value Nam
or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Inter
or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Inter
ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes po
ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes po
nable this policy setting and enter a Value of 1, elevation to more privileged zones can be prevented. If you ent
nable this policy setting and enter a Value of 1, elevation to more privileged zones can be prevented. If you ent
sable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take prece
sable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take prece
y to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this
y to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this
ave none of these restrictions. The Value Name is the name of the executable. If a Value Name is empty or the V
ave none of these restrictions. The Value Name is the name of the executable. If a Value Name is empty or the V
installed from other applications). The only providers that appear are those in the list of policy keys for search p
installed from other applications). The only providers that appear are those in the list of policy keys for search p
xecute unsigned managed components. If you do not configure this policy setting, Internet Explorer will execut
xecute unsigned managed components. If you do not configure this policy setting, Internet Explorer will not exe
gned managed components. If you do not configure this policy setting, Internet Explorer will execute signed ma
gned managed components. If you do not configure this policy setting, Internet Explorer will not execute signed
ers to explore the Internet or the hard disk. This policy can be used in coordination with the "File Menu: Disable
changing site management settings for security zones established by the administrator. Note: The "Disable th
rnet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, ta
the Intranet zone. 3) Unicode domain names are always converted to IDN format. If you disable or do not confi
the Intranet zone. 3) Unicode domain names are always converted to IDN format. If you disable or do not confi
0 MB. If you enable this policy setting, Internet Explorer will allow trusted domains to store additional files in ap
0 MB. If you enable this policy setting, Internet Explorer will allow trusted domains to store additional files in ap
s. The default is 30 days.
s. The default is 30 days.
If you enable this policy setting, Internet Explorer will allow trusted domains to store additional data in indexed
If you enable this policy setting, Internet Explorer will allow trusted domains to store additional data in indexed
If you disable or do not configure this policy setting, Internet Explorer will use the default application cache ind
If you disable or do not configure this policy setting, Internet Explorer will use the default application cache ind
manifest file contains the number of resources, including the page that referenced the manifest, that are less th
manifest file contains the number of resources, including the page that referenced the manifest, that are less th
e the default maximum storage limit for all application caches. The default is 1 GB.
e the default maximum storage limit for all application caches. The default is 1 GB.
r will use the default maximum storage limit for all indexed databases. The default is 4 GB.
r will use the default maximum storage limit for all indexed databases. The default is 4 GB.
default setting. The second algorithm must be explicitly enabled through the creation of an integer setting. In t
default setting. The second algorithm must be explicitly enabled through the creation of an integer setting. In t
Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which
s these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Compu
one (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The
one (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The
from being notified of software updates by e-mail, software packages from being automatically downloaded to u
his option to start with the tabs from the last browsing session. If you do not configure this policy setting, Inter
his option to start with the tabs from the last browsing session. If you do not configure this policy setting, Inter
Wizard should start automatically.
ges in this zone is prevented from being submitted. If you do not configure this policy setting, users are queried
ges in this zone is prevented from being submitted. If you do not configure this policy setting, information using
d for new information, it does not change the user interface in the Offline Favorites wizard. Note: The begin an
hanging Internet settings by clicking the Internet Options icon in Windows Control Panel. Also, see policies for I
his behavior. If you do not configure this policy setting, .NET Framework Setup is turned on by default. The user
policy setting, the ActiveX Opt-In prompt appears.

policy setting, the ActiveX Opt-In prompt appears.
ns exceeds the threshold. If you disable or do not configure this policy setting, users are notified when the aver
ns exceeds the threshold. If you disable or do not configure this policy setting, users are notified when the aver
Add-on List" policy settings. If you disable, or do not configure this policy setting, Flash is turned on for Interne
Add-on List" policy settings. If you disable, or do not configure this policy setting, Flash is turned on for Interne
"file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm" If you disable or don'

"file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm" If you disable or don'
nable Data Execution Prevention.

on or off through the registry.
on or off through the registry.
er sees a detailed description with hints about how to correct the problem. The user cannot change this policy se
etting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that
etting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that
setting is enabled. If you disable this policy setting, images appear. The user cannot turn off image display. If yo
ete for File Explorer.
nfigured through the registry.

nfigured through the registry.
ned on by default
ned on by default
cide whether to turn on the SmartScreen Filter during the first-run experience.
cide whether to turn on the SmartScreen Filter during the first-run experience.
ilable. Starting with Windows 8, the Print flyout for Internet Explorer will be available, and users will see installe
ilable. Starting with Windows 8, the Print flyout for Internet Explorer will be available, and users will see installe
ve the freedom to accept requests from Web sites for Profile Assistant information.
ve the freedom to accept requests from Web sites for Profile Assistant information.
this policy setting, the user can allow or prevent the sending of the path portion of URLs as UTF-8.
ternet Explorer Advanced Options settings. The default is to encode all query strings in UTF-8.
ternet Explorer Advanced Options settings. The default is to encode all query strings in UTF-8.
tabbed browsing.
tabbed browsing.
ses on or off.
ses on or off.
setting, users can turn this behavior on or off, using the Settings charm.
setting, users can turn this behavior on or off, using the Settings charm.
ting, websites can request data across domains by using the WebSocket object. By default, the WebSocket objec
ting, websites can request data across domains by using the WebSocket object. By default, the WebSocket objec
ously disabled through policy settings or user choice. If you disable or do not configure this policy setting, the t
ously disabled through policy settings or user choice. If you disable or do not configure this policy setting, the t
n be configured through the registry.
n be configured through the registry.
will be able to turn on or turn off URL Suggestions in the Internet Options dialog. By default, URL Suggestions a
will be able to turn on or turn off URL Suggestions in the Internet Options dialog. By default, URL Suggestions a
Complete to provide relevant results in the Address bar. The user cannot change this setting. If you do not confi
Complete to provide relevant results in the Address bar. The user cannot change this setting. If you do not confi
nced Protected Mode on 64-bit versions of Windows. If you don't configure this policy setting, users can turn thi
nced Protected Mode on 64-bit versions of Windows. If you don't configure this policy setting, users can turn thi
n Control Panel.
n Control Panel.
t change this behavior. If you do not configure this policy setting, the user can decide whether to start Internet
ng through the Feed APIs.
ng through the Feed APIs.
hrough the registry.
hrough the registry.
ned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Interne
ned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Interne
ows Vista, Windows 7, Internet Explorer 7, and Internet Explorer 8. By default, inline AutoComplete is turned on
y with existing webpages, but newer content written to common Internet standards may be displayed incorrectl
y with existing webpages, but newer content written to common Internet standards may be displayed incorrectl
user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet S
user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet S
olicy setting is not configured, a Notification bar notification appears for intranet content loaded on a browser on
olicy setting is not configured, a Notification bar notification appears for intranet content loaded on a browser on
urn on or turn off the printing of background colors and images.
he user can turn on or turn off script debugging.
ested Sites feature.

ested Sites feature.
is policy setting. If you do not configure this policy setting, the user can turn on or turn off the display of script
mailto links" check box.
mailto links" check box.
ectly within a Web page saved to disk. If you do not configure this policy setting, users can preserve information
ectly within a Web page saved to disk. If you do not configure this policy setting, users cannot preserve informa
menu, set the "Turn off Shortcut Menu" policy, which disables the entire shortcut menu.
are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elev
e prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevati
If you do not configure this policy Tablet PC users can report handwriting recognition errors to Microsoft.
If you do not configure this policy Tablet PC users can report handwriting recognition errors to Microsoft.
ain controller does not support claims, compound authentication or armoring. If you configure the "Not support
unless the "Display information about previous logons during user logon" policy setting is enabled. Note: Inform
cy in the domain. If you disable or do not configure this policy setting, domain controllers will return service tic
. If the KDC is unable to resolve the SPN because the name is not found, NTLM authentication might be used. To
et maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if
tication request. If you disable or do not configure this policy setting and the resource domain requests compou
DNS suffixes using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to
m name. In the Value column, type the realm flags and host names of the host KDCs using the appropriate synt
C proxy server is not established if the revocation check fails.
main controllers. Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication
quest claims, provide information required to create compounded authentication and armor Kerberos messages
hority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA
cate. If you disable or do not configure this policy setting, any service is allowed to accept incoming connection
do not configure this policy setting, the Kerberos client or server uses the locally configured value or the defau
ame. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of m
s: Never: Compound authentication is never provided for this computer account. Automatic: Compound authen
h password will be attempted. Force: Device will always authenticate using its certificate. If a DC cannot be fou
e most preferred cipher suite at the top. Remove any cipher suites you don't want to use. Note: When configur
ervers, you can specify Not Configured for this domain Group Policy setting, and then configure local machine po
vers require authentication and do not use insecure guest logons by default. Since insecure guest logons are un
s connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Proh
's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged n
nsions such as Software Installation and Folder Redirection take two logons to apply changes. To be able to oper
Your Server on a Windows 2000 Server"" screen on Windows 2000 Server. Note: This setting appears in the Com
Your Server on a Windows 2000 Server"" screen on Windows 2000 Server. Note: This setting appears in the Com
configured to its run list. This policy setting appears in the Computer Configuration and User Configuration fold
configured to its run list. This policy setting appears in the Computer Configuration and User Configuration fold
gs are configured, the policy setting in Computer Configuration takes precedence over the policy setting in Use
gs are configured, the policy setting in Computer Configuration takes precedence over the policy setting in Use
y the fully qualified path to the file. If you disable or do not configure this policy setting, the user will have to st
y the fully qualified path to the file. If you disable or do not configure this policy setting, the user will have to st
If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any sna
Windows Server 2003 family. However, users cannot open a blank MMC console window on the Start menu. (To
t you explicitly prohibit. Use this setting if you plan to permit use of most snap-ins. To explicitly prohibit a snap
mitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting
ermines whether this tab is displayed. -- If "Restrict users to the explicitly permitted list of snap-ins" is enabled
Windows Mobility Center. If you do not configure this policy setting, Windows presentation settings can be invo
Windows Mobility Center. If you do not configure this policy setting, Windows presentation settings can be invo
e/Automatic Maintenance Control Panel will apply.

reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. T
emote computers only. If you enable this policy setting for local and remote troubleshooting, MSDT always prom
enabled by default. No reboots or service restarts are required for this policy setting to take effect. Changes ta
ts that an installation package has permitted the user to change a protected option, it stops the installation and
ialog box for new source" policy setting. If you disable or do not configure this policy setting, by default, only sy
d on the desktop or displayed in Add or Remove Programs. This policy setting does not affect installations that r
nstall programs from removable media only when the installation runs in the user's security context. During pri
restricted computers. If you disable or do not configure this policy setting, the system applies the current user
restricted computers. If you disable or do not configure this policy setting, the system applies the current user
ew updates. The existing cached files will remain on disk and will be deleted when the product is removed. If yo
e of an existing feature tree. The new feature must be added as a new leaf feature to an existing feature tree.
n pose a security risk, it should be applied cautiously.

a when an installation is running with elevated system privileges, such as installations offered on the desktop or
ches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or
y setting, a user can remove an update from the computer only if the user has been granted privileges to remov
ired to install programs. Also, it prevents malicious users from interrupting an installation to gather data about t
ired to install programs. Also, it prevents malicious users from interrupting an installation to gather data about t
se detection and the legacy file in use behavior is used. -- The "Restart Manager Off for Legacy App Setup" opt
ller ignores per-user applications. This causes a per-computer installed application to be visible to users, even if
llation is running in the user's security context. But only system administrators can browse when an installation
emove, or repair the installation. This policy setting is designed for enterprises to prevent unauthorized or malic
ource, omit or delete the letter representing that source type.
ogs the default event types, represented by the letters "iweap."
restore their computer to the state it was in before installing the application.
ption turns off the automatic logging behavior when specified via the MsiLogging policy. Log files can still be ge
nfigured. -- The "For non-managed applications only" option permits users to install only those programs that
. This behavior is recommended for headless operation and is the default recovery behavior on Windows server.
entries must be a PING: resource. -A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transf
sts of the text PING: followed by the IPv6 address of an IPsec tunnel endpoint. Example: PING:2002:836b:1::836
anet resources across the DirectAccess server by specifying IPv6 addresses rather than names. The ability to d
u enable this policy setting, Net Logon will allow the negotiation and use of older cryptography algorithms comp
u disable this policy setting, the DCs will not attempt to verify any passwords with the PDC emulator. If you do
in an IPv6-only environment, and whenever DC location based on a NetBIOS domain name is not required. This
C only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery is not
by DC Locator. To adapt to changes in network conditions DC Locator will by default carry out a Force Rediscov
d IPv6 DC address, this policy can be used to disable the default behavior and enforce to return only IPv4 DC ad
permission. By default, the Netlogon share will grant shared read access to files on the share when exclusive a
value. The range of values is from 0 to 65535. If you do not configure this policy setting, it is not applied to any
er might be adjusted upward to avoid frequent automatic discovery of DCs in a trusted domain. To enable the s
n. By default, the SYSVOL share will grant shared read access to files on the share when exclusive access is requ
e Weight field value in the SRV record. To specify the Weight in the DC Locator DNS SRV records, click Enabled, a
ddress lookups. 1 - DCs will perform an exhaustive address lookup to discover additional client IP addresses. 2
dap._tcp.pdc._msdcs.<DnsDomainName> Gc SRV _ldap._tcp.gc._msdcs.<DnsForestName> GcAtSite
ny DCs, and DCs use their local configuration.
onfigure it, the default behavior occurs as described above.
this setting is too small, clients will attempt to find DCs even when none are available.
e will be treated as infinity. The minimum value for this setting is to always refresh (0).
records, this reregistration is required to instruct the DNS servers configured to automatically remove (scaveng
gistered by the Net Logon service, and they are used to locate the application directory partition-specific DC. An
ministrators to configure Active Directory access and replication. To specify the sites covered by the DC Locato
oximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower
u disable this policy setting, the DCs will not register site-specific DC Locator DNS SRV records for any other sites
y setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied,
-label name using DNS name resolution. If you disable this policy setting, computers to which this setting is app
g is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The mini
in the NegativeCachePeriod subkey is used. Warning: If the value for this setting is too large, a client will not at
The minimum value for this setting is 0. If the value for this setting is smaller than the value specified for the In
ffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version. T
n any user selects the connection, Properties appears on the File menu. If you disable this setting (and enable t
ngs for Administrators" setting), users (including administrators) cannot delete all-user remote access connectio
rtant: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting
Configuration Operators can rename all-user remote access connections. Note: This setting does not apply to A
remote access connections available to all users" setting is configured (set to either enabled or disabled), this s
nistrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 comp
0 Professional will have the ability to prohibit Administrators from using certain features. These settings are "Abi
l not apply to administrators on post-Windows 2000 computers. If you disable this setting or do not configure it
ant: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting d
o administrators on post-Windows 2000 computers. If you disable this setting or do not configure it, the Propert
setting will not apply to administrators on post-Windows 2000 computers. If you disable this setting or do not co
If you disable this setting or do not configure it, the Make New Connection icon appears in the Start menu and i
will not apply to administrators on post-Windows 2000 computers. If you disable this setting or do not configure
ly to administrators on post-Windows 2000 computers. If you disable this setting or do not configure it, the Inst
ators" setting), the Properties menu items are disabled, and no users (including administrators) can open the Re
ct options for remote access connections are available to all users. Users can connect or disconnect a remote ac
ers. If you disable this setting or do not configure it, all users can delete their private remote access connection
o not configure it, the Properties dialog box for a connection includes a check box beside the name of each com
twork Connections folder. If you disable this setting or do not configure it, the user will be able to create and mo
y to administrators on post-Windows 2000 computers. If you disable this setting or do not configure it, the Rena
rators on post-Windows 2000 computers. If you disable this setting, the Advanced button is enabled, and all us
The Internet Connection Firewall is a stateful packet filter for home and small office users to protect them from In
cess connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard
nnections folder. Users cannot choose to show the connection icon in the taskbar from the Connection Properties
l network. If you disable this policy setting, traffic between remote client computers running DirectAccess and t
g, this condition will not be reported as an error to the user. If you disable or do not configure this policy setting
hat are auto-discovered. To make this policy configuration the sole list of allowed proxies, enable the "Proxy defin
Internet proxies. Example: [3efe:3022::1000]; 18.0.0.1; 18.0.0.2 For more information see: http://go.microsoft
s private through automatic discovery. To ensure that these addresses are the only addresses ever classified as
t.com/fwlink/p/?LinkId=234043
orporate environment. For more information see: http://go.microsoft.com/fwlink/p/?LinkId=234043
while the server is inaccessible. If you disable this setting or select the "Work offline" option, users can work o
while the server is inaccessible. If you disable this setting or select the "Work offline" option, users can work o
ot take effect until the affected computer is restarted.
e background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' value to ensure that all netwo
used to determine if a network connection is considered to be slow. Note: Use the following formula when ente
Throughput threshold parameter, or if the round-trip network latency is above (slower than) the Latency thresho
able this setting, you can specify an automatic-cache disk space limit. If you disable this setting, the system lim
low-link" mode, as specified by the "Configure slow-link mode" policy to avoid network usage.
able for subsequent reads. This policy setting is triggered by the configured round trip network latency value. W
ng, all files in the Offline Files cache are unencrypted. This includes existing files as well as files added later, eve
ffline storage cache is corrupted. "1" also records an event when the server hosting the offline file is disconnec
ffline storage cache is corrupted. "1" also records an event when the server hosting the offline file is disconnec
ed, such as database components. To use this setting, type the file name extension in the "Extensions" box. To
akes precedence over the setting in User Configuration.
akes precedence over the setting in User Configuration.
gure this setting, the system performs a quick synchronization by default, but users can change this option. Th
gure this setting, the system performs a quick synchronization by default, but users can change this option. Th
tion, the system performs only a quick synchronization. Quick synchronization ensures that files are complete b
tion, the system performs only a quick synchronization. Quick synchronization ensures that files are complete b
mputer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is s
mputer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is s
splayed by default when you enable offline files, but users can change the setting. To prevent users from chang
splayed by default when you enable offline files, but users can change the setting. To prevent users from chang
PNRP names and help other computers perform PNRP lookups.

to control the seed server used in your corporation. 1. In order to use the global, well known seed server on the
this setting is not configured, the protocol will revert to using a public registry key to determine the seed server
will be used. If this setting is not configured, the protocol will revert to using a public registry key to determine t
s no seed server for bootstrap (such as ad hoc networking scenarios). If you disable this setting, PNRP will use
re is no seed server for bootstrap (such as ad hoc networking scenarios). If you disable this setting, PNRP will us
re is no seed server for bootstrap (such as ad hoc networking scenarios). If you disable this setting, PNRP will u
t creates a site-local cloud if the computer has a site-local address. If you enable this policy setting, PNRP does
h are not met, default values will be used for both the maximum and minimum PIN lengths.
h are not met, default values will be used for both the maximum and minimum PIN lengths.
use of a phone as a companion device for desktop authentication.

not configure this policy setting, the PCA is configured to detect failures during application installation, failures d
when network latency is greater than the value, clients begin caching content after they receive it from the file
e the version of BranchCache that matches their operating system. Policy configuration Select one of the follow
and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client compute
y setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hoste
e a BranchCache client computer cache age setting on all client computers, you can specify Not Configured for
nchCache settings are not applied to client computers by this policy. In the circumstance where client computer
ed cache clients at the branch office. Policy configuration Select one of the following: - Not Configured. With th
client computers are domain members but you do not want to configure a BranchCache client computer cache
In the circumstance where client computers are domain members but you do not want to enable BranchCache
the user that assisted resolution is available. If you disable this policy setting, Windows will not be able to dete
and indicate to the user that assisted resolution is available. If you disable this policy setting, Windows will not
erformance problems and indicate to the user that assisted resolution is available. If you disable this policy sett
ms and indicate to the user that assisted resolution is available. If you disable this policy setting, Windows will n
safely shuts down and remains in a powered state, ready for power to be safely removed. If you disable or do n
de show feature.
is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" po
is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" po
figuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes pre
figuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes pre
the module to False. If this policy setting is not configured, the LogPipelineExecutionDetails property of a modu
the module to False. If this policy setting is not configured, the LogPipelineExecutionDetails property of a modu
erates a high volume of event logs. Note: This policy setting exists under both Computer Configuration and Us
erates a high volume of event logs. Note: This policy setting exists under both Computer Configuration and Us
nscript cmdlet on each Windows PowerShell session. If you disable this policy setting, transcripting of PowerShe
nscript cmdlet on each Windows PowerShell session. If you disable this policy setting, transcripting of PowerShe
no scripts are allowed to run. Note: This policy setting exists under both "Computer Configuration" and "User Co
no scripts are allowed to run. Note: This policy setting exists under both "Computer Configuration" and "User Co
e this policy setting, it is disabled by default.

e this policy setting, it is disabled by default.
is active when the previous version is of a local file.
is active when the previous version is of a local file.
ting, it is disabled by default. The Restore button is active when the previous version is of a local file and stored
ting, it is disabled by default. The Restore button is active when the previous version is of a local file and stored
t. The Restore button is active when the previous version is of a file on a file share.
t. The Restore button is active when the previous version is of a file on a file share.
omputer from printing across the Internet. Also, see the "Custom support URL in the Printers folder's left pane"
to view available Web Services printers on your network, ensure that network discovery is turned on. To turn on
nable this policy and set the number of printers to display to 0.
e commands will then be sent to the print server, and the server will simply pass the commands to the printer.
nters. This setting makes it easy for users to find the printers you want them to add. Also, see the "Custom su
work and invites to choose a printer from the shown list. If you disable this setting, the network printer browse p
e system uses the specified location (and other search criteria) to find a printer nearby. You can also use this se
eb view is disabled, the setting has no effect. (To enable Web view, open the Printers folder, and, on the Tools m
, installation of a printer using a kernel-mode driver will not be allowed. Note: By applying this policy, existing k
xecuted. -This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by app
ing is not configured by default, and the behavior depends on the version of Windows that you are using. By de
figured to support driver isolation will be isolated. If you disable this policy setting, then print drivers will be loa
print driver is executed. -This policy setting applies only to print drivers loaded by the print spooler. Print drivers
policies to block all print connections to a specific print server. If this setting is enabled, users will only be able
policies to block all print connections to a specific print server. If this setting is enabled, users will only be able
ws Vista clients so that security warnings and elevated command prompts do not appear when users Point and P
ws Vista clients so that security warnings and elevated command prompts do not appear when users Point and P
cking adds a Browse button in the Add Printer wizard's Printer Name and Sharing Location screen and to the Ge
Nor does it prevent users from running other programs to add printers. This setting does not delete printers th
ote: A client license is used each time a client computer announces a printer to a print browse master on the do
r does not prune this computer's printers. This setting is designed to prevent printers from being pruned when t
tting, you can change the interval between contact attempts. If you do not configure or disable this setting the
: This setting is used only on domain controllers.
s computers every eight hours and allows two retries before deleting printers from Active Directory. You can use
etermines the time interval between retries; the default value is every eight hours. If the computer has not resp
eted printer objects when they rejoin the network. However, because non-Windows 2000 computers and compu
notify users of their availability, to recommend their use, or to enable users to install them without having to sea
ng other tools and methods to change program access or defaults. This setting does not prevent the Default Pro
Programs control Panel" setting is enabled, this setting is ignored.

sic View will be available to all users. When enabled, this setting takes precedence over the other settings in th
r network adapter, this setting is ignored when configuring that network adapter.
articular network adapter, this setting is ignored when configuring that network adapter.
e registry for a particular network adapter, this setting is ignored when configuring that network adapter.
registry for a particular network adapter, this setting is ignored when configuring that network adapter.
at network adapter.
or a particular network adapter, this setting is ignored when configuring that network adapter.
a particular network adapter, this setting is ignored when configuring that network adapter.
maximum number of outstanding packets is specified in the registry for a particular network adapter, this settin
dwidth limit is set for a particular network adapter in the registry, this setting is ignored when configuring that n
he registry for a particular network adapter, this setting is ignored when configuring that network adapter.
e registry for a particular network adapter, this setting is ignored when configuring that network adapter.
hat network adapter.
lar network adapter, this setting is ignored when configuring that network adapter.
particular network adapter, this setting is ignored when configuring that network adapter.
ring that network adapter.

ability information from the listed providers.
oblems and indicate to the user that assisted resolution is available. If you disable this policy setting, Windows w
eated system image. This is the default setting. If you disable this policy setting, the items "Use a system imag
ate Data feature is always enabled on Windows Server 2003. See "Supported on" for all supported versions.
ee "Supported on" for supported versions.) If you enable this policy setting and choose "Workstation Only" from
refreshed according the default, which is every 60 seconds beginning with Windows Server 2003. Note: This fe
n of the operating system can connect to this computer. If you do not configure this policy setting, users can co
sistance. If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "A
nfigure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in Syst
warning message. If you do not configure this policy setting, the user sees the default warning message.
etting, bandwidth optimization occurs at the level specified. If you disable this policy setting, application-based
nt Mapper Service for calls that contain authentication information. Clients making such calls will not be able to
that uses constrained delegation. If you disable this policy setting, the RPC Runtime will generate RPC_S_SEC_P
ystem does not maintain any RPC state information. Note: Because the basic state information required for troub
disabled. It will only generate a status code to indicate an error condition. If you enable this policy setting, the
n Windows Client, and the value of "None" on Windows Server versions that support this policy setting. If you d
are all running Windows Server 2003 family/Windows XP SP1 or higher versions. If either the RPC Client or the R
e configured to run asynchronously are no longer visible on startup, whether this policy setting is enabled or no
en for Windows NT 4.0 and earlier. Also, see the "Run Logon Scripts Visible" setting.
r Configuration and User Configuration folders. The policy setting set in Computer Configuration takes preceden
r Configuration and User Configuration folders. The policy setting set in Computer Configuration takes preceden
n asynchronously are no longer visible on startup, whether the ""Run startup scripts visible"" policy setting is en
O C include the following computer startup scripts: GPO B: B.cmd, B.ps1 GPO C: C.cmd, C.ps1 Assume also th
pts: GPO B: B.cmd, B.ps1 GPO C: C.cmd, C.ps1 Assume also that there are two users, Qin Hong and Tamara Joh
pts: GPO B: B.cmd, B.ps1 GPO C: C.cmd, C.ps1 Assume also that there are two users, Qin Hong and Tamara Joh
pts have finished, no matter how long they take, type 0. This interval is particularly important when other syste
agcab files.
leshooting Control Panel user interface. If you disable this policy setting, users can only access and search trou
ems on a scheduled basis. If you do not configure this policy setting, local troubleshooting preferences will take
e query should resemble the following, where XXXX is the locale ID of your WSS Service. For example, the Englis
mble the following: http://sitename/Search.aspx?k=$w If your intranet search service is Windows SharePoint S
etting is enabled or disabled, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive En
confidence.
Group Policy.
d in Search.
r not Search can perform queries on the web over metered connections, and if the web results are displayed in
oxes. Disabling this policy will block any indexing of online delegate mailboxes. Online delegate mailboxes are m
e mail items will be indexed at the speed of 120 items per minute. This policy has no effect on mail items when
ion" Group Policy. If you enable and then disable this policy setting, users can index any path not restricted by
at users can change later, see the administration guide for information about how to set up the initial machine
as VisFilter.CFilter.1. If you maintain a locked desktop environment, this setting is redundant because non-admi
eview pane
count info or specific location. If you disable or don't configure this policy setting, users can choose what inform
only be turned off for computers that are joined to a Windows domain. When a computer is not joined to a Wind
er Manager every [x] [minutes/hours/days] setting (in Windows Server 2012) that is configured in the Server M
istrator selects the "Do not show this window at logon" option, the window is not displayed on subsequent logo
(Windows Server 2012) option is selected, the console is not displayed automatically at logon. Note: Regardles
The network location can be either a folder, or a WIM file. If it is a WIM file, the location should be specified by
on tool with Microsoft. If you disable this policy, Tablet PC user writing samples from the handwriting recognitio
on tool with Microsoft. If you disable this policy, Tablet PC user writing samples from the handwriting recognitio
ng, users can share files out of their user profile after an administrator has opted in the computer.
olicy setting does not prevent them from starting programs in the command window even though they would be
or users that use Remote Desktop Services.

policy setting does not prevent them from starting programs in the command window even though they would
eDrive by default.
sable or do not configure this policy setting, only certificates that contain the smart card logon object identifier c
you use an ECDSA key to log on, you must also have an associated ECDH key to permit logons when you are n
policy setting, certificates which are expired or not yet valid will not be listed on the logon screen.
more of the "same" certificate on a smart card and this policy is enabled then the certificate that is used for log
rtificates from the smart card regardless of the feature set of the CSP. If you disable or do not configure this set
name and might need to be adjusted per organization. If you enable this policy setting or do not configure this
HQL) testing process.

able this policy setting, the SNMP agent only accepts requests from management systems within the communit
of permitted managers that you configure using this setting. If you disable or do not configure this policy settin
policy setting, the SNMP service sends trap messages to the hosts within the "public" community. If you disable
ontrolled by this policy setting, regardless of the file server configuration. If you do not configure this policy set
g, the Classification tab is hidden.

not configure this policy setting, the Global Resource Property List in AD DS provides the default set of properties
ption of running a 16-bit program in its own dedicated NTVDM process. The additional check box is enabled only
ects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears w
the user logged off. Note: The system saves document shortcuts in the user profile in the System-drive\Users\
tion Notifications" setting to prevent new notifications.

otification area, and the system clock. If this setting is disabled or is not configured, the taskbar displays all too
sed files, folders, or websites. If you disable or do not configure this setting, the system will store and display s
conducts a comprehensive search of the target drive in an attempt to find the file. Note: This policy setting only
ot correct, it conducts a comprehensive search of the target drive in an attempt to find the file. Note: This polic
splays in the new style, meaning the desktop icons are now on the Start page. If you do not configure this setti
e "Turn off notification area cleanup" setting, because if the notification area is hidden, there is no need to clean
n configure the taskbar position. Note: Enabling this setting also locks the QuickLaunch bar and any other toolb
policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on th
e Start menu and in the notification area.
ble from the Start menu. Note: This policy setting does not prevent the Set Default Programs for This Computer
ocuments icon on the desktop" policy setting.
Start menu, click Display Favorites under Advanced Start menu options. Note:The items that appear in the Fav
mines any system files, security fixes, and Microsoft updates that users need and shows the newest versions av
the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del, and it does no
ailable from the Start Menu. Also, see the "Disable programs on Settings menu" and "Disable Control Panel" pol
nters, and Network and Connection folders from Settings are available on the Start menu, and from Computer a
enabled and while it was in effect appear in the Recent Items menu. When the setting is disabled, the Recent I
he Application key (the key with the Windows logo) + R. If you disable or do not configure this setting, users wil
still appears on the Standard buttons toolbar, but the system does not respond when the user presses Ctrl+F. A
f you enable this setting, no folders appear on the top section of the Start menu. If users add folders to the Star
will be able to configure this setting.
esired file path, type the fully qualified path and name of the XML file. You can type a local path, such as C:\Star
esired file path, type the fully qualified path and name of the XML file. You can type a local path, such as C:\Star
ng" setting, the system disables user tracking and personalized menus and ignores this setting. Tip: To Turn off
setting does not prevent users from pinning programs to the Start Menu or Taskbar. See the "Remove pinned pr
m System Restore and configure System Restore settings through System Protection. Also, see the "Turn off Sy
ting in the Input Panel Options dialog box. If you disable this policy, Input Panel will provide text prediction sugg
ting in the Input Panel Options dialog box. If you disable this policy, Input Panel will provide text prediction sugg
is policy, Input Panel will appear next to any text entry area in applications where this behavior is available. Use
is policy, Input Panel will appear next to any text entry area in applications where this behavior is available. Use
nel will appear next to text entry areas in applications where this behavior is available. Users will not be able to
nel will appear next to text entry areas in applications where this behavior is available. Users will not be able to
rtcuts. If you enable this policy, rarely used Chinese, Kanji, and Hanja characters will be included in recognition
g box. If you do not configure this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users
g box. If you do not configure this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users
e functionality is available. Users will not be able to configure this setting in the Input Panel Options dialog box.
e functionality is available. Users will not be able to configure this setting in the Input Panel Options dialog box.
password security is set to Low. At this setting, all password security settings are turned off. Users will not be
Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable t
Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable t
do not configure this policy, all the features described above will be available.
do not configure this policy, all the features described above will be available.
etting to reduce network traffic, particularly over slow network connections. If you disable or do not configure th
ot is required for this policy setting to take effect.
Beginning users will often not be interested or confused by having the property sheet displayed automatically.
Beginning users will often not be interested or confused by having the property sheet displayed automatically.
ars in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in
ars in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in
d, users cannot change the program a task runs. Important: This setting does not prevent users from creating a
d, users cannot change the program a task runs. Important: This setting does not prevent users from creating a
ote: This setting appears in the Computer Configuration and User Configuration folders. If both settings are confi
ote: This setting appears in the Computer Configuration and User Configuration folders. If both settings are confi
vent administrators from submitting tasks from remote computers.

ministrators of a computer from using At.exe to delete tasks.
ministrators of a computer from using At.exe to delete tasks.
e: 6to4 is enabled if the host has only link-local IPv6 connectivity and a public IPv4 address. If no global IPv6 add
tions. Policy Disabled State: No IP-HTTPS interfaces are present on the host.
ink-local address and an address for each prefix received from the ISATAP router through stateless address auto
tivity might be intermittent. If you disable or do not configure this policy setting, the refresh rate is configured
o interface is always present, even if the host is on a network that includes a domain controller.
bled and system will not try to identify connectivity and throughput problems casued by Firewalls or other middl
e user tries to start an RDP session, the user receives a message that the publisher has been blocked.
e user tries to start an RDP session, the user receives a message that the publisher has been blocked.
cy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session wi
his policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP ses
t, video playback is enabled. By default, audio and video playback redirection is not allowed when connecting t
when connecting to a computer running at least Windows 7, or Windows Server 2008 R2. If you enable this pol
ge to take effect, you must restart Windows.
ne redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server wit
ote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remot
mote Desktop Connection client. They are prompted for a password to log on. If you disable this policy setting,
Group Policy level. However, users can configure automatic reconnection using the "Reconnect if connection is
nsive. Additionally, a third option is available that balances memory usage and network bandwidth. In Windows
ng option to Attempt only for RemoteFX vGPU virtual machines be aware that, for Windows Server running Hy
s an encoding mechanism that results in medium quality images. This mode provides better graphics quality tha
ple sessions), and the original session might still be active. If you enable this policy setting, you must enter a k
on Broker. If you enable this policy setting, you must specify the name of a farm in RD Connection Broker. If you
Connection Broker servers, you must provide a semi-colon separated list of the FQDNs of all the RD Connection
rich user experience by using a hardware-accelerated compression scheme. If you enable this policy setting, R
l change dynamically based on the network condition."
shes a connection to the RD Session Host server. If the RD Session Host server cannot be authenticated, the use
nsole session is also known as Session 0. Console access can be obtained by using the /console switch from Rem
mapping. If you do not configure this policy setting, client printer mapping is not specified at the Group Policy l
this policy setting, Clipboard redirection is not specified at the Group Policy level.
ion. If you do not configure this policy setting, COM port redirection is not specified at the Group Policy level.
Windows Server 2003, Windows 8, and Windows XP. If you disable this policy setting, client drive redirection is a
are is available.
g, server administrators have full read/write permissions to the user security descriptors by using the Remote D
LPT port redirection is not specified at the Group Policy level.
t server must be joined to a domain.

to the remote computer. If you enable this policy setting, users cannot redirect their supported Plug and Play d
inistrator specifies otherwise. If you do not configure this policy setting, Remote Desktop Services deletes the t
the default printer upon connection. If you do not configure this policy setting, the default printer is not specifie
rs are not created. Instead, a user's temporary files for all sessions on the remote computer are stored in a com
etting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server setti
you disable or do not configure this policy setting, non-Windows thin clients that only support the Windows Ser
time limit for active but idle Remote Desktop Services sessions policy settings. If you enable this policy setting
time limit for active but idle Remote Desktop Services sessions policy settings. If you enable this policy setting
Enabled, wallpaper never appears in a Remote Desktop Services session. If the status is set to Disabled, wallpa
played on the RD Session Host server. If you disable or do not configure this policy setting, these notifications w
is specified in the Configure RD Connection Broker server name policy setting. If you disable this policy setting
ost servers whose computer accounts are a member of the RDS Endpoint Servers group on the license server. B
f you select Dynamic, the audio will be sent with a level of compression that is determined by the bandwidth of
ect Client Compatible, the highest color depth supported by the client will be used. If you disable or do not con
maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be dete
nd Remote Desktop for Administration allows two Remote Desktop Services sessions. To use this setting, enter
e Desktop Services session is not specified at the Group Policy level.
terval determines how often the size of the entire roaming user profile cache is checked. When the size of the e
ot configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia.
dwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen captu
ents connecting to a terminal server running Windows Server 2003. By default, if the most appropriate RDS CA
ver 2008 R2, and a user is prompted on both the client computer and on the RD Session Host server to provide c
y the Shut Down Windows dialog box. It does not prevent users from using other methods to disconnect from a R
r, unsecured communication is allowed for RPC clients that do not respond to the request. If the status is set to
ted, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protoc
n in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Rem
tting is not specified at the Group Policy level.
ser experience to varying network quality. If you disable Connect Time Detect and Continuous Network Detect,
olicy setting, RDP will choose the optimal protocols for delivering the best user experience.
Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certific
efault, the encryption level is set to High. The following encryption methods are available: * High: The High sett
s. The profiles are contained in subfolders named for the account name of each user. To configure this policy se
specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an
you do not specify an authentication method by using this setting, either the NTLM protocol that is enabled on t
r Root Path in the form "Drive:\Path" (without quotes), without environment variables or ellipses. Do not specify
ermission: Allows the administrator to watch the session of a remote user with the user's consent. 5. View Sessi
ermission: Allows the administrator to watch the session of a remote user with the user's consent. 5. View Sessi
ou specify is honored by the Remote Desktop license server. If you disable or do not configure this policy settin
ion, idle session time limits do not apply. If you disable or do not configure this policy setting, the time limit is n
ion, idle session time limits do not apply. If you disable or do not configure this policy setting, the time limit is n
s do not apply. If you disable or do not configure this policy setting, this policy setting is not specified at the Gr
s do not apply. If you disable or do not configure this policy setting, this policy setting is not specified at the Gr
ed time on the server. If you enable this policy setting, disconnected sessions are deleted from the server after
ed time on the server. If you enable this policy setting, disconnected sessions are deleted from the server after
replaces any existing connection URL. The user cannot change the default connection URL. The user's default lo
t behavior. The available options are: "Do nothing if one is not found" - If there is a printer driver mismatch, the
ublisher is treated as a trusted .rdp publisher. Notes: You can define this policy setting in the Computer Config
the user exits the program the session is automatically logged off. To use this setting, in Program path and file
the user exits the program the session is automatically logged off. To use this setting, in Program path and file
, the Start screen is shown and apps are registered in the background.
hoose this option if you discover that applications published as RemoteApp programs do not support these adva
ection method, client computers must be able to connect directly by IP address to RD Session Host servers in th
the RD Session Host server. Note: For this policy setting to take effect, you must also enable and configure the
able for the Remote Desktop session. If you disable this policy setting, the RD Session Host server tries to find a
able for the Remote Desktop session. If you disable this policy setting, the RD Session Host server tries to find a
efault adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by def
are published in Active Directory Domain Services. 2. Remote Desktop license servers that are installed on do
esktop composition will be allowed for remote desktop sessions. On the client computer, you can configure desk
e RemoteApp Programs list can be started when a user starts a Remote Desktop Services session. If you enable
e: Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal s
re this policy setting, an initial program can be specified that runs on the remote computer after the client conn
this policy setting, Clipboard redirection is not specified at the Group Policy level.
moothing on the Experience tab in Remote Desktop Connection (RDC) or by using the "allow font smoothing" se
through Remote Desktop, depending on the client configuration (see the Experience tab in the Remote Deskto
me limit specified is reached, the RemoteApp session will be logged off from the RD Session Host server. If the u
me limit specified is reached, the RemoteApp session will be logged off from the RD Session Host server. If the u
and handled by the msiexec process in the order in which they are received.
turned off.
ou disable this policy setting, users who do not have an existing session log on to the first RD Session Host serv
effect until the user logs off.
nable this policy setting, Windows will store the TPM owner authorization in the registry of the local computer
nfigure this policy setting, only those TPM commands specified through the default or local lists may be blocked
mands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm i
e the Group Policy list of blocked TPM commands. If you disable or do not configure this policy setting, Windows
n authorization failure occurs each time a standard user sends a command to the TPM and receives an error res
n to the TPM. An authorization failure occurs each time a standard user sends a command to the TPM and receiv
f you enable this policy setting, the administrator group is also given full control to the user's profile folder. If y
tory (such as \dir1\dir2\homedir). As a result, users can access any directory on the home share by using the ho
g Windows waits for a response from the server before considering the connection to be slow. If you disable or
e user's roaming profile are deleted when the user logs off. The roaming profile still remains on the network ser
o respond to a slow connection. If you disable this policy setting or do not configure it, slow link detection is en
dy exists. For Windows Server 2003 family, Windows 2000 Professional SP4 and Windows XP SP1, the default be
handles to the per-user registry keys are closed. If you disable or do not configure this policy setting, Windows
t, Windows logs on the user with a temporary profile when Windows cannot load their user profile. Also, see the
y setting also requires the Windows Server 2012 version of the Active Directory schema to function. If you enab
n override the amount of time Windows waits for user input before using a default user profile for roaming user p
. By default, the Appdata\Local and Appdata\LocalLow folders and all their subfolders such as the History, Temp
havior. If you enable this policy setting, Windows will not delete Windows Installer or Group Policy software inst
Specify a customized message notifying users of the oversized profile. -- Determine how often the customized
The system tries repeatedly (at a rate of once per second) to unload and update the registry settings. By default
n a specific computer. If you enable this setting, the following occurs on the affected computer: At first logon, t
on a particular computer from being persisted. If you enable this policy setting, changes a user makes to their
Microsoft Windows Vista, a check box appears on the logon screen and the user must choose whether to downlo
ble up to the maximum wait time specified in this policy setting. Setting the value to zero causes Windows to p
to allow all users to access the profile. If you enable this policy setting, all users logging on this computer will u
er logs on. For example, with a value of 6 hours, the registry file of the roaming user profile is uploaded to the s
, enter a local path (for example, C:\HomeFolder) in the Path box. Do not specify environment variables or ellip
this policy setting will behave like any other cached data via Offline Files and continue to remain online while th
users will not be able to change this setting and the user's name and account picture will not be shared with ap
gure it, when a remote profile is slow to load, the system loads the local copy of the roaming user profile. The lo
y access to BitLocker-protected drives. When this policy setting is enabled, select the "Do not install BitLocker T
ve read-only access to BitLocker-protected drives. When this policy setting is enabled, select the "Do not install
s policy setting, enhanced PINs will not be used.
be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create Network Key
ble this policy setting, BitLocker will use legacy platform integrity validation, even on systems capable of Secure
he BitLocker setup wizard will display the computer's top-level folder view. If you disable or do not configure thi
s, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not run
pher strength for BitLocker to use to encrypt drives. If you disable or do not configure this policy setting, BitLoc
will be able to choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives. I
t TechNet for more information about adding data recovery agents. In "Configure user storage of BitLocker reco
ve Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
on Microsoft TechNet for more information about adding data recovery agents. In "Configure user storage of Bit
onfigure the options that the setup wizard displays to users for recovering BitLocker encrypted data. Saving to a
recovery message" option, the message you type in the "Custom recovery message option" text box will be dis
t release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery co
s). Use the "Configure TPM platform validation profile for native UEFI firmware configurations" group policy sett
validation profile for BIOS-based firmware configurations" group policy setting to configure the TPM PCR profile
to restrict the encryption algorithms and cipher suites used with hardware-based encryption. If you disable thi
ou want to restrict the encryption algorithms and cipher suites used with hardware-based encryption. If you dis
want to restrict the encryption algorithms and cipher suites used with hardware-based encryption. If you disab
when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the p
s are enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive w
n unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive. If y
ing, users are not allowed to use smart cards to authenticate their access to BitLocker-protected fixed data drive
icy setting, users are not allowed to use smart cards to authenticate their access to BitLocker-protected remova
memory when the computer restarts.

ter the service has started, there will be a check to see if antivirus and antispyware definitions are enabled. If at
fault frequency.
cheduled full scan to complete remediation will run at a default frequency.
ion updates will occur at the default time.
after a nonconfigurable delay of approximately five seconds.
e or do not configure this setting, catch-up scans for scheduled full scans will be turned off.
able or do not configure this setting, catch-up scans for scheduled quick scans will be turned off.
otection will have no impact on network performance. If you enable or do not configure this setting, definition re
nsions\Approved. For shell extensions to run on a per-user basis, there must be an entry at HKEY_CURRENT_US
tting, users can perform OpenSearch queries in this zone using Search Connectors.
tting, users cannot perform OpenSearch queries in this zone using Search Connectors.
MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing
oftware Turn off SmartScreen If you disable or do not configure this policy setting, Windows SmartScreen beh
folder can introduce application compatibility issues in applications that depend on the existence of the known
b on the ribbon.
only by an administrator. If you enable this setting and a user does not have sufficient permissions to install a pr
g, Windows only searches the current target path. It does not search for the original path even when it cannot fin
d Open dialog box, start Notepad and, on the File menu, click Open. Note: In Windows Vista, this policy setting
his policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third
x provided to developers of Windows programs. To see an example of the standard Open dialog box, start Word
Drive dialog box, in the Run dialog box, or in a command window. Also, this policy setting does not prevent use
es it prevent users from using other methods to start Computer Management. Tip: To hide all context menus, u
his setting the default list of items will be displayed in the Places Bar. Note: In Windows Vista, this policy setting
etting does not prevent users from connecting to computers in their workgroup or domain by other commonly u
g the share name in the Run dialog box or the Map Network Drive dialog box. To remove computers in the user'
to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a searc
alid and the location contains the specified .Library-ms or .searchConnector-ms file. You can add up to five addit
n list. Note: The icons representing the specified drives still appear in My Computer, but if users double-click the
up Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting a
ar. This policy setting does not affect the Search items on the File Explorer context menu or on the Start menu.
lso in My Computer when the client is part of a workgroup. Note: The ability to remove the Shared Documents
transition effects for menus and tooltips" option in Display in Control Panel.
ers to install programs without logging off and logging on again using their administrator credentials. If the dialo
ed, no default associations will be applied at logon time. If the policy is enabled, disabled, or not configured, us
in the registry or re-shown on subsequent uses of the search box.
ng of folders and files. If you disable this policy setting the protocol is in the protected mode, allowing applicati
ng of folders and files. If you disable this policy setting the protocol is in the protected mode, allowing applicati
Column headers * Exclude Libraries from the scope of Start search This policy will not enable users to add uns
e default File Explorer behavior is applied to the user. Note: In operating systems earlier than Windows Vista, en
Redirection does not create a temporary file and functions as if both new and old locations point to different sha
e this policy setting or do not configure it, the default value is set to 50 MB on Windows XP Professional and is u
, by default, files are scanned only during setup. Note: This policy setting affects file scanning only. It does not
able this policy setting and add systems to the list, upon disabling this policy, Windows Firewall deletes the list.
ws this computer to send or receive. If you disable this policy setting, Windows Firewall blocks all the listed inco
ws this computer to send or receive. If you disable this policy setting, Windows Firewall blocks all the listed inco
hich prevents this computer from sharing files and printers. If an administrator attempts to open any of these po
hich prevents this computer from sharing files and printers. If an administrator attempts to open any of these po
hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034. On Wind
hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034. On Wind
emote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions lis
emote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions lis
licy setting, Windows Firewall blocks these ports, which prevents this computer from receiving Plug and Play me
licy setting, Windows Firewall blocks these ports, which prevents this computer from receiving Plug and Play me
be allowed to create firewall rules in the Windows Firewall with Advanced Security snap-in. If you wish to preven
be allowed to create firewall rules in the Windows Firewall with Advanced Security snap-in. If you wish to preven
dministrators will still be allowed to create firewall rules in the Windows Firewall with Advanced Security snap-in
dministrators will still be allowed to create firewall rules in the Windows Firewall with Advanced Security snap-in
figuring the log file name, ensure that the Windows Firewall service account has write permissions to the folder
figuring the log file name, ensure that the Windows Firewall service account has write permissions to the folder
string that uses the syntax format. To remove a port, click its definition, and then press the DELETE key. To edit a
string that uses the syntax format. To remove a port, click its definition, and then press the DELETE key. To edit a
uch as the "Windows Firewall: Define inbound port exceptions" policy setting. To view the program list, enable th
uch as the "Windows Firewall: Define inbound port exceptions" policy setting. To view the program list, enable th
rewall. If you disable this policy setting, Windows Firewall applies other policy settings that allow unsolicited inc
rewall. If you disable this policy setting, Windows Firewall applies other policy settings that allow unsolicited inc
es as if the policy setting were disabled, except that in the Windows Firewall component of Control Panel, the "N
es as if the policy setting were disabled, except that in the Windows Firewall component of Control Panel, the "N
has no effect if the unicast message is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast m
has no effect if the unicast message is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast m
rewall on or off, unless the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy set
rewall on or off, unless the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy set
content on their computer, since the license is generated locally in this scenario. When this policy is either disa
u do not configure this policy setting, users can change the setting for the Allow screen saver during playback ch
he Player is not available for the HTTP protocol and the proxy cannot be configured. If the "Hide network tab" po
ab" policy setting is also enabled, the entire Network tab is hidden. This policy setting is ignored if the "Streami
policy setting, users can change the buffering options on the Performance tab.
ab" policy setting is also enabled, the entire Network tab is hidden. If you disable this policy setting, the RTSP p
skin" policy setting is enabled, some options in the anchor window are not available.
dden, and users can configure any privacy settings not configured by other polices.
e displayed when the user starts the Player for the first time.
eve media information for CDs and DVDs from the Internet check box.
is policy setting, users can change the setting of the Update my music files (WMA and MP3 files) by retrieving m
e the setting for the Use Video Smoothing check box. Video smoothing is available only on the Windows XP Hom
kin is to leave the Skin box blank. A user has access only to the Player features that are available with the spec
etting also specifies that multicast streams can be received if the "Allow the Player to receive multicast streams
s Messenger user interface. Note: If you do not want users to use Windows Messenger, enable the "Do not allow
s Messenger user interface. Note: If you do not want users to use Windows Messenger, enable the "Do not allow
ill not respond to requests from a remote computer, regardless of whether or not any WinRM listeners are config
r and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored sec
set to Relaxed (default value), any request containing an invalid channel binding token is rejected. However, a r
the list of trusted hosts locally on each computer.
stall these updates, except in the case of updates that contain User Interface , End User License Agreement , or
pdates from a service other than an intranet Microsoft update service must always be signed by Microsoft and a
able updates at the default interval of 22 hours. Note: The "Specify intranet Microsoft update service location" s
sers can download and install any available updates. 3 = (Default setting) Download the updates automatically
ws dialog box if updates are available for installation at the time the user selects the Shut Down option in the Sta
ws dialog box if updates are available for installation at the time the user selects the Shut Down option in the Sta
ut Down option in the Start menu.

ut Down option in the Start menu.
will be sent to the intranet Microsoft update service. Note: This policy applies only when the intranet Microsoft u
ke the system up and install an update if an install deadline occurs. The system will not wake unless there are u
notify the user that the computer will automatically restart in 5 minutes to complete the installation. Note: This
te Web site. If enabled you can configure one of the following notification options: 0 = Do not show any notific
only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Auto
h values to be the same server. If the status is set to Enabled, the Automatic Updates client connects to the spe
Windows Update Application and get more information about the software or install it. The user can also click "Cl
te: Windows Update is an online catalog customized for your computer that consists of items such as drivers, cr
ent variable for your system, enter the fully qualified path to the file. If you disable this setting or do not config
disable or do not configure this setting, only Ease of Access applications running on the secure desktop can sim
the user before the user is presented with the Microsoft Windows desktop. For domain user accounts in Window
ction to take when logon hours expire setting. If Set action to take when logon hours expire is disabled or not
s expire. If you disable or do not configure this setting, the system takes no action when the users logon hours
user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not rest
to ensure that Windows can shut down faster and more smoothly.
o share networks with their contacts. "Enable paid services" enables Windows to temporarily connect to open h
e basis. If this policy setting is disabled or is not configured, the cost of Wireless LAN connections is Unrestricted
the "Specify Work Folders settings" policy setting does not apply to a user, Work Folders is not automatically se
ly without prompting users. This prevents users from choosing not to use Work Folders on the computer; it also
odify this setting.
ions running on the machine via local API calls from within the application. If you disable or do not configure th
or or user.
take effect.
setting is disabled or is not configured, the cost of 3G connections is Fixed by default.

setting is disabled or is not configured, the cost of 4G connections is Fixed by default.
hat you want to ignore. Note: This policy setting applies to all sites in Trusted zones.
omponents button starts the Windows Component Wizard immediately. Because the only remaining option on th
ws Component Wizard.
ts\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting.
ell which programs have been published by the system administrator, and they cannot use Add or Remove Progr
am Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defa
ols and methods to install or uninstall programs.
k appears. Note: Not all programs provide a support information hyperlink.
pens. You can use this setting to direct users to the programs they are most likely to need. Note: This setting is
Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications from ru
ti-virus application is installed.) The Windows Resource Protection and User Account Control features of Window
Collector will be off.
of application compatibility issues. If you disable or do not configure this policy setting, the PCA will be turned o
e system after changing the setting to ensure that your system accurately reflects those changes.
ns (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a sp
oes not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI sche
oes not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI sche
prompt the user before accessing the file, regardless of the file's zone information. If you enable this policy se
uses its built-in list of high-risk file types.
his policy setting, Windows uses its default trust logic.

onfigure this policy setting, Windows does not call the registered antivirus programs when file attachments are
se the order in which Windows processes risk assessment data. If you disable this policy setting, Windows uses
policy setting is enabled, any user with access to read the security events will be able to read the command line
r can change the default Windows Vista or later behavior for autorun to: a) Completely disable autorun comma
r can change the default Windows Vista or later behavior for autorun to: a) Completely disable autorun comma
es Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is
es Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is
s their logon credentials.

word recovery disk; this will prevent data loss in the event that someone forgets their logon credentials.
nt requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not
nch Cache disable its use entirely.
Note: This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configure
policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured.
BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS use
cond (bps) between 1048576 and 4294967200 to use as the maximum network bandwidth used for peer cachin
his computer" policy setting is not configured. BITS jobs created by services and the local administrator account
nections, but foreground jobs should proceed only when not roaming. The values that can be assigned are: -
M. to 10:00 A.M. on a maintenance schedule. If you disable or do not configure this policy setting, the limits defi
a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of
this policy setting, you can configure the inactive job timeout to specified number of days. If you disable or do
out the registration. As a result, the program might not perform all its functions, or it might stop. This setting ap
out the registration. As a result, the program might not perform all its functions, or it might stop. This setting ap
Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Mic
ol Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalizat
e the "Prevent changing Screen Saver" setting.
is loaded. Note: When running Windows XP, you can select the Luna visual style by typing %windir%\resources
saver is not installed on a computer to which this setting applies, the setting is ignored. Note: This setting can
a the "Screen Saver timeout" setting. Note: To remove the Screen Saver dialog, use the "Prevent changing Scre
he in Display in Control Panel.
, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display Contr
policy setting, users will be able to customize their account pictures.
or don't configure this policy setting, the user cannot configure the amount of time after the device's screen tu
ain to which the computer is joined.

ble or do not configure this policy, all installed and otherwise enabled credential providers are available for auth
nding upon this delegation behavior might fail authentication. For more information, see KB. FWlink for KB: htt
s (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a sing
egation of fresh credentials is not permitted to any machine. Note: The "Allow delegating fresh credentials" poli
t permitted to any machine. Note: The "Allow delegating fresh credentials with NTLM-only server authenticatio
policy setting, delegation of saved credentials is not permitted to any machine. Note: The "Allow delegating sav
. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine.
er is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote D
aracter is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Rem
single wildcard character is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.f
may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrati
Windows system controls, including Internet Explorer.
Windows system controls, including Internet Explorer.
ce of their computers, view and monitor all programs running on their computers, including system services, fin
king for errors. If you enable this policy setting, you can view and change the list of DCOM activation security c
Note: For this setting to take affect, you must log off and log on to the system.
y that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification. If you disab
resulting display, on the View menu, click Filter.
ect the network and the domain controller from the effect of expansive searches.
ate to Computer, the folder will be empty. If you disable this setting, Computer is displayed as usual, appearing
esn't remove the feature from the computer. Instead, you must either: 1) first update the policy to a non-protec
rning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this
vice installation.
s" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent inst
g, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of remo
de whether to stop or to proceed with the installation and whether to permit unsigned files to be installed. "War
r these device classes," or "Prevent installation of removable devices" policy setting.

as allowed or prevented by other policy settings.
n install and update devices as allowed or prevented by other policy settings.
ver, the policy setting affects redirection of removable devices from a remote desktop client to the remote desk
able this policy setting, drivers that are signed by a Microsoft Windows Publisher certificate are selected for insta
ice driver searching" in Administrative Templates/System/Internet Communication Management/Internet Commu
s not locally available on the system. If you disable or do not configure this policy setting, members of the Adm
device drivers.
device drivers.
n the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS ca
gure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default. This policy setting takes effect on
ache is used for boot and resume optimizations. Note: This policy setting is applicable only if the NV cache feat
e system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately c
is applicable only if the NV cache feature is on.
k quota management but does not establish or enforce a particular disk quota limit. To specify a disk quota limit
stem responds as though the physical space on the volume were exhausted. When users reach an unenforced li
e Quota tab option to change the setting. This policy setting is independent of the enforcement policy settings f
does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect th
ll new users as soon as they write to the volume. It does not affect disk quota limits for current users, or affect c
appended with DNS suffixes. These suffixes can be derived from a combination of the local DNS client's primary
nfigured.
ed, and then enter a string value representing the DNS suffixes that should be appended to single-label names.
or any of their network connections, regardless of the configuration for individual network connections.
be preferred over responses from link local protocols received from networks higher in the binding order. Note:
etting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is us
pend parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Int
fic DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in
source records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all n
corresponding A records was not successful. Register only if A record registration succeeds: Computers will at
S zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the
DNS client attempts to replace the existing A resource record with an A resource record that has the client's curr
policy setting, LLMNR will be enabled on all available network adapters.

configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries.
art multi-homed name resolution policy setting is disabled or not configured.
ents attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure
tes to the root zone or top-level domain zones that are authoritative for the resource records that the computer
configure this policy setting, no range of characters are filtered by default. This policy setting applies to Japanes
ur malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.
anges made to Windows Error Reporting settings in Control Panel, and default values are applied for any Window
ber of reports to queue setting determines how many reports can be queued before older reports are automatic
is set to Always queue for administrator, reports are queued until an administrator is prompted to send them, o
rting automatically sends the minimum data required to check for an existing solution, and Windows prompts th
rting automatically sends the minimum data required to check for an existing solution, and Windows prompts th
s category is a subset of Microsoft applications. If you disable or do not configure this policy setting, users can e
n off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Window
n off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Window
nge this setting in Control Panel, which is set to enable notification by default on computers that are running Win
reporting. To add applications to the list, click Show under the Report errors for applications on this list setting, a
lications on this list setting takes precedence. If you disable or do not configure this policy setting, errors are re
lications on this list setting takes precedence. If you disable or do not configure this policy setting, errors are re
if the Default Application Reporting Settings policy setting is configured to report all application errors. If this p
nnected to a more permanent power source.
nnected to a more permanent power source.
e Event Collector computer will not be specified.
e "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
g access (legacy)" policy setting to enforce this change across all tools and APIs.
ng them to the event log.

this setting, users who are members of the Administrators group can make changes using the Windows To Go S
automatically start with no UI. Recovery is not attempted automatically. Windows will log an administrator even
ed by the Package Family Name will be permitted to revoke access to all content protected using the specified E
em volume.
e availability of the "Always available offline" menu option in the user interface. Note: Do not enable this policy
nfiguration of this policy for any folder will override the configured value of "Do not automatically make all redir
the state of the files, including their timestamps, before updating the Folder Redirection location. If you disable
cy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redire
cy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redire
cting the Start Menu or legacy My Documents folder. Note: This policy is valid only on Windows Vista, Windows
cting the Start Menu or legacy My Documents folder. Note: This policy is valid only on Windows Vista, Windows
ect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diag
qual to 29 (00 to 29) are interpreted as being preceded by 20, that is 2000 to 2029. Conversely, all two-digit ye
ect a replacement locale if one is installed. If you disable or do not configure this policy setting, the user can se
ect a replacement locale if one is installed. If you disable or do not configure this policy setting, the user can se
at the computer level, then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the comp
at the computer level, then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the comp
t them from modifying the values.

al location.
ogged-on user can access the dialog box controls in the Regional and Language Options control panel to select
d system locale list. If you disable or do not configure this policy setting, administrators can select any system l
u enable this policy setting, only locales in the specified locale list can be selected by users. If you disable or do
u enable this policy setting, only locales in the specified locale list can be selected by users. If you disable or do
ows XP, or Windows 2000, to use the "Restrict selection of Windows menus and dialogs language" policy setting
y does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. Note:
y does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. Note:
upported languages being enabled.
up Policy Objects (GPOs) that are scoped to the computer. - An event log message (1109) is posted, stating that
by using this setting. If you enable this setting, the Group Policy Object Editor snap-in always uses local ADM fil
etwork becomes available. Note that because this is a background refresh, extensions requiring synchronous pr
to slow network connection and instead default to using a fast network connection in the case that no network
nsmitted across a slow network connection, such as a telephone line. Updates across slow connections can caus
ork connection, such as a telephone line. Updates across slow connections can cause significant delays. The "D
on the system. The "Allow processing across a slow network connection" option updates the policies even when
ndwidth estimate to determine slow link thresholds. (See the Configure Group Policy Slow Link Detection policy
cates that the Group Policy Object Editor snap-in can read and write changes to any available domain controller
between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this r
between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this r
es even when the update is being transmitted across a slow network connection, such as a telephone line. Upda
hen the update is being transmitted across a slow network connection, such as a telephone line. Updates acros
es are disabled, policy changes will not take effect until the next user logon or system restart. The "Process eve
e line. Updates across slow connections can cause significant delays. The "Do not apply during periodic backgro
se. When background updates are disabled, policy changes will not take effect until the next user logon or syste
setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates
eplace" indicates that the user settings defined in the computer's Group Policy Objects replace the user settings
onnection, such as a telephone line. Updates across slow connections can cause significant delays. The "Do not
network connection, such as a telephone line. Updates across slow connections can cause significant delays. Th
typing RSOP.msc Note: This policy setting exists as both a User Configuration and Computer Configuration sett
typing RSOP.msc Note: This policy setting exists as both a User Configuration and Computer Configuration sett
uses a bandwidth estimate to determine slow link thresholds. (See the Configure Group Policy Slow Link Detecti
t configure this policy setting, the "Show Policies Only" command is turned on by default, but administrators can
figured. Also, see the "Set Group Policy refresh interval for computers" policy setting to change the policy refre
might interfere with users' work and increase network traffic, very short update intervals are not appropriate fo
do not configure this setting, the domain controller updates Group Policy every 5 minutes (the default). To spec
users' work and increase network traffic, very short update intervals are not appropriate for most installations.
configure this policy setting, Group Policy will use the default wait time of 30 seconds on computers running Win
ait time. If you disable or do not configure this policy setting, Group Policy will use the default wait time of 60 se
the default behavior. Files will always be copied to the GPO if they have a later timestamp. NOTE: If the Comp
ain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup.
ss a slow network connection, such as a telephone line. Updates across slow connections can cause significant d
ser Configuration, you must provide a path in the "User trace" box to the location where a user trace file can be
across a slow network connection, such as a telephone line. Updates across slow connections can cause signifi
r User Configuration, you must provide a path in the "User trace" box to the location where a user trace file can
work connection, such as a telephone line. Updates across slow connections can cause significant delays. 2. Th
tion, you must provide a path in the "User trace" box to the location where a user trace file can be created on th
s a slow network connection, such as a telephone line. Updates across slow connections can cause significant d
Configuration, you must provide a path in the "User trace" box to the location where a user trace file can be cre
te is transmitted across a slow network connection, such as a telephone line. Updates across slow connections c
User Configuration, you must provide a path in the "User trace" box to the location where a user trace file can b
ection, such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not
must provide a path in the "User trace" box to the location where a user trace file can be created on the client co
s preference items even when the update is transmitted across a slow network connection, such as a telephone
nder User Configuration, you must provide a path in the "User trace" box to the location where a user trace file
ork connection, such as a telephone line. Updates across slow connections can cause significant delays. 2. The
on, you must provide a path in the "User trace" box to the location where a user trace file can be created on the
twork connection, such as a telephone line. Updates across slow connections can cause significant delays. 2. Th
on, you must provide a path in the "User trace" box to the location where a user trace file can be created on the
a slow network connection, such as a telephone line. Updates across slow connections can cause significant de
tion, you must provide a path in the "User trace" box to the location where a user trace file can be created on t
s even when the update is transmitted across a slow network connection, such as a telephone line. Updates acr
ms in this preference extension listed under User Configuration, you must provide a path in the "User trace" box
eference items even when the update is transmitted across a slow network connection, such as a telephone line
sted under User Configuration, you must provide a path in the "User trace" box to the location where a user tra
smitted across a slow network connection, such as a telephone line. Updates across slow connections can cause
ed under User Configuration, you must provide a path in the "User trace" box to the location where a user trace
items even when the update is transmitted across a slow network connection, such as a telephone line. Updates
nder User Configuration, you must provide a path in the "User trace" box to the location where a user trace file c
pdates preference items even when the update is transmitted across a slow network connection, such as a tele
tion, you must provide a path in the "User trace" box to the location where a user trace file can be created on th
transmitted across a slow network connection, such as a telephone line. Updates across slow connections can c
listed under User Configuration, you must provide a path in the "User trace" box to the location where a user tra
network connection, such as a telephone line. Updates across slow connections can cause significant delays. 2.
ation, you must provide a path in the "User trace" box to the location where a user trace file can be created on t
rence items even when the update is transmitted across a slow network connection, such as a telephone line. U
sted under User Configuration, you must provide a path in the "User trace" box to the location where a user trac
etwork connection, such as a telephone line. Updates across slow connections can cause significant delays. 2. T
ration, you must provide a path in the "User trace" box to the location where a user trace file can be created on
w network connection, such as a telephone line. Updates across slow connections can cause significant delays.
figuration, you must provide a path in the "User trace" box to the location where a user trace file can be created
s a slow network connection, such as a telephone line. Updates across slow connections can cause significant de
Configuration, you must provide a path in the "User trace" box to the location where a user trace file can be cre
tting for the Control Panel Settings item, but not for its children. Enabling this policy setting does not override a
e Control Panel Settings item, but not for its children. Enabling this policy setting does not override any "Permit
u permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list o
mit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap
ou permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list
ricted by the "Restrict users to the explicitly permitted list of snap-ins" or "Permit use of Control Panel Settings (
etting, you permit use of the preference extension unless restricted by the "Restrict users to the explicitly perm
you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted li
ou permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list
mit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap
tricted by the "Restrict users to the explicitly permitted list of snap-ins" or "Permit use of Control Panel Settings
you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted lis
ted by the "Restrict users to the explicitly permitted list of snap-ins" or "Permit use of Control Panel Settings (Co
by the "Restrict users to the explicitly permitted list of snap-ins" or "Permit use of Control Panel Settings (Users
Desktop Services.
xample, to restrict the commands to only .chm files in the %windir%\help folder and D:\somefolder, add the follo
e settings are used, any programs listed in either of these locations cannot launched from Help
e settings are used, any programs listed in either of these locations cannot launched from Help
enefit, but HTLM Help stops if DEP detects system memory abnormalities.
ate with WLAN hotspots using a web browser.
rs can access the Windows Update website and enable automatic updating to receive notifications and critical u
ite to see if Microsoft has added the CA to its list of trusted authorities. If you disable or do not configure this p
. If you disable or do not configure this policy setting, the user can click the hyperlink, which prompts the user a
ction will remain static indefinitely without an Internet connection.
abled the Knowledge Base search from the Search Options page.
online ordering wizards. See the documentation for the web publishing and online ordering wizards for more in
online ordering wizards. See the documentation for the web publishing and online ordering wizards for more in
plates/Printers.
plates/Printers.
earch to Microsoft and the chosen search provider. Choosing Classic Search turns off the Search Companion feat
configure this policy setting, users have the choice to opt in and allow information to be collected.
configure this policy setting, users have the choice to opt in and allow information to be collected.
s are opted into the Windows Customer Experience Improvement Program. If you do not configure this policy se
gs under Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting.
ver is not found locally. Note: This policy setting is replaced by "Specify Driver Source Search Order" in "Adminis
re this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from anothe
re this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses M
re this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another si
see the Internet Explorer documentation on search providers. If you disable or do not configure this policy settin
see the Internet Explorer documentation on search providers. If you disable or do not configure this policy settin
e Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets
e Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets
as if those zones were set to 'disable'. If you do not configure this policy setting, only VML will be allowed in zo
as if those zones were set to 'disable'. If you do not configure this policy setting, only VML will be allowed in zo
g is prevented for all processes.

g is prevented for all processes.
e or do not configure this policy setting, Local Machine zone security is not applied to local files or content proce
e or do not configure this policy setting, Local Machine zone security is not applied to local files or content proce
lorer and Internet Explorer.

lorer and Internet Explorer.
setting, all attempts to access such content over the restricted protocols is blocked. If you do not configure this
ble this policy setting, all attempts to access such content over the restricted protocols is blocked. If you do not
ble this policy setting, all attempts to access such content over the restricted protocols is blocked. If you do not
s under Binary Behaviors Security Restriction policy are available.

pplications have implemented a custom security manager.
n Web Components such as fonts would be downloaded.
n Web Components such as fonts would be downloaded.
configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
gestions setting on the Settings charm.
gestions setting on the Settings charm.
cy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include t
cy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added la
t change this policy setting. If you do not configure this policy setting, the user can allow or prevent the display
is policy setting, video and animation can be played through older media players in specified zones.
lable to users. Users can choose whether or not to allow websites to store data on their computers.
lable to users. Users can choose whether or not to allow websites to store data on their computers.
l be available to users. Users can choose whether or not to allow websites to store data on their computers.
l be available to users. Users can choose whether or not to allow websites to store data on their computers.
ect the Always send Do Not Track header option, in Internet Explorer settings. By selecting this option, Internet
ect the Always send Do Not Track header option, in Internet Explorer settings. By selecting this option, Internet
e Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want
nstalled add-ons are not automatically activated in the browser. Internet Explorer notifies the user when newly i
nstalled add-ons are not automatically activated in the browser. Internet Explorer notifies the user when newly i
oes not check the Internet for new versions of the browser, so does not prompt users to install them.
oes not check the Internet for new versions of the browser, so does not prompt users to install them.
cation or process on the computer prevail.
cation or process on the computer prevail.
this policy setting, current values of the URL action for the Internet Explorer process prevail.
this policy setting, current values of the URL action for the Internet Explorer process prevail.
ntenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current
r will not check the digital signatures of executable programs or display their identities before downloading them
r will not check the digital signatures of executable programs or display their identities before downloading them
the Media Explorer Bar will automatically display and play the media content when the user clicks on a media li
ange this.
ange this.
Name is the name of the executable file. If Value Name is empty or the value is not 0 or 1, the policy setting is
Name is the name of the executable file. If Value Name is empty or the value is not 0 or 1, the policy setting is
denied unless they are specifically allowed through the 'Add-on List' policy setting. If you enable this policy se
denied unless they are specifically allowed through the 'Add-on List' policy setting. If you enable this policy se
nistrator-approved.
Internet Explorer tracks views of pages in the History list. Users can delete browsing history.
Internet Explorer tracks views of pages in the History list. Users can delete browsing history.
tion; however, a few use different words, such as Subscribe.
ve Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is enabled, this po
ut server load for downloading content. The "Hide Favorites menu" policy (located in User Configuration\Admini
tab from the interface.
policy. If it is enabled, this policy is ignored.

anel, takes precedence over this policy. If it is enabled, this policy is ignored. Caution: If you enable this policy,
e" policy removes the General tab from the interface. Note: The default Web page colors are ignored on Web pa
e" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Intern

The default font settings colors are ignored in cases in which the Web page author has specified the font attribu
his policy, because the "Disable the General page" policy removes the General tab from the interface.
General tab from the interface. Note: The default link colors are ignored on Web pages on which the author ha
emoves the Programs tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enable
use the "Disable the General page" policy removes the General tab from the interface.
h the "Disable customizing browser toolbars" policy, which prevents users from determining which toolbars are
Hide Favorites menu" policy (located in User Configuration\Administrative Templates\Windows Components\Inte

pages" policy and the "Hide Favorites menu" policy (located in User Configuration\Administrative Templates\Wind
offline viewing. This policy is intended for organizations that are concerned about server load for downloading c
tings wizard.
tings wizard.
Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Co
ey will be informed that the command is not available.
es to be downloaded for offline viewing. This policy is intended for organizations that are concerned about serve
changing history settings" "Disable changing color settings" "Disable changing link color settings" "Disable cha
changing history settings" "Disable changing color settings" "Disable changing link color settings" "Disable cha
disable this policy setting, users cannot receive the security information message and nonsecure content canno
Mode also limits the locations Internet Explorer can read from in the registry and the file system. When Enhance
Mode also limits the locations Internet Explorer can read from in the registry and the file system. When Enhance
password. The reveal password button is visible by default. On at least Windows 8, if the "Do not display the re
password. The reveal password button is visible by default. On at least Windows 8, if the "Do not display the re
certificate or only one certificate.
at has no certificate or only one certificate.
ng Internet Explorer Security settings.

Internet Explorer Security settings.
Internet Explorer will not delete the contents of the Temporary Internet Files folder when browser windows are c
Internet Explorer will not delete the contents of the Temporary Internet Files folder when browser windows are c
rag content from one domain to a different domain when the source and destination are in different windows. U
figure it, users cannot drag content from one domain to a different domain when the source and destination are
l not apply in this zone.
not run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control s
ome page, and more. Full-screen mode disables not only these three bars, but also the shortcuts to these bars.
ome page, and more. Full-screen mode disables not only these three bars, but also the shortcuts to these bars.
Protection.
Protection.
browser windows, you should also set the "Disable Open in New Window menu option" policy, which disables th
y, which disables this command on the shortcut menu, or the "Turn off Shortcut Menu" policy, which disables th
n save all elements on a Web page. The "File menu: Disable Save As... menu option" policy, which removes the
ng to a link on a Web page, clicking the right mouse button, and then clicking Save Target As.
viewing.
via an HTML form. By default, path information is sent.
mpatibility View Settings dialog box.
mpatibility View Settings dialog box.
cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, Act
cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, use
e consistent MIME data for all received files. If you do not configure this policy setting, Internet Explorer require
e consistent MIME data for all received files. If you do not configure this policy setting, Internet Explorer require
Machine zone security is not applied to local files or content processed by Internet Explorer. If you do not confi
Machine zone security is not applied to local files or content processed by Internet Explorer. If you do not confi
orer and Internet Explorer processes. If you do not configure this policy setting, the policy setting is ignored.
orer and Internet Explorer processes. If you do not configure this policy setting, the policy setting is ignored.
e this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.
e this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.
xplorer and Internet Explorer processes.

xplorer and Internet Explorer processes.
for that zone, regardless of the setting for "Allow active content over restricted protocols to access my compute
ent zone. If you select a security level for any zone (including selecting no security), the same change should be
lick Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings
not configure this policy setting, the permission is set to High Safety.
not configure this policy setting, the permission is set to High Safety.
not configure this policy setting, the permission is set to Medium Safety.
not configure this policy setting, Java applets are disabled.
not configure this policy setting, the permission is set to Low Safety.
not configure this policy setting, the permission is set to Low Safety.
ed to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
pplications and download files from IFRAMEs on the pages in this zone without user intervention.
nted from running applications and downloading files from IFRAMEs on the pages in this zone.
ser name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentic
eb pages To specify how administrator-approved controls are handled for each security zone, carry out the follo
nce, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Secur
Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then cl
urrent Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want to
Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the R
aintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Curre
ent domains or access applications from different domains.

. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In
Note that starting with Internet Explorer 10 on Windows 8, the check box is located on the Advanced tab in the I
abling "Turn off Managing Pop-up Allow list" policy.

abling "Turn off Managing Pop-up Allow list" policy.
e navigation bar. If you disable this policy setting, the menu bar is below the navigation bar. The user cannot in
configuring pop-up behavior.
configuring pop-up behavior.
es on the Address bar.

es on the Address bar.
the main window. If you disable or do not configure this policy setting, the user can select their preference for t
the main window. If you disable or do not configure this policy setting, the user can select their preference for t
box. If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved
box. If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved
ks Delete.
ks Delete.
not configure this policy setting, the user is prompted to decide the mode of operation for the phishing filter.
not configure this policy setting, the user is prompted to decide the mode of operation for the phishing filter.
the browser is started after installation.

the browser is started after installation.
the Feed APIs.

the Feed APIs.
the specified process. The Value Name is the name of the executable. If a Value Name is empty or the Value is n
the specified process. The Value Name is the name of the executable. If a Value Name is empty or the Value is n
enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or
enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or
nd enter a Value of 1, MIME handling is in effect. If you enter a Value of 0 file-type information is allowed to be in
nd enter a Value of 1, MIME handling is in effect. If you enter a Value of 0 file-type information is allowed to be in
alue is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the
alue is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the
olicy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in
olicy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in
sses policy setting is enabled, the processes configured in this box take precedence over that setting. If you dis
sses policy setting is enabled, the processes configured in this box take precedence over that setting. If you dis
xecutable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the File
xecutable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the File
ist: use the related Internet Explorer Processes policy to enable or disable for IE processes. If the All Processes p
ist: use the related Internet Explorer Processes policy to enable or disable for IE processes. If the All Processes p
et Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the
et Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the
be prevented. If you enter a Value of 0, elevation to any zone is allowed. The Value Name is the name of the ex
be prevented. If you enter a Value of 0, elevation to any zone is allowed. The Value Name is the name of the ex
ed in this box take precedence over that setting. If you disable or do not configure this policy setting, the secur
ed in this box take precedence over that setting. If you disable or do not configure this policy setting, the secur
ocesses configured in this box take precedence over that setting. If you disable or do not configure this policy se
ocesses configured in this box take precedence over that setting. If you disable or do not configure this policy se
Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer proce
Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer proce
f policy keys for search providers. Note: This list can be created through a custom administrative template file. F
f policy keys for search providers. Note: This list can be created through a custom administrative template file. F
rnet Explorer will execute unsigned managed components.
rnet Explorer will not execute unsigned managed components.
er will execute signed managed components.
er will not execute signed managed components.
h the "File Menu: Disable Open menu option" policy (located in \User Configuration\Administrative Templates\Wi
r. Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windo
lorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. Also, see the "Se
ou disable or do not configure this policy setting, the user can control this setting by using Advanced Options in
ou disable or do not configure this policy setting, the user can control this setting by using Advanced Options in
tore additional files in application caches, up to the limit set in this policy setting. If you disable or do not config
tore additional files in application caches, up to the limit set in this policy setting. If you disable or do not config
additional data in indexed databases, up to the limit set in this group policy. If you disable or do not configure th
additional data in indexed databases, up to the limit set in this group policy. If you disable or do not configure th
ault application cache individual resource size for all application caches resources. The default is 50 MB.
ault application cache individual resource size for all application caches resources. The default is 50 MB.
manifest, that are less than or equal to the limit set in this policy setting. If you disable or do not configure this
manifest, that are less than or equal to the limit set in this policy setting. If you disable or do not configure this
of an integer setting. In this case, each Internet Explorer isolation setting will quickly grow to use the specified i
of an integer setting. In this case, each Internet Explorer isolation setting will quickly grow to use the specified i
he content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run Activ
ntranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ne (High template). (The Local Machine zone and its locked down equivalent have special security settings that p
ne (High template). (The Local Machine zone and its locked down equivalent have special security settings that p
matically downloaded to users' computers, and software packages from being automatically installed on users' c
this policy setting, Internet Explorer starts with the home page. Users can change this option to start with the t
this policy setting, Internet Explorer starts with the home page. Users can change this option to start with the t
etting, users are queried to choose whether to allow information using HTML forms on pages in this zone to be
etting, information using HTML forms on pages in this zone can be submitted automatically.
ard. Note: The begin and end times for downloading are measured in minutes after midnight. The Maximum Offl
el. Also, see policies for Internet options in the \Administrative Templates\Windows Components\Internet Explore
d on by default. The user can change this behavior.
e notified when the average time to load all the user's enabled add-ons exceeds the threshold. This is the defau
e notified when the average time to load all the user's enabled add-ons exceeds the threshold. This is the defau
h is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash ob
h is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash ob
m" If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to bloc
m" If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to bloc
nnot change this policy setting. If you do not configure this policy setting, the user can turn on or turn off details
encryption methods that you select from the drop-down list. If you disable or do not configure this policy settin
encryption methods that you select from the drop-down list. If you disable or do not configure this policy settin
rn off image display. If you do not configure this policy setting, the user can turn on or turn off image display.
nd users will see installed printers under the Devices charm.

nd users will see installed printers under the Devices charm.
s as UTF-8.
ault, the WebSocket object is enabled.
ault, the WebSocket object is enabled.
this policy setting, the toolbar upgrade tool checks for incompatible toolbars. The user can enable or disable in
this policy setting, the toolbar upgrade tool checks for incompatible toolbars. The user can enable or disable in
efault, URL Suggestions are turned on.

efault, URL Suggestions are turned on.
etting. If you do not configure this policy setting, the user can choose to turn the Use Windows Search setting o
etting. If you do not configure this policy setting, the user can choose to turn the Use Windows Search setting o
etting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default.
etting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default.
whether to start Internet Explorer automatically to complete the signup process after the branding is complete f
de introduced in Internet Explorer 7 for Windows Vista. If you do not configure this policy, users will be able to
de introduced in Internet Explorer 7 for Windows Vista. If you do not configure this policy, users will be able to
toComplete is turned on for Internet Explorer 9.
y be displayed incorrectly. If you disable this policy setting, Internet Explorer uses a current user agent string. A
y be displayed incorrectly. If you disable this policy setting, Internet Explorer uses a current user agent string. A
onally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot c
onally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot c
t loaded on a browser on a computer that is not a domain member, until the user turns off the Notification bar.
t loaded on a browser on a computer that is not a domain member, until the user turns off the Notification bar.
n off the display of script errors.
can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page sa
cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page
rotection from Zone Elevation feature control. If you do not configure this policy setting, Web sites from less pr
ection from Zone Elevation feature control. If you do not configure this policy setting, the possibly harmful navi
rotection from Zone Elevation feature control. If you do not configure this policy setting, a warning is issued to
rotection from Zone Elevation feature control. If you do not configure this policy setting, a warning is issued to
rrors to Microsoft.
rrors to Microsoft.
nfigure the "Not supported" option, the domain controller does not support claims, compound authentication or
is enabled. Note: Information about previous logons is provided only if the domain functional level is Windows
ers will return service tickets that contain compound authentication any time the client sends a compound auth
cation might be used. To ensure consistent behavior, this policy setting must be supported and set identically o
d in your environment if you are not configuring using Group Policy. If you disable or do not configure this poli
domain requests compound authentication, devices will send a non-compounded authentication request first th
ick the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current en
sing the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry fr
ompound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. If you disa
mor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerbe
client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certifi
cept incoming connections by using this system-generated SPN.
gured value or the default value. Note: This policy setting configures the existing MaxTokenSize registry value i
rmat. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mappi
matic: Compound authentication is provided for this computer account when one or more applications are config
te. If a DC cannot be found which support computer account authentication using certificates then authenticatio
se. Note: When configuring this security setting, changes will not take effect until you restart Windows.
onfigure local machine policy to enable BranchCache on individual file servers. Because the domain Group Policy
ecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption a
public network" and "Prohibit operation while in private network" options instead. If you disable or do not config
cted to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit ope
anges. To be able to operate safely, these extensions require that no users be logged on. Therefore, they must b
etting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the
etting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the
d User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration
d User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration
the policy setting in User Configuration. Note: Customized run-once lists are stored in the registry in HKEY_LOC
the policy setting in User Configuration. Note: Customized run-once lists are stored in the registry in HKEY_LOC
g, the user will have to start the appropriate programs after logon. Note: This setting appears in the Computer C
g, the user will have to start the appropriate programs after logon. Note: This setting appears in the Computer C
d, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable
w on the Start menu. (To open the MMC, click Start, click Run, and type mmc.) Users also cannot open a blank M
explicitly prohibit a snap-in, open the Restricted/Permitted snap-ins setting folder and then disable the settings
d. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use
st of snap-ins" is enabled, users will not have access to the Group Policy tab. To explicitly permit use of the Grou
tion settings can be invoked.

tion settings can be invoked.
ke effect immediately. This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the
oting, MSDT always prompts for additional tool downloading. If you disable this policy setting, MSDT never dow
o take effect. Changes take effect immediately.
stops the installation and displays a message. These security features operate only when the installation progra
etting, by default, only system administrators can browse during installations with elevated privileges, such as i
affect installations that run in the user's security context. By default, users can install patches to programs that
curity context. During privileged installations, such as those offered on the desktop or displayed in Add or Remo
applies the current user's permissions when it installs programs that a system administrator does not distribute
applies the current user's permissions when it installs programs that a system administrator does not distribute
product is removed. If you set the baseline cache to 100, the Windows Installer will use available free space for
n existing feature tree. If you disable or do not configure this policy setting, the Windows Installer will use less
offered on the desktop or in Add or Remove Programs. Also, see the "Enable user to use media source while ele
the desktop or in Add or Remove Programs. Also, see the "Enable user to patch elevated products" policy settin
nted privileges to remove the update. This can depend on whether the user is an administrator, whether "Disab
on to gather data about the internal state of the computer or to search secure system files. However, because a
on to gather data about the internal state of the computer or to search secure system files. However, because a
r Legacy App Setup" option applies to packages that were created for Windows Installer versions lesser than 4.0
e visible to users, even if those users have a per-user install of the product registered in their user profile.
wse when an installation is running with elevated system privileges, such as installations offered on the desktop
ent unauthorized or malicious editing of transform files. If you disable this policy setting, Windows Installer stor
y. Log files can still be generated using the logging command line switch or the Logging policy. If you disable or
nly those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add
avior on Windows server. Troubleshooting Only: Detection and verification of file corruption will be performed w
s with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page do not matter. The syntax is
: PING:2002:836b:1::836b:1. You must configure this setting to have complete NCA functionality.
names. The ability to disconnect allows users to specify single-label, unqualified names (such as PRINTSVR)
ography algorithms compatible with Windows NT 4.0. However, using the older algorithms represents a potentia
PDC emulator. If you do not configure this policy setting, it is not applied to any DCs.
ame is not required. This policy setting does not affect DC location based on DNS names. If you enable this polic
S-based discovery is not recommended. Note that this policy setting does not affect NetBIOS-based discovery f
rry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients
o return only IPv4 DC address. Once applications are fixed, this policy can be used to enable the default behavio
e share when exclusive access is requested. Note: The Netlogon share is a share created by the Net Logon serv
g, it is not applied to any DCs, and DCs use their local configuration.
domain. To enable the setting, click Enabled, and then specify the interval in seconds.
n exclusive access is requested. Note: The SYSVOL share is a share created by the Net Logon service for use by
V records, click Enabled, and then enter a value. The range of values is from 0 to 65535. If you do not configure
al client IP addresses. 2 - DCs will perform a fast, DNS-only address lookup to discover additional client IP addre
sForestName> GcAtSite SRV _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName> DcByGuid
atically remove (scavenge) stale records that these records are current and should be preserved in the database
partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administ
overed by the DC Locator DNS SRV records, click Enabled, and then enter the sites names in a space-delimited f
is closer if it has a lower site link cost than another site with a higher site link cost. If you enable this policy se
ecords for any other sites but their own. If you do not configure this policy setting, it is not applied to any DCs,
ich this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a sing
o which this setting is applied will use the AllowDnsSuffixSearch policy, if it is not disabled or perform NetBIOS n
*60=4233600). The minimum value for this setting is 0. Warning: If the value for this setting is too small, a clie
large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is v
value specified for the Initial DC Discovery Retry Setting, the Initial DC Discovery Retry Setting is used. Warnin
the same OS version. The allowable values for this setting result in the following behaviors: 1 - Computers wil
this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties m
remote access connections. (By default, users can still delete their private connections, but you can change the
configured, this setting will not apply to administrators on post-Windows 2000 computers. If you do not config
tting does not apply to Administrators Note: When the "Ability to rename LAN connections or remote access con
nabled or disabled), this setting does not apply.
post-Windows 2000 computers. If this setting is not configured, only Administrators and Network Configuration
s. These settings are "Ability to rename LAN connections or remote access connections available to all users", "P
ing or do not configure it, a Properties menu item appears when users right-click the icon representing a LAN co
configured, this setting does not apply to administrators on post-Windows 2000 computers. If you disable this s
configure it, the Properties button is enabled for all users. The Networking tab of the Remote Access Connectio
e this setting or do not configure it, the Advanced Settings item is enabled for administrators. Note: Nonadminis
s in the Start menu and in the Network Connections folder for all users. Clicking the Make New Connection icon
tting or do not configure it, the Remote Access Preferences item is enabled for all users.
not configure it, the Install and Uninstall buttons for components of connections in the Network Connections fol
strators) can open the Remote Access Connection Properties dialog box for a private connection. Important: If th
r disconnect a remote access connection by double-clicking the icon representing the connection, by right-clicki
emote access connections. Private connections are those that are available only to one user. (By default, only A
de the name of each component that the connection uses. Selecting the check box enables the component, and
be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an ex
not configure it, the Rename option is enabled for all users' private remote access connections. Users can renam
on is enabled, and all users can open the Advanced TCP/IP Setting dialog box. Note: This setting is superseded
s to protect them from Internet network security threats. If you enable this setting, Internet Connection Firewal
New Connection Wizard. The Network Setup Wizard is disabled. If you disable this setting or do not configure i
he Connection Properties dialog box. Important: If the "Enable Network Connections settings for Administrators
nning DirectAccess and the Internet is not routed through the internal network. If you do not configure this poli
nfigure this policy setting, a DHCP-configured connection that has not been assigned an IP address will be repor
s, enable the "Proxy definitions are authoritative" setting. If you disable or do not configure this policy setting, a
n see: http://go.microsoft.com/fwlink/p/?LinkId=234043
dresses ever classified as private, enable the "Subnet definitions are authoritative" policy setting. If you disable
kId=234043
option, users can work offline if disconnected. If you do not configure this setting, users can work offline by def
option, users can work offline if disconnected. If you do not configure this setting, users can work offline by def
to ensure that all network folders on the machine are synchronized with the server on a regular basis. You can
owing formula when entering the slow link value: [ bps / 100]. For example, if you want to set a threshold value
han) the Latency threshold parameter. You can configure the slow-link mode by specifying threshold values for
s setting, the system limits the space that automatically cached files occupy to 10 percent of the space on the s
network latency value. We recommend using this policy setting when the network connection to the server is s
l as files added later, even if the files were stored using NTFS encryption or BitLocker Drive Encryption while on
e offline file is disconnected from the network. "2" also records events when the local computer is connected an
e offline file is disconnected from the network. "2" also records events when the local computer is connected an
the "Extensions" box. To type more than one extension, separate the extensions with a semicolon (;). Note: To m
n change this option. This setting appears in the Computer Configuration and User Configuration folders. If both
n change this option. This setting appears in the Computer Configuration and User Configuration folders. If both
that files are complete but does not ensure that they are current. If you do not configure this setting and Synch
that files are complete but does not ensure that they are current. If you do not configure this setting and Synch
he time the computer is suspended, a synchronization is not performed.
he time the computer is suspended, a synchronization is not performed.
prevent users from changing the setting while a setting is in effect, the system disables the "Enable reminders"
prevent users from changing the setting while a setting is in effect, the system disables the "Enable reminders"
known seed server on the Internet only; enable the setting, leave the seed server list empty, leave the checkbox
termine the seed server to bootstrap from.
gistry key to determine the seed server to bootstrap from.
is setting, PNRP will use multicast for bootstrapping on the same subnet. If this setting is not configured, the pr
this setting, PNRP will use multicast for bootstrapping on the same subnet. If this setting is not configured, the
this setting, PNRP will use multicast for bootstrapping on the same subnet. If this setting is not configured, the
olicy setting, PNRP does not create a cloud, and applications cannot use this cloud to publish or resolve names
on installation, failures during application runtime, and drivers blocked due to compatibility issues. Note: This p
y receive it from the file servers. Policy configuration Select one of the following: - Not Configured. With this se
n Select one of the following: - Not Configured. With this selection, this policy setting is not applied to client com
bled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must
attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache ser
ecify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable Br
e where client computers are domain members but you do not want to enable BranchCache on all client compu
- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy. In
e client computer cache setting on all client computers, you can specify Not Configured for this domain Group P
t to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy se
s will not be able to detect, troubleshoot or resolve any Windows Boot Performance problems that are handled b
setting, Windows will not be able to detect, troubleshoot or resolve any Windows Shutdown Performance proble
ou disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Standby/R
cy setting, Windows will not be able to detect, troubleshoot or resolve any Windows System Responsiveness pro
d. If you disable or do not configure this policy setting, the computer system safely shuts down to a fully power
ck screen slide show" policy setting can be used to disable the slide show feature.
ck screen slide show" policy setting can be used to disable the slide show feature.
n policy setting takes precedence over the User Configuration policy setting.
n policy setting takes precedence over the User Configuration policy setting.
etails property of a module or snap-in determines whether the execution events of a module or snap-in are logg
etails property of a module or snap-in determines whether the execution events of a module or snap-in are logg
ter Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting t
ter Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting t
ranscripting of PowerShell-based applications is disabled by default, although transcripting can still be enabled
ranscripting of PowerShell-based applications is disabled by default, although transcripting can still be enabled
nfiguration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precede
nfiguration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precede
of a local file and stored on the backup.
of a local file and stored on the backup.
rinters folder's left pane" setting in this folder and the "Browse a common Web site to find printers" setting in Us
ry is turned on. To turn on network discovery, click "Start", click "Control Panel", and then click "Network and Int
ommands to the printer. This increases the workload of the client while decreasing the load on the server. If you
Also, see the "Custom support URL in the Printers folder's left pane" and "Activate Internet printing" settings in "
network printer browse page is removed from within the Add Printer Wizard, and users cannot search the netwo
You can also use this setting to direct users to a particular printer or group of printers that you want them to us
lder, and, on the Tools menu, click Folder Options, click the General tab, and then click "Enable Web content in f
ying this policy, existing kernel-mode drivers will be disabled upon installation of service packs or reinstallation o
int drivers loaded by applications are not affected. -This policy setting takes effect without restarting the print s
hat you are using. By default, Windows Ultimate, Professional and Home SKUs will continue to search for compa
n print drivers will be loaded within all associated application processes. Notes: -This policy setting applies onl
rint spooler. Print drivers loaded by applications are not affected. -This policy setting takes effect without restar
, users will only be able to package point and print to print servers approved by the network administrator. Whe
, users will only be able to package point and print to print servers approved by the network administrator. Whe
ar when users Point and Print, or when printer connection drivers need to be updated. If you do not configure th
ar when users Point and Print, or when printer connection drivers need to be updated. If you do not configure th
ion screen and to the General tab in the Printer Properties dialog box. If you enable the Group Policy Computer l
es not delete printers that users have already added. However, if users have not added a printer when this sett
browse master on the domain.
om being pruned when the computer is temporarily disconnected from the network. Note: You can use the "Dir
r disable this setting the default values will be used. Note: This setting is used only on domain controllers.
ve Directory. You can use this setting to change the number of retries. If you enable this setting, you can chang
he computer has not responded by the last contact attempt, its printers are pruned from the directory. If you en
0 computers and computers in other domains cannot republish printers in Active Directory automatically, by de
em without having to search for installation files. If this setting is enabled, users cannot view the programs that
t prevent the Default Programs icon from appearing on the Start menu.
r the other settings in this folder. This setting does not prevent users from using other tools and methods to ins
network adapter.
network adapter.
work adapter, this setting is ignored when configuring that network adapter.
d when configuring that network adapter.
at network adapter.
network adapter.
policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Resource Exhaustion pro
ems "Use a system image you created earlier to recover your computer" and "Reinstall Windows" (or "Return yo
supported versions.
e "Workstation Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut dow
rver 2003. Note: This feature might interfere with power configuration settings that turn off hard disks after a p
licy setting, users can configure the setting in System Properties in the Control Panel.
de Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the comp
tance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. I
warning message.
etting, application-based settings are used. If you do not configure this policy setting, application-based setting
h calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service. If you do not co
ll generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using c
mation required for troubleshooting has a negligible effect on performance and uses only about 4K of memory,
e this policy setting, the RPC runtime will generate extended error information. You must select an error respon
is policy setting. If you do not configure this policy setting, it remains disabled. The RPC server runtime will be
r the RPC Client or the RPC Server or the RPC HTTP Proxy run on an older version of Windows, this policy setting
setting is enabled or not.
guration takes precedence over the policy setting set in User Configuration.
guration takes precedence over the policy setting set in User Configuration.
sible"" policy setting is enabled or not.
d, C.ps1 Assume also that there are two computers, DesktopIT and DesktopSales. For DesktopIT, GPOs A, B, an
Qin Hong and Tamara Johnston. For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C r
Qin Hong and Tamara Johnston. For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C r
portant when other system tasks must wait while the scripts complete. By default, each startup script must com
y access and search troubleshooting content that is available locally on their computers, even if they are connec
ing preferences will take precedence, as configured in the control panel. If no local troubleshooting preference
e. For example, the English locale ID is 1033. http://sitename/_layouts/XXXX/searchresults.aspx?SearchString=$
is Windows SharePoint Services (WSS), the query should resemble the following, where XXXX is the locale ID of
uch as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to main
results are displayed in Search. Note: If you enable the "Don't search the web or display web results in Search
delegate mailboxes are managed separately from online mailboxes. The "Enable Indexing of Uncached Exchange
ffect on mail items when using Microsoft Office Outlook in cached mode.
y path not restricted by other policies, but their original list of paths to index is not restored.
et up the initial machine preference.
ndant because non-administrative users do not have permission to install new components. If your users have A
s can choose what information is shared in Search.
er is not joined to a Windows domain, the policy setting will have no effect. If you do not congifure this policy se
onfigured in the Server Manager console. If you disable this policy setting, Server Manager does not refresh aut
ayed on subsequent logons.
logon. Note: Regardless of the status of this policy setting, Server Manager is available from the Start menu or
n should be specified by prefixing the path with wim: and include the index of the image to use in the WIM file
e handwriting recognition personalization tool will automatically be shared with Microsoft. If you do not configu
e handwriting recognition personalization tool will automatically be shared with Microsoft. If you do not configu
computer.
en though they would be prevented from doing so using File Explorer. Note: Non-Microsoft applications with Win
even though they would be prevented from doing so using File Explorer. Note: Non-Microsoft applications with W
d logon object identifier can be used to log on with a smart card.
t logons when you are not connected to the network.
gon screen.
ficate that is used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise
do not configure this setting, Windows will only attempt to read the default certificate from those cards that do
g or do not configure this setting, then the subject name will be reversed. If you disable , the subject name will
ems within the communities it recognizes, and only SNMP Read operation is allowed for the community. If you d
onfigure this policy setting, SNMP service takes the permitted managers configured on the local computer inste
ommunity. If you disable or do not configure this policy setting, the SNMP service takes the trap configuration co
configure this policy setting, users see a standard Access Denied message unless the file server is configured t
e default set of properties.

heck box is enabled only when a user enters a 16-bit program in the Run dialog box.
alog box that appears when you press Ctrl+Alt+Del. Note: To add or remove the Log Off item on a computer, c
the System-drive\Users\User-name\Recent folder. Also, see the "Remove Recent Items menu from Start Menu"
e taskbar displays all toolbars. Users can add or remove custom toolbars, and the "Toolbars" command appears
m will store and display shortcuts to recently and frequently used files, folders, and websites. Note: The system
e: This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking an
the file. Note: This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this
o not configure this setting, the default is the new style, and the user can change the view.
there is no need to clean up the icons.
h bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user can
mands are available on the Start menu. The Power button on the Windows Security screen is also available. Not
grams for This Computer option from appearing in the Default Programs control panel.
ms that appear in the Favorites menu when you install Windows are preconfigured by the system to appeal to mo
ws the newest versions available for download. If you disable or do not configure this policy setting, the Window
+Alt+Del, and it does not prevent users from using other methods to log off. Tip: To add or remove the Log Off
isable Control Panel" policy settings and the policy settings in the Network Connections folder (Computer Config
nu, and from Computer and File Explorer. Also, see the "Disable Control Panel," "Disable Display in Control Pane
is disabled, the Recent Items menu appears in the Start Menu, and users cannot remove it. If the setting is not
ure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use th
he user presses Ctrl+F. Also, Search does not appear in the context menu when you right-click an icon represen
s add folders to the Start Menu directory in their user profiles, the folders appear in the directory but not on the
ocal path, such as C:\StartLayouts\myLayout.xml or a UNC path, such as \\Server\Share\Layout.xml. If the specifi
ocal path, such as C:\StartLayouts\myLayout.xml or a UNC path, such as \\Server\Share\Layout.xml. If the specifi
setting. Tip: To Turn off personalized menus without specifying a setting, click Start, click Settings, click Taskba
e the "Remove pinned programs list from the Start Menu" and "Do not allow pinning programs to the Taskbar" p
Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy settin
ovide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialo
ovide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialo
behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. If you
behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. If you
Users will not be able to configure this setting in the Input Panel Options dialog box. If you do not configure this
Users will not be able to configure this setting in the Input Panel Options dialog box. If you do not configure this
e included in recognition results when handwriting is converted to typed text. Users will not be able to configure
Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options. Caution
Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options. Caution
Panel Options dialog box. If you do not configure this policy, application auto complete lists will appear next to I
Panel Options dialog box. If you do not configure this policy, application auto complete lists will appear next to I
ned off. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this
alog box. If you enable this policy and choose Tolerant," users will be able to use the Z-shaped scratch-out ges
alog box. If you enable this policy and choose Tolerant," users will be able to use the Z-shaped scratch-out ges
ble or do not configure this policy setting, all files that the user opens appear in the menus, including files locate
isplayed automatically. Note that the checkbox is not checked by default even if this setting is Disabled or Not
isplayed automatically. Note that the checkbox is not checked by default even if this setting is Disabled or Not
onfigured, the setting in Computer Configuration takes precedence over the setting in User Configuration. Tip: T
onfigured, the setting in Computer Configuration takes precedence over the setting in User Configuration. Tip: T
ent users from creating a new task by pasting or dragging any program into the Scheduled Tasks folder. To prev
ent users from creating a new task by pasting or dragging any program into the Scheduled Tasks folder. To prev
. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in Use
. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in Use
ess. If no global IPv6 address is present and no global IPv4 address is present, the host will not have a 6to4 inte
gh stateless address auto-configuration. If the ISATAP router name is not resolved successfully, ISATAP connectiv
efresh rate is configured using the local settings on the computer. The default refresh rate is 30 seconds.
y Firewalls or other middle boxes.

been blocked.
been blocked.
o start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP s
can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an
owed when connecting to a computer running Windows Server 2008 R2, Windows Server 2008, or Windows Ser
2. If you enable this policy setting, audio recording redirection is allowed. If you disable this policy setting, aud
2003 terminal server with a client using RDP 5.1 and later.
mine whether the remote connection is allowed. This setting is found on the Remote tab in the System properti
sable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their p
econnect if connection is dropped" checkbox on the Experience tab in Remote Desktop Connection.
k bandwidth. In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used
ndows Server running Hyper-V with RemoteFX vGPU enabled, the policy has to be set on the Hyper-V host machi
etter graphics quality than low quality and uses less bandwidth than high quality. If you enable this policy settin
tting, you must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the serve
Connection Broker. If you disable or do not configure this policy setting, the farm name is not specified at the G
of all the RD Connection Broker servers. If you disable or do not configure this policy setting, the policy setting
able this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP
be authenticated, the user is prompted to choose whether to connect to the RD Session Host server without auth
/console switch from Remote Desktop Connection in the computer field name or from the command line.
fied at the Group Policy level.
the Group Policy level.

ient drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard
rs by using the Remote Desktop Session WMI Provider. Note: The preferred method of managing user access is
upported Plug and Play devices to the remote computer.If you do not configure this policy setting, users can redi
op Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by the
ault printer is not specified at the Group Policy level.
puter are stored in a common Temp folder under the user's profile folder on the remote computer. If you disable
RD Gateway server settings" option on the client. Note: To enforce this policy setting, you must also specify the
support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy
enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. If you disa
enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. If you disa
s set to Disabled, wallpaper might appear in a Remote Desktop Services session, depending on the client config
ing, these notifications will be displayed on the RD Session Host server after you log on as a local administrator.
isable this policy setting, the server does not join a farm in RD Connection Broker, and user session tracking is n
on the license server. By default, the RDS Endpoint Servers group is empty. If you disable or do not configure
ned by the bandwidth of the remote connection. The audio playback quality that you specify on the remote com
you disable or do not configure this policy setting, the color depth for connections is not specified at the Group P
vices session will be determined by the values specified on the Display Settings tab in the Remote Desktop Sess
To use this setting, enter the number of connections you want to specify as the maximum for the server. To spec
d. When the size of the entire roaming user profile cache exceeds the maximum size that you have specified, th
h multimedia.
setting for screen capture rate and the highest setting for image quality. By default, Remote Desktop Connect
most appropriate RDS CAL is not available for a connection, a Windows Server 2008 license server will issue a W
n Host server to provide credentials, clear the Always prompt for password check box on the Log on Settings tab
ds to disconnect from a Remote Desktop Services session. This policy setting also does not prevent disconnecte
st. If the status is set to Not Configured, unsecured communication is allowed. Note: The RPC interface is used
e Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server
About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication s
tinuous Network Detect, Remote Desktop Protocol will not try to determine the network quality at the connect ti
s when a specific certificate has not been selected. If no certificate can be found that was created with the spe
le: * High: The High setting encrypts data sent from the client to the server and from the server to the client by
To configure this policy setting, type the path to the network share in the form of \\Computername\Sharename. D
an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentica
ocol that is enabled on the client or a smart card can be used. To allow users to overwrite the "Set RD Gateway
ellipses. Do not specify a placeholder for user alias, because Remote Desktop Services automatically appends
s consent. 5. View Session without user's permission: Allows the administrator to watch the session of a remote
s consent. 5. View Session without user's permission: Allows the administrator to watch the session of a remote
onfigure this policy setting, the licensing mode is not specified at the Group Policy level.
etting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sess
etting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sess
is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active
is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active
ed from the server after the specified amount of time. To enforce the default behavior that disconnected session
ed from the server after the specified amount of time. To enforce the default behavior that disconnected session
URL. The user's default logon credentials are used when setting up the default connection URL. If you disable or
nter driver mismatch, the server will attempt to find a suitable driver. If one is not found, the client's printer is no
g in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for th
in Program path and file name, type the fully qualified path and file name of the executable file to be run when
in Program path and file name, type the fully qualified path and file name of the executable file to be run when
o not support these advanced graphics.

ession Host servers in the farm. If you disable this policy setting, the IP address of the RD Session Host server i
enable and configure the "Set path for Remote Desktop Services Roaming User Profile" policy setting.
Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does no
Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does no
graphics renderer by default. NOTE: The policy setting affects only the default graphics processing unit (GPU) o
s that are installed on domain controllers in the same domain as the RD Session Host server. If you disable or do
, you can configure desktop composition on the Experience tab in Remote Desktop Connection (RDC) or by usin
es session. If you enable this policy setting, remote users can start any program on the RD Session Host server
ws Server 2003 terminal server with a client using RDP 5.1 or later.
uter after the client connects to the remote computer. If an initial program is not specified, the desktop is always
allow font smoothing" setting in a Remote Desktop Protocol (.rdp) file. If you enable this policy setting, font sm
ab in the Remote Desktop Connection options for more information). Servers running Windows Server 2008 do n
ssion Host server. If the user starts a RemoteApp program before the time limit is reached, the user will reconne
ssion Host server. If the user starts a RemoteApp program before the time limit is reached, the user will reconne
rst RD Session Host server to which they connect. If you do not configure this policy setting, you can configure
y of the local computer according to the operating system managed TPM authentication setting you choose. C
ocal lists may be blocked by Windows. The default list of blocked TPM commands is pre-configured by Windows.
against the Win32_Tpm interface. See the related policy setting to configure the Group Policy list of blocked TPM
s policy setting, Windows will block the TPM commands found in the local list, in addition to commands in the Gr
and receives an error response indicating an authorization failure occurred. Authorization failures older than the
and to the TPM and receives an error response indicating an authorization failure occurred. Authorization failure
user's profile folder. If you disable or do not configure this policy setting, only the user is given full control of th
me share by using the home directory drive letter. If you disable or do not configure this policy setting, the syst
e slow. If you disable or do not configure this policy setting, Windows considers the network connection to be sl
mains on the network server that stores it. If you disable or do not configure this policy setting, Windows keeps
slow link detection is enabled. The system measures the speed of the connection between the user's computer
ws XP SP1, the default behavior is to check the folder for the correct permissions if the profile folder already exis
policy setting, Windows will always unload the users registry at logoff, even if there are any open handles to th
ser profile. Also, see the "Delete cached copies of roaming profiles" policy setting.
a to function. If you enable this policy setting and the user has a roaming profile, the roaming profile is downloa
profile for roaming user profiles. The default timeout value is 30 seconds. To use this policy setting, type the num
uch as the History, Temp, and Temporary Internet Files folders are excluded from the user's roaming profile. In
roup Policy software installation data for roaming users when profiles are deleted from the machine. This will im
ow often the customized message is displayed. Note: In operating systems earlier than Microsoft Windows Vista
istry settings. By default, the system repeats its periodic attempts 60 times (over the course of one minute). If
omputer: At first logon, the user receives a new local profile, rather than the roaming profile. At logoff, changes
ges a user makes to their roaming profile aren't merged with the server (roaming) copy when the user logs off. I
hoose whether to download the remote user profile before Windows detects the network connection speed. If yo
ero causes Windows to proceed without waiting for the network. If you disable or do not configure this policy se
g on this computer will use the roaming profile path specified in this policy. If you disable or do not configure th
ofile is uploaded to the server every six hours while the user is logged on. If "Run at specified time of day" is ch
onment variables or ellipses in the path. Also, do not specify a placeholder for the user name because the user
o remain online while the user is logged on, if the network paths are accessible. Note: You should not use this p
will not be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise aut
ming user profile. The local copy is also used when the user is consulted (as set in the "Prompt user when slow
Do not install BitLocker To Go Reader on FAT formatted fixed drives" check box to help prevent users from runnin
select the "Do not install BitLocker To Go Reader on FAT formatted removable drives" check box to help prevent
d to create Network Key Protectors, and protects the information exchanged with the server to unlock the comp
stems capable of Secure Boot-based integrity validation. When this policy is enabled and the hardware is capab
e or do not configure this policy setting, the BitLocker setup wizard will display the computer's top-level folder v
devices that are not running Windows 10 (Version 1511). If you disable or do not configure this policy setting, B
his policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose drive en
use to encrypt drives. If you disable or do not configure this policy setting, BitLocker will use the default encry
storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to generat
ng data recovery agents. In "Configure user storage of BitLocker recovery information" select whether users are
figure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed
crypted data. Saving to a USB flash drive will store the 48-digit recovery password as a text file and the 256-bit r
ption" text box will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in
he BitLocker Recovery console and require that either the recovery password or recovery key be provided to unl
ations" group policy setting to configure the TPM PCR profile for computers using native UEFI firmware. If you e
gure the TPM PCR profile for computers with BIOS configurations or computers with UEFI firmware with a CSM en
yption. If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating system
ed encryption. If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating
d encryption. If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating s
a drive with any of the protectors available on the drive. If you enable this policy setting, users can configure a
allow unlocking a drive with any of the protectors available on the drive. If you enable this policy setting, users
vailable on the drive. If you enable this policy setting, users can configure a password that meets the requirem
protected fixed data drives. If you do not configure this policy setting, smart cards can be used to authenticate
Locker-protected removable data drives. If you do not configure this policy setting, smart cards are available to
finitions are enabled. If at least one is enabled, the service will remain running. If both are disabled, the service
urned off.
this setting, definition retirement will be enabled. If you disable this setting, definition retirement will be disab
ry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved.
l prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the
indows SmartScreen behavior is managed by administrators on the PC by using Windows SmartScreen Settings
e existence of the known folder.
permissions to install a program, the installation continues with the current user's logon credentials. As a result,
h even when it cannot find the target file in the current target path. If you disable or do not configure this polic
Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. T
s a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting.
en dialog box, start Wordpad and, on the File menu, click Open. Note: In Windows Vista, this policy setting appl
ing does not prevent users from using programs to access these drives or their contents. And, it does not preve
ide all context menus, use the "Remove File Explorer's default context menu" setting.
Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. T
ain by other commonly used methods, such as typing the share name in the Run dialog box or the Map Network
e computers in the user's workgroup or domain from lists of network resources, use the "No Computers Near Me
File Explorer after a search is executed. These links will be shared between Internet search sites and Search Con
u can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer
t if users double-click the icons, a message appears explaining that a setting prevents the action. Also, this set
users from connecting and disconnecting drives. Note: It is a requirement for third-party applications with Win
nu or on the Start menu. To remove Search from the Start menu, use the "Remove Search menu from Start menu
e the Shared Documents folder via Group Policy is only available on Windows XP Professional.
or credentials. If the dialog box does not appear, the installation proceeds with the current user's permissions. If
led, or not configured, users will still be able to override default file type and protocol associations.
mode, allowing applications to only open a limited set of folders. If you do not configure this policy setting the
mode, allowing applications to only open a limited set of folders. If you do not configure this policy setting the
enable users to add unsupported locations to Libraries. If you enable this policy, Windows Libraries features th
er than Windows Vista, enabling this policy will also disable the Active Desktop and Web view. This setting will a
ons point to different shares when their network paths are different. Note: If the paths point to different network
s XP Professional and is unlimited (4294967295 MB) on Windows Server 2003.

canning only. It does not affect the standard background file change detection that Windows File Protection prov
Firewall deletes the list. Note: You define entries in this list by using Security Descriptor Definition Language (S
blocks all the listed incoming and outgoing ICMP message types. As a result, utilities that use the blocked ICMP
blocks all the listed incoming and outgoing ICMP message types. As a result, utilities that use the blocked ICMP
s to open any of these ports by adding them to a local port exceptions list, Windows Firewall does not open the p
s to open any of these ports by adding them to a local port exceptions list, Windows Firewall does not open the p
1024 to 1034. On Windows Vista, this policy setting does not control connections to SVCHOST.EXE and LSASS.E
1024 to 1034. On Windows Vista, this policy setting does not control connections to SVCHOST.EXE and LSASS.E
a local port exceptions list, Windows Firewall does not open the port. In the Windows Firewall component of Cont
a local port exceptions list, Windows Firewall does not open the port. In the Windows Firewall component of Cont
ceiving Plug and Play messages. If an administrator attempts to open these ports by adding them to a local port
ceiving Plug and Play messages. If an administrator attempts to open these ports by adding them to a local port
-in. If you wish to prevent all locally created rules from applying, use the Group Policy Object Editor snap-in and
-in. If you wish to prevent all locally created rules from applying, use the Group Policy Object Editor snap-in and
vanced Security snap-in. If you wish to prevent all locally created rules from applying, use the Group Policy Obj
vanced Security snap-in. If you wish to prevent all locally created rules from applying, use the Group Policy Obj
permissions to the folder containing the log file. Default path for the log file is %systemroot%\system32\LogFiles
permissions to the folder containing the log file. Default path for the log file is %systemroot%\system32\LogFiles
the DELETE key. To edit a definition, remove the current definition from the list and add a new one with differen
the DELETE key. To edit a definition, remove the current definition from the list and add a new one with differen
he program list, enable the policy setting and then click the Show button. To add a program, enable the policy se
he program list, enable the policy setting and then click the Show button. To add a program, enable the policy se
that allow unsolicited incoming messages. In the Windows Firewall component of Control Panel, the "Block all in
that allow unsolicited incoming messages. In the Windows Firewall component of Control Panel, the "Block all in
t of Control Panel, the "Notify me when Windows Firewall blocks a new program" check box is selected by defaul
t of Control Panel, the "Notify me when Windows Firewall blocks a new program" check box is selected by defaul
tocol (DHCP) broadcast message sent by this computer. Windows Firewall always permits those DHCP unicast re
tocol (DHCP) broadcast message sent by this computer. Windows Firewall always permits those DHCP unicast re
main network" policy setting overrides.
main network" policy setting overrides.
n this policy is either disabled or not configured, Windows Media DRM functions normally and will connect to the
saver during playback check box.
he "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. This policy is ignored if th
s ignored if the "Streaming media protocols" policy setting is enabled and Multicast is not selected. If you disab
policy setting, the RTSP proxy server cannot be used and users cannot change the RTSP proxy settings. If you do
MP3 files) by retrieving missing media information from the Internet check box.
on the Windows XP Home Edition and Windows XP Professional operating systems.
e available with the specified skin. Users cannot switch the Player to full mode and cannot choose a different ski
eceive multicast streams" check box on the Network tab is selected. If you enable this policy setting, the admin
, enable the "Do not allow Windows Messenger to run" policy setting. Note: This policy setting is available unde
, enable the "Do not allow Windows Messenger to run" policy setting. Note: This policy setting is available unde
WinRM listeners are configured. The service listens on the addresses specified by the IPv4 and IPv6 filters. The IP
d value will be stored securely. If you enable and then disable this policy setting,any values that were previousl
is rejected. However, a request that does not contain a channel binding token is accepted (though it is not prot
r License Agreement , or Windows Update setting changes. There are two situations where the effect of this set
signed by Microsoft and are not affected by this policy setting. Note: This policy is not supported on Windows RT
pdate service location" setting must be enabled for this policy to have effect. Note: If the "Configure Automatic
he updates automatically and notify when they are ready to be installed Windows finds updates that apply to th
ut Down option in the Start menu. Note that this policy setting has no impact if the User Configuration\Adminis
ut Down option in the Start menu. Note that this policy setting has no impact if the Computer Configuration\Ad
n the intranet Microsoft update service this computer is directed to is configured to support client-side targeting
t wake unless there are updates to be installed. If the system is on battery power, when Windows Update wake
e installation. Note: This policy applies only when Automatic Updates is configured to perform scheduled instal
Do not show any notifications This setting will remove all access to Windows Update features and no notificati
es. If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
lient connects to the specified intranet Microsoft update service, instead of Windows Update, to search for and d
he user can also click "Close this message" or "Show me later" to defer the notification as appropriate. In Wind
items such as drivers, critical updates, Help files, and Internet products that you can download to keep your co
s setting or do not configure it, the setting is ignored and the system displays the Explorer interface. Tip: To find
e secure desktop can simulate the SAS.
user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level domain
expire is disabled or not configured, the Remove logon hours expiration warnings setting will have no effect,
n the users logon hours expire. The user can continue the existing session, but cannot log on to a new session.
screen apps are not restarted after the system restarts.
orarily connect to open hotspots to determine if paid services are available. If this policy setting is disabled, bo
nnections is Unrestricted by default.

rs is not automatically set up. If you disable or do not configure this policy setting, Work Folders uses the "Forc
on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores fi
le or do not configure this policy setting, the client computer will connect to WNS at user login and applications
ly remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected au
gardless of this setting.
use Add or Remove Programs to install published programs. However, they can still install programs by using ot
Program Access and Defaults from Start menu" setting.
eed. Note: This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New
6-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit compon
ontrol features of Windows use the application compatibility engine to provide mitigations for application proble
, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and
e changes.
ore apps when using a special profile. If you disable or do not configure this policy setting, Group Policy blocks
ttps, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilit
ttps, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilit
you enable this policy setting, you can specify the default risk level for file types. If you disable this policy settin
hen file attachments are opened.

y setting, Windows uses its default trust logic, which prefers the file handler over the file type. If you do not con
o read the command line arguments for any successfully created process. Command line arguments can contain
y disable autorun commands, or b) Revert back to pre-Windows Vista behavior of automatically executing the au
y disable autorun commands, or b) Revert back to pre-Windows Vista behavior of automatically executing the au
y on drives on which it is disabled by default. If you disable or do not configure this policy setting, AutoPlay is en
y on drives on which it is disabled by default. If you disable or do not configure this policy setting, AutoPlay is en
ogon credentials.
hing server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it is possible t
disabled or not configured.
nfigured.
s policy setting, BITS uses all available unused bandwidth. Note: You should base the limit on the speed of the
width used for peer caching. If you disable this policy setting or do not configure it, the default value of 30 perce
al administrator account do not count toward this limit.
can be assigned are: - Always transfer - Transfer unless roaming - Transfer unless surcharge app
cy setting, the limits defined for work or nonwork schedules will be used. Note: The bandwidth limits that are s
he network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, an
ays. If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inac
ght stop. This setting appears in the Computer Configuration and User Configuration folders. If both settings ar
ght stop. This setting appears in the Computer Configuration and User Configuration folders. If both settings ar
e. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. Note: For Windows Vista,
or Microsoft.Personalization. Note: For Windows Vista, Windows Server 2008, and earlier versions of Windows, t
ping %windir%\resources\Themes\Luna\Luna.msstyles Note: To select the Windows Classic visual style, leave th
. Note: This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" sett
e "Prevent changing Screen Saver" setting.
alization or Display Control Panel is used. The default is 15 minutes.
er the device's screen turns off before a password is required when waking the device. Instead, a password will
ers are available for authentication purposes.
e KB. FWlink for KB: http://go.microsoft.com/fwlink/?LinkId=301508 Note: The "Allow delegating default crede
egated. The use of a single wildcard character is permitted when specifying the SPN. For Example: TERMSRV/h
ng fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represen
only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN rep
he "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs)
mitted to any machine. If you disable this policy setting, delegation of saved credentials is not permitted to any
s.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine TERMSR
ources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine TE
V/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam
y modifying Administrative template settings (located at Computer Configuration\Administrative Templates\Syst
uding system services, find the executable names of programs, and change the priority of the process in which p
OM activation security check exemptions defined by Group Policy settings. If you add an appid to this list and se
pecification. If you disable this setting or do not configure it, no wallpaper is displayed. However, users can sele
ayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restric
he policy to a non-protected policy and then disable the setting, or 2) disable the setting and then remove the
y crash. Ensure that this policy setting is only deployed to computers which are known to be compatible. Crede
ting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a rem
event installation of removable devices" policy setting). If you enable this policy setting on a remote desktop se
files to be installed. "Warn" is the default. -- "Block" directs the system to refuse to install unsigned files. As a
client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install an
ate are selected for installation over drivers that are signed by other Authenticode certificates.
agement/Internet Communication settings.
ng, members of the Administrators group can determine the priority order in which Windows searches source lo
ot executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. Note:
cy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. No reboots or se
only if the NV cache feature is on.
cache are appropriately configured. Note: This policy setting will take effect on next boot. If you do not configur
specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system
rs reach an unenforced limit, their status in the Quota Entries window changes, but they can continue to write to
rcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whe
vent, users can detect that they have reached their warning level because their status in the Quota Entries win
current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volum
cal DNS client's primary domain suffix, a connection-specific domain suffix, and a DNS suffix search list. If attac
d to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.
ork connections.
he binding order. Note: This policy setting is applicable only if the turn off smart multi-homed name resolution
y DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined.
TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. Devolution is not enabled if a global suffi
ck box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. Devo
uffix. This applies to all network connections used by computers that receive this policy setting. For example, w
eeds: Computers will attempt to register PTR resource records only if registration of the corresponding A record
he refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records. To spe
that has the client's current IP address. If you enable this policy setting or if you do not configure this policy se
NR and NetBT queries.
clients try to use secure update.

cords that the computer needs to update.
setting applies to Japanese Microsoft IME only. Note: Changes to this setting will not take effect until the user lo
malware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to
e applied for any Windows Error Reporting policy settings that are not configured (even if users have changed s
der reports are automatically deleted. The setting for Number of days between solution check reminders determ
rompted to send them, or until the administrator sends them by using the Solutions to Problems page in Contro
and Windows prompts the user for consent to send any additional data requested by Microsoft. - 3 (Send param
and Windows prompts the user for consent to send any additional data requested by Microsoft. - 3 (Send param
olicy setting, users can enable or disable Windows Error Reporting in Control Panel. The default setting in Contr
Control Panel for Windows Error Reporting are applied.

Control Panel for Windows Error Reporting are applied.
ters that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification
ions on this list setting, and edit the list of application file names in the Show Contents dialog box. The file name
licy setting, errors are reported on all Microsoft and Windows applications by default.
licy setting, errors are reported on all Microsoft and Windows applications by default.
plication errors. If this policy setting is enabled, the Exclude errors for applications on this list setting takes pre
sing the Windows To Go Startup Options Control Panel item.
og an administrator event with instructions if manual recovery is possible. If you enable this setting, the recove
cted using the specified EID on the device. If you disable or do not configure this policy setting, the only Windo
Do not enable this policy setting if users will need access to their redirected files if the network or server holdin
omatically make all redirected folders available offline".
n location. If you disable or do not configure this policy setting, when the path to a redirected folder is changed
ers, the folders are redirected on the user's primary computer only. If you disable or do not configure this policy
ers, the folders are redirected on the user's primary computer only. If you disable or do not configure this policy
Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy a
Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy a
stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-i
nversely, all two-digit years greater than 29 (30 to 99) are interpreted as being preceded by 19, that is, 1930 to
y setting, the user can select a custom locale as their user locale. If this policy setting is enabled at the machin
y setting, the user can select a custom locale as their user locale. If this policy setting is enabled at the machin
t to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configure
t to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configure
s control panel to select any available UI language.

s can select any system locale shipped with the operating system.
sers. If you disable or do not configure this policy setting, users can select any locale installed on the computer
sers. If you disable or do not configure this policy setting, users can select any locale installed on the computer
language" policy setting.
lected and stored. Note: Automatic learning of both text and ink might not be available for all languages, even
lected and stored. Note: Automatic learning of both text and ink might not be available for all languages, even
09) is posted, stating that loopback was invoked in Replace mode. If you enable this policy setting, the behavior
always uses local ADM files in your %windir%\inf directory when editing GPOs. This leads to the following behav
equiring synchronous processing such as Software Installation, Folder Redirection and Drive Maps preference e
he case that no network bandwidth speed is determined. Note: When Group Policy detects a slow network con
ow connections can cause significant delays. The "Do not apply during periodic background processing" option
gnificant delays. The "Do not apply during periodic background processing" option prevents the system from u
es the policies even when the update is being transmitted across a slow network connection, such as a telephon
ow Link Detection policy setting to configure asynchronous foreground behavior.) The slow link value that is d
ailable domain controller. If you disable this setting or do not configure it, the Group Policy Object Editor snap-i
nection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. If
nection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. If
as a telephone line. Updates across slow connections can cause significant delays. The "Do not apply during pe
hone line. Updates across slow connections can cause significant delays. The "Do not apply during periodic bac
estart. The "Process even if the Group Policy objects have not changed" option updates and reapplies the polici
y during periodic background processing" option prevents the system from updating affected policies in the bac
e next user logon or system restart. The "Process even if the Group Policy objects have not changed" option upd
nnection" option updates the policies even when the update is being transmitted across a slow network connect
replace the user settings normally applied to the user. "Merge" indicates that the user settings defined in the c
cant delays. The "Do not apply during periodic background processing" option prevents the system from updati
se significant delays. The "Do not apply during periodic background processing" option prevents the system fro
mputer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer C
mputer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer C
p Policy Slow Link Detection policy setting to configure asynchronous foreground behavior.) The slow link value
lt, but administrators can view preferences by turning off the "Show Policies Only" command. Note: To find the
o change the policy refresh interval. Note: If you make changes to this policy setting, you must restart your com
als are not appropriate for most installations. If you disable this setting, Group Policy is updated every 90 minut
es (the default). To specify that Group Policies for users should never be updated while the computer is in use, s
te for most installations. If you disable this setting, user Group Policy is updated every 90 minutes (the default)
n computers running Windows Vista operating system.
default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 confi
amp. NOTE: If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Objec
orkgroup.
ns can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents th
e a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are
ections can cause significant delays. 2. The "Do not apply during periodic background processing" option preve
here a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there
significant delays. 2. The "Do not apply during periodic background processing" option prevents the system fro
e file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preferenc
s can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents th
user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no
cross slow connections can cause significant delays. 2. The "Do not apply during periodic background processin
ere a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there ar
delays. 2. The "Do not apply during periodic background processing" option prevents the system from updatin
e created on the client computer, and you must turn on the "Tracing" option. If there are no preference items un
ion, such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not app
n where a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If the
gnificant delays. 2. The "Do not apply during periodic background processing" option prevents the system from
le can be created on the client computer, and you must turn on the "Tracing" option. If there are no preference
e significant delays. 2. The "Do not apply during periodic background processing" option prevents the system fr
file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preference
can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the
e file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preferenc
ephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply during periodic
h in the "User trace" box to the location where a user trace file can be created on the client computer, and you m
such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply d
ocation where a user trace file can be created on the client computer, and you must turn on the "Tracing" option
ow connections can cause significant delays. 2. The "Do not apply during periodic background processing" optio
ation where a user trace file can be created on the client computer, and you must turn on the "Tracing" option. I
a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply during per
n where a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If the
onnection, such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do n
file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preference
s slow connections can cause significant delays. 2. The "Do not apply during periodic background processing" o
location where a user trace file can be created on the client computer, and you must turn on the "Tracing" optio
use significant delays. 2. The "Do not apply during periodic background processing" option prevents the system
e file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preferen
ch as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply duri
ocation where a user trace file can be created on the client computer, and you must turn on the "Tracing" option
e significant delays. 2. The "Do not apply during periodic background processing" option prevents the system f
ce file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preferen
ause significant delays. 2. The "Do not apply during periodic background processing" option prevents the syste
trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no prefe
s can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the
user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no
tting does not override any "Permit use of <extension name> preference extension" policy settings that are disa
not override any "Permit use of <extension name> preference extension" policy settings that are disabled. If yo
explicitly permitted list of snap-ins," "Permit use of Control Panel Settings (Computers)," or "Permit use of Contro
itly permitted list of snap-ins," "Permit use of Control Panel Settings (Computers)," or "Permit use of Control Pan
e explicitly permitted list of snap-ins," "Permit use of Control Panel Settings (Computers)," or "Permit use of Cont
f Control Panel Settings (Users)" policy settings.

ers to the explicitly permitted list of snap-ins," "Permit use of Control Panel Settings (Computers)," or "Permit us
he explicitly permitted list of snap-ins," "Permit use of Control Panel Settings (Computers)," or "Permit use of Co
explicitly permitted list of snap-ins," "Permit use of Control Panel Settings (Computers)," or "Permit use of Cont
itly permitted list of snap-ins," "Permit use of Control Panel Settings (Computers)," or "Permit use of Control Pan
of Control Panel Settings (Users)" policy settings.
he explicitly permitted list of snap-ins," "Permit use of Control Panel Settings (Computers)," or "Permit use of Co
ontrol Panel Settings (Computers)" policy settings.
trol Panel Settings (Users)" policy settings.
somefolder, add the following string to the edit box: "%windir%\help;D:\somefolder". Note: An environment var
notifications and critical updates from Windows Update.

r do not configure this policy setting, your computer will contact the Windows Update website.
which prompts the user and then sends information about the event over the Internet to Microsoft. Also, see "E
ering wizards for more information, including details on specifying service providers in the registry.
ering wizards for more information, including details on specifying service providers in the registry.
e Search Companion feature completely.
e collected.
e collected.
ot configure this policy setting, the administrator can use the Problem Reports and Solutions component in Cont
ows Error Reporting.
earch Order" in "Administrative Templates/System/Device Installation" on newer versions of Windows.
access data from another site in the zone.

in the zone that uses MSXML or ADO to access data from another site in the zone.
cess data from another site in the zone.
onfigure this policy setting, the user can configure their list of search providers unless another policy setting res
onfigure this policy setting, the user can configure their list of search providers unless another policy setting res
ID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-o

ID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-o
VML will be allowed in zones set to 'admin-approved'. Note. If this policy is set in both Computer Configuration
VML will be allowed in zones set to 'admin-approved'. Note. If this policy is set in both Computer Configuration
ocal files or content processed by any process other than Internet Explorer or those defined in a process list.
ocal files or content processed by any process other than Internet Explorer or those defined in a process list.
you do not configure this policy setting, the Notification bar will appear to allow control over questionable conten
is blocked. If you do not configure this policy setting, all attempts to access such content over the restricted pr
is blocked. If you do not configure this policy setting, all attempts to access such content over the restricted pr
Explorer.
Explorer.
Explorer.
Explorer.
Explorer.
Explorer.
Explorer.
Explorer.
Explorer.
Explorer.
Explorer.
Explorer.
Explorer.
Explorer.
Explorer.
Explorer.
Explorer.
Explorer.
Explorer.
Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
ernet Explorer.
d windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on
uns without the added layer of security provided by this feature.
ow or prevent the display of placeholders for graphical images while the images are downloading.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
ecified zones.
computers.
computers.
on their computers.
on their computers.
ting this option, Internet Explorer sends a DNT:1 header with all HTTP and HTTPS requests; unless the user gran
ting this option, Internet Explorer sends a DNT:1 header with all HTTP and HTTPS requests; unless the user gran
zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Contro
es the user when newly installed add-ons are ready for use. The user must choose to activate them by respondi
es the user when newly installed add-ons are ready for use. The user must choose to activate them by respondi
o install them.
o install them.
click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in w
before downloading them to user computers.

before downloading them to user computers.
user clicks on a media link. If unchecked, the content will be played by the default media client on their system
r 1, the policy setting is ignored. If you enable this policy setting for an application or process in the list, a scrip
r 1, the policy setting is ignored. If you enable this policy setting for an application or process in the list, a scrip
you enable this policy setting, Internet Explorer only allows add-ons that are specifically listed (and allowed) thr
you enable this policy setting, Internet Explorer only allows add-ons that are specifically listed (and allowed) thr
y. If it is enabled, this policy is ignored.

ser Configuration\Administrative Templates\Windows Components\Internet Explorer) takes precedence over this
f you enable this policy, users can still run the Certificate Manager Import Wizard by double-clicking a software
rs are ignored on Web pages in which the author has specified the background and text colors.
s\Internet Explorer\Internet Control Panel), which removes the Programs tab from Internet Explorer in Control Pa
specified the font attributes.
m the interface.
s on which the author has specified link colors.
r this policy. If it is enabled, this policy is ignored.
ining which toolbars are displayed in Internet Explorer and File Explorer.
indows Components\Internet Explorer) take precedence over this policy. If either policy is enabled, this policy is
nistrative Templates\Windows Components\Internet Explorer) take precedence over this policy. If either policy is
er load for downloading content. The "Hide Favorites menu" policy (located in User Configuration\Administrative
el), which removes the Connections tab from the interface. Removing the Connections tab from the interface, ho
re concerned about server load for downloading content. The "Hide Favorites menu" policy (located in User Con
or settings" "Disable changing font settings" "Disable changing language settings" "Disable changing accessib
or settings" "Disable changing font settings" "Disable changing language settings" "Disable changing accessib
nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the secu
system. When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an
system. When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an
the "Do not display the reveal password button" policy setting located in Computer Configuration\Administrative
the "Do not display the reveal password button" policy setting located in Computer Configuration\Administrative
en browser windows are closed.
en browser windows are closed.
e in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and e
ource and destination are in the same window. Users can change this setting in the Internet Options dialog. In In
d by the feature control setting for the process.
shortcuts to these bars. If you enable this policy setting, the navigation bar, the menu bar, and the Command
shortcuts to these bars. If you enable this policy setting, the navigation bar, the menu bar, and the Command
policy, which disables this command on the shortcut menu, or the "Turn off Shortcut Menu" policy, which disabl
policy, which disables the entire shortcut menu.
olicy, which removes the Save As command, takes precedence over this policy. If it is enabled, this policy is igno
re this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
re this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
Internet Explorer requires consistent MIME data for all received files.
Internet Explorer requires consistent MIME data for all received files.
lorer. If you do not configure this policy setting, the Local Machine zone security applies to all local files and co
lorer. If you do not configure this policy setting, the Local Machine zone security applies to all local files and co
cy setting is ignored.
cy setting is ignored.
r processes.
r processes.
s to access my computer." Note. If policy for a zone is set in both Computer Configuration and User Configurat
e same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template
nes and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Se
s in this zone.
s in this zone.
s in this zone.
s in this zone.
ervention.
ervention.
s in this zone.
s in this zone.
s in this zone.
s in this zone.
ervention.
ervention.
ervention.
ervention.
ervention.
ervention.
known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses t
zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Mainten
Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which
nes Settings, and then click Modify Settings. 3. Select the content zone in which you want to manage ActiveX c
one in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls
Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved.
gs, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone i
lick Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved.
he Advanced tab in the Internet Options dialog box. For more information, see "Group Policy Settings in Interne
n bar. The user cannot interchange the positions of the menu bar and the navigation bar. If you do not configure
ect their preference for this behavior. Browsing to the top-result website is the default.
ect their preference for this behavior. Browsing to the top-result website is the default.
Track data is preserved when the user clicks Delete. If you disable this policy setting, ActiveX Filtering, Tracking
Track data is preserved when the user clicks Delete. If you disable this policy setting, ActiveX Filtering, Tracking
or the phishing filter.
or the phishing filter.
s empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter Internet Explorer processes in this
s empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter Internet Explorer processes in this
esses policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes config
esses policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes config
mation is allowed to be inconsistent. The Value Name is the name of the executable. If a Value Name is empty o
mation is allowed to be inconsistent. The Value Name is the name of the executable. If a Value Name is empty o
sses in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Pro
sses in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Pro
processes configured in this box take precedence over that setting. If you disable or do not configure this polic
processes configured in this box take precedence over that setting. If you disable or do not configure this polic
er that setting. If you disable or do not configure this policy setting, the policy setting is ignored.
er that setting. If you disable or do not configure this policy setting, the policy setting is ignored.
ed. Do not enter the File Explorer or Internet Explorer processes in this list: use the related Internet Explorer Pr
ed. Do not enter the File Explorer or Internet Explorer processes in this list: use the related Internet Explorer Pr
ses. If the All Processes policy setting is enabled, the processes configured in this box take precedence over tha
ses. If the All Processes policy setting is enabled, the processes configured in this box take precedence over tha
y setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do
y setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do
me is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignore
me is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignore
policy setting, the security feature is allowed.
policy setting, the security feature is allowed.
ot configure this policy setting, the security feature is allowed.
ot configure this policy setting, the security feature is allowed.
nistrative template file. For information about creating this custom administrative template file, see the Interne
nistrative template file. For information about creating this custom administrative template file, see the Interne
ministrative Templates\Windows Components\Internet Explorer\Browser Menus), which prevents users from open
strative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security t
nored. Also, see the "Security zones: Use only machine settings" policy.
ing Advanced Options in Internet Control Panel. By default, domain names are converted to IDN format only for
ing Advanced Options in Internet Control Panel. By default, domain names are converted to IDN format only for
u disable or do not configure this policy setting, Internet Explorer will use the default maximum storage limit for
u disable or do not configure this policy setting, Internet Explorer will use the default maximum storage limit for
ble or do not configure this policy setting, Internet Explorer will use the default maximum storage limit for all ind
ble or do not configure this policy setting, Internet Explorer will use the default maximum storage limit for all ind
default is 50 MB.
default is 50 MB.
or do not configure this policy setting, Internet Explorer will use the default maximum application cache resour
or do not configure this policy setting, Internet Explorer will use the default maximum application cache resour
ow to use the specified integer number of tab processes, regardless of the physical memory on the computer o
ow to use the specified integer number of tab processes, regardless of the physical memory on the computer o
Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved.
al security settings that protect your local computer.) If you enable this policy setting, you can enter a list of sit
al security settings that protect your local computer.) If you enable this policy setting, you can enter a list of sit
cally installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you d
option to start with the tabs from the last session.

option to start with the tabs from the last session.
pages in this zone to be submitted.



dnight. The Maximum Offline Page Crawl Depth setting specifies how many levels of a Web site are searched for
mponents\Internet Explorer and in \Administrative Templates\Windows Components\Internet Explorer\Internet Co
reshold. This is the default.

reshold. This is the default.
gy to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box. Note that A
gy to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box. Note that A
xplorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. For more info
xplorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. For more info
turn on or turn off details in these error messages.
nfigure this policy setting, the user can select which encryption method the browser supports. Note: SSL 2.0 is
nfigure this policy setting, the user can select which encryption method the browser supports. Note: SSL 2.0 is
turn off image display.
can enable or disable incompatible toolbars. Toolbars that are enabled or disabled via policy settings do not un
can enable or disable incompatible toolbars. Toolbars that are enabled or disabled via policy settings do not un
Windows Search setting on or off. Note: If you enable this policy setting, feeds do not appear in the Address bar.
Windows Search setting on or off. Note: If you enable this policy setting, feeds do not appear in the Address bar.
e is turned off by default.
e is turned off by default.
e branding is complete for ISPs (IEAK).

cy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Optio
cy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Optio
rrent user agent string. Additionally, all Standards Mode webpages appear in the Standards Mode available in th
rrent user agent string. Additionally, all Standards Mode webpages appear in the Standards Mode available in th
Mode. The user cannot change this behavior through the Compatibility View Settings dialog box. If you do not
Mode. The user cannot change this behavior through the Compatibility View Settings dialog box. If you do not
off the Notification bar.

off the Notification bar.
tly within a Web page saved to disk.
rectly within a Web page saved to disk.
g, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
he possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as s
g, a warning is issued to the user that potentially risky navigation is about to occur.
g, a warning is issued to the user that potentially risky navigation is about to occur.
mpound authentication or armoring which is the default behavior for domain controllers running Windows Server
ctional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003, Windo
sends a compound authentication request regardless of the account configuration.
rted and set identically on all domain controllers in the domain.
do not configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos M
ntication request first then a compound authentication request when the service requests compound authentic
ng, remove the current entry from the list and add a new one with different parameters. If you disable this polic
e Name or Value entry from the list, click the entry, and then press the DELETE key. To edit a mapping, remove t
eros armoring. If you disable or do not configure this policy setting, the client computers in the domain enforce
ms for clients using Kerberos protocol transition.
of the KDC's X.509 certificate. If you disable or do not configure this policy setting, the Kerberos client requires
okenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, w

tton. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key
re applications are configured for Dynamic Access Control. Always: Compound authentication is always provide
ficates then authentication will fail. If you disable this policy setting, Disable will be used. If you do not configur
estart Windows.
the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on indi
ng and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a vari
u disable or do not configure this policy setting, the default behavior of LLTDIO will apply.
etwork" and "Prohibit operation while in private network" options instead. If you disable or do not configure this
n. Therefore, they must be processed in the foreground before users are actively using the computer. In addition
ttings are configured, the setting in Computer Configuration takes precedence over the setting in User Configur
ttings are configured, the setting in Computer Configuration takes precedence over the setting in User Configur
Computer Configuration takes precedence over the policy setting in User Configuration. Note: To create a cust
Computer Configuration takes precedence over the policy setting in User Configuration. Note: To create a cust
the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the ""Do
the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the ""Do
ppears in the Computer Configuration and User Configuration folders. If both settings are configured, the system
ppears in the Computer Configuration and User Configuration folders. If both settings are configured, the system
se of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted. Wh
o cannot open a blank MMC console window from a command prompt. If you disable this setting or do not confi
hen disable the settings representing the snap-ins you want to prohibit. If a snap-in setting in the folder is enabl
nabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, e
tly permit use of the Group Policy tab, enable this setting. If this setting is not configured (or disabled), the Grou
cy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios will not b
setting, MSDT never downloads tools, and is unable to diagnose problems on remote computers. If you do not c
en the installation program is running in a privileged security context in which it has access to directories denied
ated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.
patches to programs that run in their own security context. Also, see the "Prohibit patching" policy setting.
isplayed in Add or Remove Programs, only system administrators can install from removable media. Also, see t
trator does not distribute or offer. Note: This policy setting appears both in the Computer Configuration and Us
trator does not distribute or offer. Note: This policy setting appears both in the Computer Configuration and Us
e available free space for the baseline file cache. If you disable or do not configure this policy setting, the Windo
ws Installer will use less restrictive rules for component upgrades.
e media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy setting
ed products" policy setting.
nistrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are s
les. However, because an incomplete installation can render the system or a program inoperable, do not use th
les. However, because an incomplete installation can render the system or a program inoperable, do not use th
r versions lesser than 4.0. This option lets those packages display the legacy files in use UI while still using Rest
n their user profile.
ns offered on the desktop or in Add or Remove Programs. This policy setting affects Windows Installer only. It do
g, Windows Installer stores transform files in the Application Data directory in the user's profile. If you do not co
policy. If you disable or do not configure this policy setting, Windows Installer will automatically generate log fi
ishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Se
tion will be performed without UI. Recovery is not attempted. If you enable this policy setting, the recovery be
ot matter. The syntax is HTTP: followed by a URL. The host portion of the URL must resolve to an IPv6 address
nctionality.
es (such as PRINTSVR) for local resources when connected to a different intranet and for temporary access to i
ms represents a potential security risk. If you disable this policy setting, Net Logon will not allow the negotiatio
s. If you enable this policy setting, this DC does not process incoming mailslot messages that are used for NetB
etBIOS-based discovery for DC location if only the NetBIOS domain name is known. If you enable or do not confi
load-balancing of clients across all available domain controllers in all domains or forests. The default time interv
nable the default behavior. If you enable this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. T
ed by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon sha
Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures t
. If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
additional client IP addresses. To specify this behavior in the DC Locator DNS SRV records, click Enabled, and th
stName> DcByGuid SRV _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName> GcIpAddress
reserved in the database. Warning: If the DNS resource records are registered in zones with scavenging enable
nets that allow administrators to configure Active Directory access and replication. To specify the sites covered
es in a space-delimited format. If you do not configure this policy setting, it is not applied to any DCs, and DCs
you enable this policy setting, Try Next Closest Site DC Location will be turned on for the computer. If you disab
not applied to any DCs, and DCs use their local configuration.
main specified with a single-label name, by appending different registered DNS suffixes to perform DNS name re
ed or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active
etting is too small, a client will stop trying to find a DC too soon.
ue set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may
Setting is used. Warning: If the value for this setting is too large, a client may take very long periods to try to fi
viors: 1 - Computers will ping DCs at the normal frequency. 2 - Computers will ping DCs at the higher frequenc
etting), the Properties menu items are disabled, and users (including administrators) cannot open the remote a
, but you can change the default by using the "Prohibit deletion of remote access connections" setting.) Import
ers. If you do not configure this setting, only Administrators and Network Configuration Operators can enable/d
ons or remote access connections available to all users" setting is configured (set to either Enabled or Disabled)
d Network Configuration Operators have the right to rename LAN or all user remote access connections. Note: W
available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to pr
on representing a LAN connection. Also, when users select the connection, Properties is enabled on the File men
ers. If you disable this setting or do not configure it, the Properties button is enabled for administrators and Ne
Remote Access Connection Properties dialog box includes a list of the network components that the connection u
rators. Note: Nonadministrators are already prohibited from accessing the Advanced Settings dialog box, regard
ke New Connection icon starts the New Connection Wizard. Note: Changing this setting from Enabled to Not Co
Network Connections folder are enabled. Also, administrators can gain access to network components in the Wi
nnection. Important: If the "Enable Network Connections settings for Administrators" is disabled or not configur
onnection, by right-clicking it, or by using the File menu.
user. (By default, only Administrators and Network Configuration Operators can delete connections available to
bles the component, and clearing the check box disables the component. Note: When the "Prohibit access to pr
ng does not remove an existing Network Bridge from the user's computer.
ections. Users can rename their private connection by clicking an icon representing the connection or by using
is setting is superseded by settings that prohibit access to properties of connections or connection components
ernet Connection Firewall cannot be enabled or configured by users (including administrators), and the Internet
ting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab
ettings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Wind
do not configure this policy setting, traffic between remote client computers running DirectAccess and the Intern
n IP address will be reported via a notification, providing the user with information as to how the problem can be
gure this policy setting, apps will use the Internet proxies auto-discovered by Windows Network Isolation. Exam
cy setting. If you disable or do not configure this policy setting, Windows Network Isolation attempts to automat
s can work offline by default, but they can change this option. This setting appears in the Computer Configurat
s can work offline by default, but they can change this option. This setting appears in the Computer Configurat
a regular basis. You can also configure Background Sync for network shares that are in user selected Work Offli
to set a threshold value of 128,000 bps, enter a value of 1280.
ying threshold values for Throughput (in bits per second) and/or Latency (in milliseconds) for specific UNC paths
ent of the space on the system drive. If you do not configure this setting, disk space for automatically cached fi
nection to the server is slow. For example, you can configure a value of 60 ms as the round trip latency of the ne
rive Encryption while on the server. The cached copy on the local computer is affected, but the associated netw
computer is connected and disconnected from the network. "3" also records an event when the server hosting t
computer is connected and disconnected from the network. "3" also records an event when the server hosting t
semicolon (;). Note: To make changes to this setting effective, you must log off and log on again.
figuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over
figuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over
re this setting and Synchronization Manager is configured for logon synchronization, the system performs a quic
re this setting and Synchronization Manager is configured for logon synchronization, the system performs a quic
the "Enable reminders" option on the Offline Files tab This setting appears in the Computer Configuration and
the "Enable reminders" option on the Offline Files tab This setting appears in the Computer Configuration and
mpty, leave the checkbox unchecked. 2. In order to use a corporate seed server only, enable the setting; insert
is not configured, the protocol will revert to using a public registry key to determine whether it will publish the
ng is not configured, the protocol will revert to using a public registry key to determine whether it will publish th
ng is not configured, the protocol will revert to using a public registry key to determine whether it will publish th
ublish or resolve names regardless of whether the computer has an IPv6 address that matches the cloud scope.
bility issues. Note: This policy setting has no effect if the "Turn off Program Compatibility Assistant" policy settin
t Configured. With this selection, BranchCache latency settings are not applied to client computers by this polic
s not applied to client computers, and the clients run the version of BranchCache that is included with their oper
to take effect, you must also enable the "Turn on BranchCache" policy setting. This policy setting can only be a
detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, host
puter policy to enable BranchCache client computer cache age settings on individual client computers. Because
ache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then con
mputers by this policy. In the circumstance where client computers are domain members but you do not want to
d for this domain Group Policy setting, and then configure local computer policy to enable BranchCache client co
s domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual cli
blems that are handled by the DPS. If you do not configure this policy setting, the DPS will enable Windows Boo
own Performance problems that are handled by the DPS. If you do not configure this policy setting, the DPS wil
e any Windows Standby/Resume Performance problems that are handled by the DPS. If you do not configure thi
tem Responsiveness problems that are handled by the DPS. If you do not configure this policy setting, the DPS
uts down to a fully powered-off state.

odule or snap-in are logged. By default, the LogPipelineExecutionDetails property of all modules and snap-ins is
odule or snap-in are logged. By default, the LogPipelineExecutionDetails property of all modules and snap-ins is
figuration policy setting takes precedence over the User Configuration policy setting.
figuration policy setting takes precedence over the User Configuration policy setting.
ing can still be enabled through the Start-Transcript cmdlet. If you use the OutputDirectory setting to enable
ing can still be enabled through the Start-Transcript cmdlet. If you use the OutputDirectory setting to enable
onfiguration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it
onfiguration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it
nd printers" setting in User Configuration\Administrative Templates\Control Panel\Printers.
en click "Network and Internet". On the "Network and Internet" page, click "Network and Sharing Center". On the
oad on the server. If you do not enable this policy setting, the behavior is the same as disabling it. Note: This p
net printing" settings in "Computer Configuration\Administrative Templates\Printers."
cannot search the network but must type a printer name. Note: This setting affects the Add Printer Wizard only
hat you want them to use. If you disable this setting or do not configure it, and the user does not type a locatio
"Enable Web content in folders.") Also, see the "Activate Internet printing" setting in this setting folder and the
e packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode p
hout restarting the print spooler service.

tinue to search for compatible Point and Print drivers from Windows Update, if needed. However, you must expli
policy setting applies only to applications opted into isolation. -This policy setting applies only to print drivers lo
akes effect without restarting the print spooler service.

twork administrator. When using package point and print, client computers will check the driver signature of all
twork administrator. When using package point and print, client computers will check the driver signature of all
f you do not configure this policy setting: -Windows Vista client computers can point and print to any server. -W
f you do not configure this policy setting: -Windows Vista client computers can point and print to any server. -W
Group Policy Computer location setting, the default location you entered appears in the Location field by defaul
d a printer when this setting is applied, they cannot print. Note: You can use printer permissions to restrict the u
ote: You can use the "Directory Pruning Interval" and "Directory Pruning Retry" settings to adjust the contact int
domain controllers.
s setting, you can change the interval between attempts. If you do not configure or disable this setting, the def
m the directory. If you enable this policy setting, the contact events are recorded in the event log. If you disable
ory automatically, by default, the system never prunes their printer objects. You can enable this setting to chan
t view the programs that have been published by the system administrator, and they cannot use the "Get Progr
tools and methods to install or uninstall programs.
Resource Exhaustion problems that are handled by the DPS. If you do not configure this policy setting, the DPS
Windows" (or "Return your computer to factory condition") in Recovery (in Control Panel) will be unavailable. H
layed when you shut down a computer running a client version of Windows. (See "Supported on" for supported
rn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control
emotely control the computer." When you configure this policy setting, you also specify the list of users or user
te Assistance settings. If you enable this policy setting, you have two ways to allow helpers to provide Remote
application-based settings are used.

Service. If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the
onnect to servers using constrained delegation. If you do not configure this policy setting, it remains disabled a
nly about 4K of memory, this setting is not recommended for most installations. -- "Auto1" directs RPC to main
ust select an error response type in the drop-down box. -- "Off" disables all extended error information for all pr
PC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Clie
ndows, this policy setting will be ignored. The minimum allowed value for this policy setting is 90 seconds. The
DesktopIT, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for D
cripts for GPOs B and C run in the following order for Qin: Within GPO B: B.ps1, B.cmd Within GPO C: C.ps1, C.c
cripts for GPOs B and C run in the following order for Qin: Within GPO B: B.ps1, B.cmd Within GPO C: C.ps1, C.c
startup script must complete before the next one runs. Also, you can use the ""Run logon scripts synchronously
s, even if they are connected to the Internet. They are prevented from connecting to the Microsoft servers that h
ubleshooting preference is configured, scheduled diagnostics are enabled for detection, troubleshooting and res
lts.aspx?SearchString=$w This adds intranet search location to: 1) The Windows Deskbar 2) The Desktop Sea
e XXXX is the locale ID of your WSS Service. For example, the English locale ID is 1033. http://sitename/_layouts
tion of the index to maintain security for encrypted files.
ay web results in Search" policy setting, queries won't be performed on the web over metered connections and
ng of Uncached Exchange Folders" policy has no effect on online delegate mailboxes. To stop indexing of online
ents. If your users have Administrator permissions or can install software, this policy prevents them from specific
ot congifure this policy setting, the Security Center is turned off for domain members. If you enable this policy s
ager does not refresh automatically. If you do not configure this policy setting, Server Manager uses the refresh
e from the Start menu or the Windows taskbar.

age to use in the WIM file. For example wim:\\server\share\install.wim:3. If you disable or do not configure this
oft. If you do not configure this policy, Tablet PC users can choose whether or not they want to share their writin
oft. If you do not configure this policy, Tablet PC users can choose whether or not they want to share their writin
soft applications with Windows 2000 or later certification are required to comply with this policy setting. Note: T
rosoft applications with Windows 2000 or later certification are required to comply with this policy setting. Note
will be shown, otherwise the the certificate with the expiration time furthest in the future will be shown. Note: T
rom those cards that do not support retrieval of all certificates in a single call. Certificates other than the defau
e , the subject name will be displayed as it appears in the certificate.
the community. If you disable or do not configure this policy setting, the SNMP service takes the Valid Commun
the local computer instead. Best practice: For security purposes, it is recommended to restrict the HKLM\SOFTW
the trap configuration configured on the local computer instead. Note: This setting has no effect if the SNMP ag
file server is configured to display the customized Access Denied message. By default, users see the standard A
ff item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab,
menu from Start Menu" and "Do not keep history of recently opened documents" policies in this folder. The sys
bars" command appears in the context menu.

sites. Note: The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Rec
have this ID tracking and search capability. Also, see the "Do not track Shell shortcuts during roaming" and the
rtitions do not have this ID tracking and search capability. Also, see the "Do not track Shell shortcuts during roa
locked, and the user cannot show and hide various toolbars using the taskbar context menu.
een is also available. Note: Third-party programs certified as compatible with Microsoft Windows Vista, Windows
e system to appeal to most users. However, users can add and remove items from this menu, and system admi
olicy setting, the Windows Update hyperlink is available from the Start menu and from the Tools menu in Interne
d or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the St
s folder (Computer Configuration and User Configuration\Administrative Templates\Network\Network Connection
e Display in Control Panel," and "Remove Network Connections from Start Menu" policy settings.
ve it. If the setting is not configured, users can turn the Recent Items menu on and off. Note: This setting does
Task Manager and use the Internet Explorer Address Bar. Note:This setting affects the specified interface only. I
ht-click an icon representing a drive or a folder. This policy setting affects the specified user interface elements
e directory but not on the Start menu. If you disable this setting or do not configured it, Windows 2000 Professio
Layout.xml. If the specified file is not available when the user logs on, the layout won't be changed. Users cann
Layout.xml. If the specified file is not available when the user logs on, the layout won't be changed. Users cann
ck Settings, click Taskbar and Start Menu, and then, on the General tab, clear the "Use Personalized Menus" opt
ograms to the Taskbar" policy settings.
em Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy settin
nput Panel Options dialog box. If you do not configure this policy, Input Panel will provide text prediction sugge
nput Panel Options dialog box. If you do not configure this policy, Input Panel will provide text prediction sugge
ptions dialog box. If you do not configure this policy, Input Panel will appear next to text entry areas in applicat
ptions dialog box. If you do not configure this policy, Input Panel will appear next to text entry areas in applicat
you do not configure this policy, Input Panel will appear next to text entry areas in applications where this beha
you do not configure this policy, Input Panel will appear next to text entry areas in applications where this beha
l not be able to configure this setting in the Input Panel Options dialog box. If you disable this policy, rarely use
ut Panel Options. Caution: If you enable both the Prevent Input Panel from appearing next to text entry areas
ut Panel Options. Caution: If you enable both the Prevent Input Panel from appearing next to text entry areas
lists will appear next to Input Panel in applications where the functionality is available. Users will be able to con
lists will appear next to Input Panel in applications where the functionality is available. Users will be able to con
box. If you enable this policy and choose Medium-Low from the drop-down box, password security is set to
Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will not be abl
Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will not be abl
nus, including files located remotely on another computer. Note: This setting does not prevent Windows from di
etting is Disabled or Not Configured. Note: This setting appears in the Computer Configuration and User Config
etting is Disabled or Not Configured. Note: This setting appears in the Computer Configuration and User Config
User Configuration. Tip: This setting affects existing tasks only. To prevent users from changing the properties of
User Configuration. Tip: This setting affects existing tasks only. To prevent users from changing the properties of
uled Tasks folder. To prevent this action, use the "Prohibit Drag-and-Drop" setting. Note: This setting appears in
uled Tasks folder. To prevent this action, use the "Prohibit Drag-and-Drop" setting. Note: This setting appears in
e over the setting in User Configuration.
e over the setting in User Configuration.
will not have a 6to4 interface. If no global IPv6 address is present and a global IPv4 address is present, the host
ssfully, ISATAP connectivity is not available on the host using the corresponding IPv4 address. Policy Enabled St
ate is 30 seconds.
en a user starts an RDP session, the user is asked to confirm whether they want to connect. If you disable this p
nt. When a user starts an RDP session, the user is asked to confirm whether they want to connect. If you disabl
er 2008, or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting
le this policy setting, audio recording redirection is not allowed, even if audio recording redirection is specified in
b in the System properties sheet. By default, remote connections are not allowed. Note: You can limit which clie
cally by supplying their passwords in the Remote Desktop Connection client. If you do not configure this policy
Connection.
ge and bandwidth is used. You can also choose not to use an RDP compression algorithm. Choosing not to use a
n the Hyper-V host machine. If you set the encoding option to Attempt only for non-RemoteFX vGPU scenarios
u enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism t
en, in minutes, the server checks the session state. The range of values you can enter is 1 to 999,999. If you dis
is not specified at the Group Policy level. Notes: 1. This policy setting is not effective unless both the Join RD C
etting, the policy setting is not specified at the Group Policy level. Notes: 1. For Windows Server 2008, this polic
AN connections and RDP 7.1. If you disable this policy setting, RemoteFX will be disabled. If you do not configur
Host server without authenticating the RD Session Host server. Do not connect if authentication fails: The clien
he command line.
ways allowed if Clipboard redirection is allowed. If you do not configure this policy setting, client drive redirectio
managing user access is by adding a user to the Remote Desktop Users group.
cy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running
pecified otherwise by the server administrator. Note: This setting only takes effect if per-session temporary fold
computer. If you disable this policy setting, per-session temporary folders are always created, even if the serve
you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" poli
o this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and d
ime-out limit. If you disable this policy setting, Remote Desktop Services always disconnects a timed-out sessio
ime-out limit. If you disable this policy setting, Remote Desktop Services always disconnects a timed-out sessio
nding on the client configuration. If the status is set to Not Configured, the default behavior applies.
as a local administrator.
user session tracking is not performed. If the policy setting is disabled, you cannot use either the Remote Deskt
able or do not configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Ses
pecify on the remote computer by using this policy setting is the maximum quality that can be used for a Remo
t specified at the Group Policy level. Note: 1.Setting the color depth to 24 bits is only supported on Windows Se
the Remote Desktop Session Host Configuration tool.
m for the server. To specify an unlimited number of connections, type 999999. If the status is set to Enabled, th
at you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the e
emote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN cond
nse server will issue a Windows Server 2008 TS CAL, if available, to the following: * A client connecting to a Win
n the Log on Settings tab in Remote Desktop Session Host Configuration. If you disable or do not configure this
not prevent disconnected sessions at the server. You can control how long a disconnected session remains activ
The RPC interface is used for administering and configuring Remote Desktop Services.
e RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not reco
k Level Authentication supported. If you disable this policy setting, Network Level Authentication is not require
quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed con
was created with the specified certificate template, the RD Session Host server will issue a certificate enrollmen
he server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain
putername\Sharename. Do not specify a placeholder for the user account name, because Remote Desktop Serv
n method, the authentication method that you specify in this policy setting is used by default. If you disable or d
rite the "Set RD Gateway server address" policy setting and connect to another RD Gateway server, you must s
s automatically appends this at logon. Note: The Drive Letter field is ignored if you choose to specify a local pat
h the session of a remote user without the user's consent. If you disable this policy setting, administrators can
h the session of a remote user without the user's consent. If you disable this policy setting, administrators can
ktop Services allows sessions to remain active but idle for an unlimited amount of time. If you want Remote De
ktop Services allows sessions to remain active but idle for an unlimited amount of time. If you want Remote De
essions to remain active for an unlimited amount of time. If you want Remote Desktop Services to end instead o
essions to remain active for an unlimited amount of time. If you want Remote Desktop Services to end instead o
hat disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, dis
hat disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, dis
on URL. If you disable or do not configure this policy setting, the user has no default connection URL. Note: Rem
, the client's printer is not available. This is the default behavior. "Default to PCL if one is not found" - If no suit
e this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the
table file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the
table file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the
RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. When a client r
policy setting.
ssion Host server does not have a printer driver that matches the client printer, the server tries to use the Remo
ssion Host server does not have a printer driver that matches the client printer, the server tries to use the Remo
s processing unit (GPU) on a computer with more than one GPU installed. All additional GPUs are considered sec
erver. If you disable or do not configure this policy setting, the RD Session Host server does not specify a license
nnection (RDC) or by using the "allow desktop composition" setting in a Remote Desktop Protocol (.rdp) file. In a
e RD Session Host server when they start a Remote Desktop Services session. For example, a remote user can d
ed, the desktop is always displayed on the remote computer after the client connects to the remote computer.
his policy setting, font smoothing will not be allowed for remote connections, even if font smoothing is enabled
indows Server 2008 do not display wallpaper by default to Remote Desktop Services sessions.
ed, the user will reconnect to the disconnected session on the RD Session Host server. If you disable or do not c
ed, the user will reconnect to the disconnected session on the RD Session Host server. If you disable or do not c
tting, you can configure the RD Session Host server to participate in RD Connection Broker load balancing by us
on setting you choose. Choose the operating system managed TPM authentication setting of "Full" to store the
-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Mana
Policy list of blocked TPM commands. If you disable or do not configure this policy setting, Windows will block th
n to commands in the Group Policy and default lists of blocked TPM commands.
on failures older than the duration are ignored. For each standard user two thresholds apply. Exceeding either
ed. Authorization failures older than the duration are ignored. For each standard user two thresholds apply. Ex
is given full control of their user profile, and the administrators group has no file system access to this folder. N
s policy setting, the system uses the definitions introduced with Windows 2000. %HOMESHARE% stores the fully
work connection to be slow if the server returns less than 500 kilobits of data per second or take 120 millisecon
setting, Windows keeps a copy of a user's roaming profile on the local computer's hard drive when the user logs
ween the user's computer and profile server. If the connection is slow (as defined by the "Slow network connectio
profile folder already exists, and not copy files to or from the roaming folder if the permissions are not correct. B
e any open handles to the per-user registry keys at user logoff.
oaming profile is downloaded on the user's primary computer only. If you disable or do not configure this policy
olicy setting, type the number of seconds Windows should wait for user input. The minumum value is 0 seconds,
ser's roaming profile. In operating systems earlier than Microsoft Windows Vista, only the History, Local Settings
the machine. This will improve the performance of Group Policy based Software Installation during user logon w
n Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to withi
ourse of one minute). If you enable this policy setting, you can adjust the number of times the system tries to
rofile. At logoff, changes are saved to the local profile. All subsequent logons use the local profile. If you disable
when the user logs off. If you disable or not configure this policy setting, the default behavior occurs, as indicat
k connection speed. If you disable or do not configure this policy setting, the system does not consult the user.
t configure this policy setting, Windows waits for the network for a maximum of 30 seconds.
ble or do not configure this policy setting, users logging on this computer will use their local profile or standard r
pecified time of day" is chosen, then a time of day must be specified. Once set, Windows uploads the registry file
name because the user name will be appended at logon. Note: The Drive letter box is ignored if you choose O
You should not use this policy setting to suspend any of the root redirected folders such as Appdata\Roaming, S
t have the enterprise authentication capability will not be able to retrieve the user's UPN, SIP/URI, and DNS. Sel
"Prompt user when slow link is detected" policy setting), but does not respond in the time allowed (as set in the
prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertog
heck box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To
erver to unlock the computer. You can use the group policy setting "Computer Configuration\Windows Settings\S
nd the hardware is capable of using Secure Boot for BitLocker scenarios, the "Use enhanced Boot Configuration
mputer's top-level folder view when the user chooses the option to save the recovery password in a folder. Note:
gure this policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose dri
as the "Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7
will use the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the se
or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. Select "Omit recovery option
select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bi
, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. Select "Omit reco
text file and the 256-bit recovery key as a hidden file. Saving to a folder will store the 48-digit recovery passwor
is available, include it in the message. If you select the "Use custom recovery URL" option, the URL you type in
ry key be provided to unlock the drive. If you disable or do not configure this policy setting, the TPM uses the de
e UEFI firmware. If you enable this policy setting before turning on BitLocker, you can configure the boot compo
FI firmware with a CSM enabled. If you enable this policy setting before turning on BitLocker, you can configure
on with operating system drives and BitLocker software-based encryption will be used by default when the drive
encryption with operating system drives and BitLocker software-based encryption will be used by default when t
cryption with operating system drives and BitLocker software-based encryption will be used by default when the
ng, users can configure a password that meets the requirements you define. To require the use of a password, s
this policy setting, users can configure a password that meets the requirements you define. To enforce complex
that meets the requirements that you define. To require the use of a password, select "Require password for rem
be used to authenticate user access to a BitLocker-protected drive.
art cards are available to authenticate user access to a BitLocker-protected removable data drive.
re disabled, the service will be stopped.
retirement will be disabled.
ns\Approved.
ails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a sou
ws SmartScreen Settings in Security and Maintenance. Options: Require approval from an administrator befor
credentials. As a result, the installation might fail, or it might complete but not include all features. Or, it might
o not configure this policy setting, Windows searches for the original path when it cannot find the target file in th
mmon dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. A
adhere to this setting.
, this policy setting applies only to applications that are using the Windows XP common dialog box style. This p
s. And, it does not prevent users from using the Disk Management snap-in to view and change drive characteris
mmon dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style.
box or the Map Network Drive dialog box. To remove network computers from lists of network resources, use th
e "No Computers Near Me in Network Locations" setting. Note: It is a requirement for third-party applications wi
arch sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search
returned in File Explorer after a search is executed. These links will be shared between Internet search sites and
the action. Also, this setting does not prevent users from using programs to access local and network drives. An
rty applications with Windows 2000 or later certification to adhere to this setting.
ch menu from Start menu" policy setting (in User Configuration\Administrative Templates\Start Menu and Taskba
ent user's permissions. If these permissions are not sufficient, the installation might fail, or it might complete bu
ssociations.
re this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of fo
re this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of fo
ows Libraries features that rely on indexed file data will be disabled. If you disable or do not configure this polic
b view. This setting will also take precedence over the "Enable Active Desktop" setting. If both policies are enabl
point to different network shares, this policy setting is not required. If the paths point to the same network share
dows File Protection provides.
r Definition Language (SDDL) strings. For more information about the SDDL format, see the Windows Firewall de
hat use the blocked ICMP messages will not be able to send those messages to or from this computer. If you ena
hat use the blocked ICMP messages will not be able to send those messages to or from this computer. If you ena
ewall does not open the port. In the Windows Firewall component of Control Panel, the "File and Printer Sharing"
ewall does not open the port. In the Windows Firewall component of Control Panel, the "File and Printer Sharing"
VCHOST.EXE and LSASS.EXE. If you enable this policy setting, Windows Firewall allows the computer to receive
VCHOST.EXE and LSASS.EXE. If you enable this policy setting, Windows Firewall allows the computer to receive
ewall component of Control Panel, the "Remote Desktop" check box is cleared and administrators cannot select
ewall component of Control Panel, the "Remote Desktop" check box is cleared and administrators cannot select
ding them to a local port exceptions list, Windows Firewall does not open the ports. In the Windows Firewall com
ding them to a local port exceptions list, Windows Firewall does not open the ports. In the Windows Firewall com
Object Editor snap-in and configure Computer Configuration\Windows Settings\Security Settings\Windows Firewa
Object Editor snap-in and configure Computer Configuration\Windows Settings\Security Settings\Windows Firewa
use the Group Policy Object Editor snap-in and configure Computer Configuration\Windows Settings\Security Se
use the Group Policy Object Editor snap-in and configure Computer Configuration\Windows Settings\Security Se
root%\system32\LogFiles\Firewall\pfirewall.log. If you disable this policy setting, Windows Firewall does not reco
root%\system32\LogFiles\Firewall\pfirewall.log. If you disable this policy setting, Windows Firewall does not reco
a new one with different parameters. To allow administrators to add ports to the local port exceptions list that i
a new one with different parameters. To allow administrators to add ports to the local port exceptions list that i
ram, enable the policy setting, note the syntax, click the Show button. In the Show Contents dialog box type a d
ram, enable the policy setting, note the syntax, click the Show button. In the Show Contents dialog box type a d
ol Panel, the "Block all incoming connections" check box is cleared and administrators cannot select it. If you do
ol Panel, the "Block all incoming connections" check box is cleared and administrators cannot select it. If you do
box is selected by default, and administrators can change it.
box is selected by default, and administrators can change it.
ts those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that de
ts those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that de
ly and will connect to the Internet (or intranet) to acquire licenses, download security upgrades, and perform lic
This policy is ignored if the "Streaming media protocols" policy setting is enabled and HTTP is not selected. If yo
not selected. If you disable this policy setting, the MMS proxy server cannot be used and users cannot configure
proxy settings. If you do not configure this policy setting, users can configure the RTSP proxy settings.
not choose a different skin. If you disable or do not configure this policy setting, users can display the Player in
policy setting, the administrator must also specify the protocols that are available to users on the Network tab.
setting is available under both Computer Configuration and User Configuration. If both are present, the Comput
setting is available under both Computer Configuration and User Configuration. If both are present, the Comput
v4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies on
alues that were previously configured for RunAsPassword will need to be reset.
ted (though it is not protected from credential-forwarding attacks). If HardeningLevel is set to None, all request
here the effect of this setting depends on the operating system: Hide/Restore updates, and Cancel an install. On
upported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
he "Configure Automatic Updates" policy is disabled, this policy has no effect. Note: This policy is not supporte
updates that apply to the computer and downloads them in the background (the user is not notified or interrup
er Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Update

mputer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install U
port client-side targeting. If the "Specify intranet Microsoft update service location" policy is disabled or not con
n Windows Update wakes it up, it will not install updates and the system will automatically return to hibernation
perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy h
eatures and no notifications will be shown. 1 = Show restart required notifications This setting will show notific
pdate, to search for and download updates. Enabling this setting means that end users in your organization don
as appropriate. In Windows 7, this policy setting will only control detailed notifications for optional applications
ownload to keep your computer up to date. Also, see the "Remove links and access to Windows Update" setting
rer interface. Tip: To find the folders indicated by the Path environment variable, click System Properties in Con
d functional level domains, if you enable this setting, a warning message will appear that Windows could not ret
tting will have no effect, and users receive no warnings about logon hour expiration
log on to a new session. Note: If you configure this setting, you might want to examine and appropriately confi
cy setting is disabled, both "Connect to suggested open hotspots," "Connect to networks shared by my contacts
ork Folders uses the "Force automatic setup" option of the "Specify Work Folders settings" policy setting to deter
ich Work Folders stores files. By default, Work Folders is stored in the "%USERPROFILE%\Work Folders" folder. If
er login and applications will be allowed to poll for tile notification updates in the background. No reboots or se
that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the W
all programs by using other methods, and they can view and install assigned (partially installed) programs that
ng or the "Hide Add New Programs page" setting is enabled.
s or other 16-bit components cannot run. If the status is set to Disabled, the MS-DOS subsystem runs for all use
ns for application problems. If the engine is turned off, these mitigations will not be applied to applications and
m->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. Note: The Diagnostic Policy Servi
ing, Group Policy blocks deployment operations of Windows Store apps when using a special profile.
st URI-based vulnerabilities from untrusted sources, reducing the associated risk.

st URI-based vulnerabilities from untrusted sources, reducing the associated risk.
u disable this policy setting, Windows sets the default risk level to moderate. If you do not configure this policy
le type. If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file ha
e arguments can contain sensitive or private information such as passwords or user data.
matically executing the autorun command. If you disable or not configure this policy setting, Windows Vista or la
matically executing the autorun command. If you disable or not configure this policy setting, Windows Vista or la
cy setting, AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User
cy setting, AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User
y settings, it is possible to control BITS peer caching functionality at a more detailed level. However, it should be
imit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does n
default value of 30 percent of the slowest active network interface will be used. Note: This setting has no effect
sfer unless surcharge applies (when not roaming or overcap) - Transfer unless nearing limit (when not roam
andwidth limits that are set for the maintenance period supersede any limits defined for work and other schedul
onday through Friday, and then set the limit to 512 Kbps for nonwork hours. If you disable or do not configure t
will be used for the inactive job timeout.
olders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting
olders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting
Note: For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be en
er versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Contr
ssic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windo
nable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run.
Instead, a password will be required immediately upon the screen turning off. Note: This policy setting only ap
delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SP
or Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.hum
SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single
ames (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a
e Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated.
ls is not permitted to any machine. Note: The "Allow delegating saved credentials with NTLM-only server authe
m.com machine TERMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/*.humanresource
brikam.com machine TERMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/*.humanres
umanresources.fabrikam.com machine TERMSRV/* Remote Desktop Session Host running on all machines. TER
nistrative Templates\System\Credentials Delegation).
of the process in which programs run.

n appid to this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM ser
However, users can select the wallpaper of their choice. Also, see the "Allow only bitmapped wallpaper" in the
Web views, unless restricted by another setting. If you do not configure this setting, the default is to display Com
ng and then remove the policy from each computer, with a physically present user.
to be compatible. Credential Guard This setting lets users turn on Credential Guard with virtualization-based se
s policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a
on a remote desktop server, the policy setting affects redirection of the specified devices from a remote deskto
stall unsigned files. As a result, the installation stops, and none of the files in the driver package are installed. T
g, Windows can install and update device drivers for removable devices as allowed or prevented by other policy
dows searches source locations for device drivers.
agement Console. Note: For Windows Server systems, this policy setting applies only if the Desktop Experience
figured. No reboots or service restarts are required for this policy setting to take effect: changes take effect imm
ot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache.
. Otherwise, the system uses the physical space on the volume as the quota limit. Note: To turn on or turn off d
y can continue to write to the volume as long as physical space is available. Note: This policy setting overrides
event, regardless of whether or not you choose to enforce the disk quota limit. Also, this policy setting does no
in the Quota Entries window changes. Note: To find the logging option, in My Computer, right-click the name of
n the Quota tab in Volume Properties). If you disable or do not configure this policy setting, the disk space avail
suffix search list. If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com
ring, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes. If you en
-homed name resolution policy setting is disabled or not configured.
enabled if a global suffix search list is configured using Group Policy. If a global suffix search list is not configur
perties dialog box. Devolution is not enabled if a global suffix search list is configured using Group Policy. If a g
setting. For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a con
e corresponding A records was successful. If you disable this policy setting, or if you do not configure this policy
resource records. To specify the registration refresh interval, click Enabled and then enter a value of 1800 or gr
t configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting
ke effect until the user logs off.
ich boot-start drivers to initialize the next time the computer is started. If you disable or do not configure this p
if users have changed settings by using Control Panel). If you enable this policy setting, you can configure the f
check reminders determines the interval time between the display of system notifications that remind the user
Problems page in Control Panel. The Maximum number of reports to queue setting determines how many repor
icrosoft. - 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the mini
icrosoft. - 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the mini
e default setting in Control Panel is Upload all applications. This policy setting is ignored if the Configure Error R
n, and disable notification by default on computers that are running Windows Server. See also the Configure Err
dialog box. The file names must include the .exe file name extension (for example, notepad.exe). Errors that are
this list setting takes precedence. If an application is listed both in the List of applications to always report error
e this setting, the recovery behavior for corrupted files will be set to either the regular (default), silent, or troubl
cy setting, the only Windows Runtime applications that can revoke access to all enterprise-protected content on
network or server holding the redirected files becomes unavailable. Note: If one or more valid folder GUIDs are
rected folder is changed and Folder Redirection is configured to move the content to the new location, Windows
o not configure this policy setting and the user has redirected folders, the folders are redirected on every compu
o not configure this policy setting and the user has redirected folders, the folders are redirected on every compu
egacy redirection policy already deployed for these folders in your existing localized environment.
egacy redirection policy already deployed for these folders in your existing localized environment.
with the Services snap-in to the Microsoft Management Console. No system restart or service restart is require
ed by 19, that is, 1930 to 1999. If you disable or do not configure this policy setting, Windows does not interpre
s enabled at the machine level, it cannot be disabled by a per-user policy setting. If this policy setting is disable
s enabled at the machine level, it cannot be disabled by a per-user policy setting. If this policy setting is disable
y is set to Not Configured at the computer level, then restrictions will be based on per-User policies. To set this
y is set to Not Configured at the computer level, then restrictions will be based on per-User policies. To set this
nstalled on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. If this p
nstalled on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. If this p
e for all languages, even when handwriting personalization is available. See Tablet PC Help for more information
e for all languages, even when handwriting personalization is available. See Tablet PC Help for more information
licy setting, the behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user pro
ds to the following behavior: - If you had originally created the GPO with an English system, and then you edit t
Drive Maps preference extension will not be applied. Note: There are two conditions that will cause Group Poli
tects a slow network connection, Group Policy will only process those client side extensions configured for proce
ound processing" option prevents the system from updating affected policies in the background while the comp
vents the system from updating affected policies in the background while the computer is in use. When backgro
ction, such as a telephone line. Updates across slow connections can cause significant delays. The "Process eve
e slow link value that is defined in this policy setting determines how long Group Policy will wait for a response f
olicy Object Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain.
considered to be fast. If you disable this setting or do not configure it, the system uses the default value of 500
considered to be fast. If you disable this setting or do not configure it, the system uses the default value of 500
"Do not apply during periodic background processing" option prevents the system from updating affected polic
apply during periodic background processing" option prevents the system from updating affected policies in the
s and reapplies the policies even if the policies have not changed. Many policy implementations specify that the
ffected policies in the background while the computer is in use. When background updates are disabled, policy c
not changed" option updates and reapplies the policies even if the policies have not changed. Many policy imp
s a slow network connection, such as a telephone line. Updates across slow connections can cause significant de
settings defined in the computer's Group Policy Objects and the user settings normally applied to the user are c
s the system from updating affected policies in the background while the computer is in use. When background
n prevents the system from updating affected policies in the background while the computer is in use. When ba
cy setting in Computer Configuration\Administrative Templates\System\GroupPolicy.

cy setting in Computer Configuration\Administrative Templates\System\GroupPolicy.
vior.) The slow link value that is defined in this policy setting determines how long Group Policy will wait for a re
mand. Note: To find the "Show Policies Only" command, in Group Policy Object Editor, click the Administrative T
ou must restart your computer for it to take effect.
updated every 90 minutes (the default). To specify that Group Policy should never be updated while the compu
the computer is in use, select the "Turn off background refresh of Group Policy" setting. This setting also lets yo
90 minutes (the default). To specify that Group Policy for users should never be updated while the computer is
ter than Windows 7 configured for workplace connectivity.

or the Group Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled.
essing" option prevents the system from updating affected preference items in the background while the compu
cing" option. If there are no preference items under User Configuration in this extension, no user trace file is cre
processing" option prevents the system from updating affected preference items in the background while the co
Tracing" option. If there are no preference items under User Configuration in this extension, no user trace file is
n prevents the system from updating affected preference items in the background while the computer is in use.
If there are no preference items under User Configuration in this extension, no user trace file is created. 2. Com
ssing" option prevents the system from updating affected preference items in the background while the comput
g" option. If there are no preference items under User Configuration in this extension, no user trace file is create
dic background processing" option prevents the system from updating affected preference items in the backgro
racing" option. If there are no preference items under User Configuration in this extension, no user trace file is c
the system from updating affected preference items in the background while the computer is in use. When back
e no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Con
elays. 2. The "Do not apply during periodic background processing" option prevents the system from updating a
he "Tracing" option. If there are no preference items under User Configuration in this extension, no user trace fil
revents the system from updating affected preference items in the background while the computer is in use. W
there are no preference items under User Configuration in this extension, no user trace file is created. 2. Comp
n prevents the system from updating affected preference items in the background while the computer is in use.
there are no preference items under User Configuration in this extension, no user trace file is created. 2. Comp
sing" option prevents the system from updating affected preference items in the background while the compute
not apply during periodic background processing" option prevents the system from updating affected preferenc
ent computer, and you must turn on the "Tracing" option. If there are no preference items under User Configura
s. 2. The "Do not apply during periodic background processing" option prevents the system from updating affec
rn on the "Tracing" option. If there are no preference items under User Configuration in this extension, no user t
ground processing" option prevents the system from updating affected preference items in the background whil
on the "Tracing" option. If there are no preference items under User Configuration in this extension, no user trac
"Do not apply during periodic background processing" option prevents the system from updating affected prefe
he "Tracing" option. If there are no preference items under User Configuration in this extension, no user trace fil
cant delays. 2. The "Do not apply during periodic background processing" option prevents the system from upd
ackground processing" option prevents the system from updating affected preference items in the background
urn on the "Tracing" option. If there are no preference items under User Configuration in this extension, no user
tion prevents the system from updating affected preference items in the background while the computer is in us
. If there are no preference items under User Configuration in this extension, no user trace file is created. 2. Co
2. The "Do not apply during periodic background processing" option prevents the system from updating affected
n on the "Tracing" option. If there are no preference items under User Configuration in this extension, no user tr
on prevents the system from updating affected preference items in the background while the computer is in use
n. If there are no preference items under User Configuration in this extension, no user trace file is created. 2. Co
ption prevents the system from updating affected preference items in the background while the computer is in
tion. If there are no preference items under User Configuration in this extension, no user trace file is created. 2
sing" option prevents the system from updating affected preference items in the background while the compute
g" option. If there are no preference items under User Configuration in this extension, no user trace file is create
licy settings that are disabled. If you disable this policy setting, you prohibit use of preference extensions unde
s that are disabled. If you disable this policy setting, you prohibit use of preference extensions under Control Pa
" or "Permit use of Control Panel Settings (Users)," policy settings.
Permit use of Control Panel Settings (Users)," policy settings.
)," or "Permit use of Control Panel Settings (Users)," policy settings.
mputers)," or "Permit use of Control Panel Settings (Users)," policy settings.

rs)," or "Permit use of Control Panel Settings (Users)," policy settings.
," or "Permit use of Control Panel Settings (Users)," policy settings.
Permit use of Control Panel Settings (Users)," policy settings.
rs)," or "Permit use of Control Panel Settings (Users)," policy settings.
Note: An environment variable may be used, (for example, %windir%), as long as it is defined on the system. Fo
o Microsoft. Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Command Line Param
he registry.
he registry.
tions component in Control Panel to enable Windows Customer Experience Improvement Program for all users.
ns of Windows.
another policy setting restricts such configuration.
another policy setting restricts such configuration.
}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is
}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is
Computer Configuration and User Configuration, both lists of behaviors will be allowed as appropriate.
Computer Configuration and User Configuration, both lists of behaviors will be allowed as appropriate.
ned in a process list.

ned in a process list.
over questionable content accessed over any restricted protocols when the Network Protocol Lockdown security
ent over the restricted protocols is blocked when the Network Protocol Lockdown security feature is enabled.
ent over the restricted protocols is blocked when the Network Protocol Lockdown security feature is enabled.
ecurity feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control s
wnloading.
sts; unless the user grants a site-specific exception. Internet Explorer sends a DNT:0 header to any sites granted
sts; unless the user grants a site-specific exception. Internet Explorer sends a DNT:0 header to any sites granted
n the Run ActiveX Controls and Plug-ins area, click Administrator Approved.
ctivate them by responding to the notification, using Manage Add-ons, or using other methods.
ctivate them by responding to the notification, using Manage Add-ons, or using other methods.
ect the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run
dia client on their system.

process in the list, a script can perform a Clipboard operation without prompting the user. This means that if the
process in the list, a script can perform a Clipboard operation without prompting the user. This means that if the
y listed (and allowed) through the 'Add-on List' policy setting. If you disable or do not configure this policy settin
y listed (and allowed) through the 'Add-on List' policy setting. If you disable or do not configure this policy settin
kes precedence over this policy. If it is enabled, this policy is ignored.
uble-clicking a software publishing certificate (.spc) file. This wizard enables users to import and configure setti
net Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored.
is enabled, this policy is ignored.

policy. If either policy is enabled, this policy is ignored.
figuration\Administrative Templates\Windows Components\Internet Explorer) takes precedence over this policy.
ab from the interface, however, does not prevent users from running the Internet Connection Wizard from the d
olicy (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer) takes pre
Disable changing accessibility settings"

Disable changing accessibility settings"
user will receive the security information message on the Web pages that contain both secure (https://) and non
that attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet Explore
that attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet Explore
figuration\Administrative Templates\Windows Components\Credential User Interface is enabled for the system,

figuration\Administrative Templates\Windows Components\Credential User Interface is enabled for the system,
Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content f
rnet Options dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not config
bar, and the Command bar are not visible, and the user cannot access them. If you disable or do not configure
bar, and the Command bar are not visible, and the user cannot access them. If you disable or do not configure
enu" policy, which disables the entire shortcut menu. Note: the user will still be able to open New Tabs.
nabled, this policy is ignored.

rameters or scripted.
arameters or scripted.
s to all local files and content processed by Internet Explorer.
s to all local files and content processed by Internet Explorer.
tion and User Configuration, both lists of protocols will be restricted for that zone.
ed to configure template policy settings in one Group Policy object (GPO) and configure any related individual p
ck Modify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Cu
server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Respon
nternet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click
e content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run Activ
ant to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area,
he Run ActiveX Controls and Plug-ins area, click Administrator Approved.
Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the R
Approved.
Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.
r. If you do not configure this policy setting, the user can interchange the positions of the menu bar and the na
ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks Delete. If you don't
ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks Delete. If you don't
xplorer processes in this list because these processes always respect add-on management user preferences and
xplorer processes in this list because these processes always respect add-on management user preferences and
led, the processes configured in this box take precedence over that setting. If you disable or do not configure t
led, the processes configured in this box take precedence over that setting. If you disable or do not configure t
a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explore
a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explore
E processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence
E processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence
o not configure this policy setting, the security feature is allowed.
s ignored.
s ignored.
ated Internet Explorer Processes policy to enable or disable these processes. If the All Processes policy setting is
ated Internet Explorer Processes policy to enable or disable these processes. If the All Processes policy setting is
ake precedence over that setting. If you disable or do not configure this policy setting, the Notification bar is no
ake precedence over that setting. If you disable or do not configure this policy setting, the Notification bar is no
ting. If you disable or do not configure this policy setting, the security feature is allowed.
ting. If you disable or do not configure this policy setting, the security feature is allowed.
he policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Exp
he policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Exp
licy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in
licy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in
plate file, see the Internet Explorer documentation on search providers. If you disable or do not configure this po
plate file, see the Internet Explorer documentation on search providers. If you disable or do not configure this po
revents users from opening files by using the browser.
h removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ig
d to IDN format only for addresses that are not in the Intranet zone.
d to IDN format only for addresses that are not in the Intranet zone.
aximum storage limit for all application caches. The default is 50 MB.
aximum storage limit for all application caches. The default is 50 MB.
m storage limit for all indexed databases. The default is 500 MB.
m storage limit for all indexed databases. The default is 500 MB.
application cache resource list size for all application caches. The default is 1000 resources.
application cache resource list size for all application caches. The default is 1000 resources.
mory on the computer or how many Internet Explorer isolation settings are running. If you enable this policy se
mory on the computer or how many Internet Explorer isolation settings are running. If you enable this policy se
you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure tha
you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure tha
et to high safety. If you do not configure this policy setting, permissions are set to Medium safety.
et to high safety. If you do not configure this policy setting, permissions are set to Low safety.
et to high safety. If you do not configure this policy setting, permissions are set to High safety.
et to high safety. If you do not configure this policy setting, permissions are set to High safety.
Web site are searched for new information.
rnet Explorer\Internet Control Panel folders.
s dialog box. Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unles
s dialog box. Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unles
net Zone. For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
net Zone. For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
upports. Note: SSL 2.0 is off by default. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs th
upports. Note: SSL 2.0 is off by default. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs th
policy settings do not undergo these checks.
policy settings do not undergo these checks.
ppear in the Address bar. This does not affect subscribing to feeds and interacting with them through the Favorit
ppear in the Address bar. This does not affect subscribing to feeds and interacting with them through the Favorit
tab of the Internet Options dialog.
tab of the Internet Options dialog.
ards Mode available in the latest version of Internet Explorer. This option matches the default behavior of Intern
ards Mode available in the latest version of Internet Explorer. This option matches the default behavior of Intern
ialog box. If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent st
ialog box. If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent st
will be on in this zone as set by Protection from Zone Elevation feature control.
running Windows Server 2008 R2 or earlier operating systems. Note: For the following options of this KDC poli
dows Server 2003, Windows 2000 native, or Windows 2000 mixed, domain controllers cannot provide informatio
is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions.
sts compound authentication.
If you disable this policy setting, the host name-to-Kerberos realm mappings list defined by Group Policy is del
edit a mapping, remove the current entry from the list and add a new one with different parameters. If you disa
s in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifie
a\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,0
en press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with diff
ication is always provided for this computer account. If you disable this policy setting, Never will be used. If yo
d. If you do not configure this policy setting, Automatic will be used.
ting that you use on individual servers where you want to enable BranchCache. - Enabled. With this selection, h
s are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and expo
e or do not configure this policy setting, the default behavior for the Responder will apply.
the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, hom
setting in User Configuration. Tip: To display the welcome screen, click Start, point to Programs, point to Acces
setting in User Configuration. Tip: To display the welcome screen, click Start, point to Programs, point to Acces
n. Note: To create a customized run list by using a policy setting, use the ""Run these applications at startup"" p
n. Note: To create a customized run list by using a policy setting, use the ""Run these applications at startup"" p
Once. Also, see the ""Do not process the legacy run list"" policy setting.
Once. Also, see the ""Do not process the legacy run list"" policy setting.
re configured, the system starts the programs specified in the Computer Configuration setting just before it star
re configured, the system starts the programs specified in the Computer Configuration setting just before it star
snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MM
is setting or do not configure it, users can enter author mode and open author-mode console files.
ting in the folder is enabled or not configured, the snap-in is permitted. When a snap-in is prohibited, it does no
rmit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in
d (or disabled), the Group Policy tab is inaccessible. -- If "Restrict users to the explicitly permitted list of snap-i
ostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Mana
omputers. If you do not configure this policy setting, MSDT prompts the user before downloading any additional
cess to directories denied to the user. This policy setting is designed for less restrictive environments. It can be
ove Programs.
ing" policy setting.
vable media. Also, see the "Prevent removable media source for any install" policy setting.
ter Configuration and User Configuration folders. To make this policy setting effective, you must enable it in bot
ter Configuration and User Configuration folders. To make this policy setting effective, you must enable it in bot
policy setting, the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum
isk' option" policy settings.

ges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged,
noperable, do not use this policy setting unless it is essential. This policy setting appears in the Computer Confi
noperable, do not use this policy setting unless it is essential. This policy setting appears in the Computer Confi
e UI while still using Restart Manager for detection. If you disable or do not configure this policy setting, Window
ndows Installer only. It does not prevent users from selecting other browsers, such as File Explorer or Network Lo
s profile. If you do not configure this policy setting on Windows 2000 Professional, Windows XP Professional and
matically generate log files for those packages that include the MsiLogging property.
Installer on Windows Server 2003 family when the policy is not configured. -- The "Always" option indicates th
setting, the recovery behavior for corrupted files is set to either the Prompt For Resolution (default on Windows
solve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:http://myserver.corp.conto
for temporary access to intranet resources when network location detection has not correctly determined that th
not allow the negotiation and use of older cryptography algorithms. If you do not configure this policy setting,
es that are used for NetBIOS domain name based DC location. If you disable or do not configure this policy setti
ou enable or do not configure this policy setting, the DC location algorithm does not use NetBIOS-based discove
s. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be trigg
IPv4/IPv6 DC address. This is the default behavior of the DC Locator. If you disable this policy setting, DC Locat
avior of the Netlogon share ensures that no application with only read permission to files on the Netlogon share
e SYSVOL share ensures that no application with only read permission to files on the sysvol share can lock the fil
eir local configuration.

rds, click Enabled, and then enter a value. The range of values is from 0 to 2. If you do not configure this policy
tName> GcIpAddress A gc._msdcs.<DnsForestName> DsaCname CNAME <DsaGuid>._msdcs.<Dns
with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured
specify the sites covered by the DC Locator application directory partition-specific DNS SRV records, click Enable
ied to any DCs, and DCs use their local configuration.
e computer. If you disable this policy setting, Try Next Closest Site DC Location will not be used by default for th
to perform DNS name resolution. The single-label name is not used without appending DNS suffixes unless the
oller that hosts an Active Directory domain specified with a single-label name. the computers will not the DNS n
odic DC discoveries may be excessive.

ry long periods to try to find a DC. If the value for this setting is too small and the DC is not available, the frequ
Cs at the higher frequency. To specify this behavior, click Enabled and then enter a value. The range of values is
annot open the remote access connection properties dialog box. Important: If the "Enable Network Connections
ections" setting.) Important: If the "Enable Network Connections settings for Administrators" is disabled or not c
n Operators can enable/disable LAN connections. Note: Administrators can still enable/disable LAN connections
her Enabled or Disabled), this setting does not apply. Note: This setting does not prevent users from using othe
ess connections. Note: When configured, this setting always takes precedence over the "Ability to rename LAN
n", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advan
enabled on the File menu. Note: This setting takes precedence over settings that manipulate the availability o
or administrators and Network Configuration Operators. The Local Area Connection Properties dialog box includ
nts that the connection uses. To view or change the properties of a component, click the name of the componen
ettings dialog box, regardless of this setting.
g from Enabled to Not Configured does not restore the Make New Connection icon until the user logs off or on. W
rk components in the Windows Components Wizard. The Install button opens the dialog boxes used to add netw
disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. If yo
connections available to all users, but you can change the default by using the "Ability to delete all user remot
the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the
connection or by using the File menu. Note: This setting does not prevent users from using other programs, su
connection components. When these policies are set to deny access to the connection properties dialog box or
rators), and the Internet Connection Firewall service cannot run on the computer. The option to enable the Inter
e ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addit
ministrators on post-Windows 2000 computers. If you disable this setting or do not configure it, the connection
rectAccess and the Internet is not routed through the internal network.
how the problem can be resolved.
Network Isolation. Example: [3efe:3022::1000];18.0.0.1;18.0.0.2 For more information see: http://go.microsoft.
ion attempts to automatically discover your private network hosts. Example: 3efe:1092::/96,18.1.1.1/10 For m
he Computer Configuration and User Configuration folders. If both settings are configured, the setting in Compu
he Computer Configuration and User Configuration folders. If both settings are configured, the setting in Compu
user selected Work Offline mode. This mode is in effect when a user selects the Work Offline button for a specifi
s) for specific UNC paths. We recommend that you always specify a value for Latency, since the round-trip netw
or automatically cached files is limited to 10 percent of the system drive by default, but users can change it. Tip
und trip latency of the network above which files should be transparently cached in the Offline Files cache. If the
but the associated network copy is not. The user cannot encrypt Offline Files through the user interface. If you
when the server hosting the offline file is reconnected to the network. Note: This setting appears in the Comput
when the server hosting the offline file is reconnected to the network. Note: This setting appears in the Comput
g on again.
n takes precedence over the setting in User Configuration. Tip: To change the synchronization method without c
n takes precedence over the setting in User Configuration. Tip: To change the synchronization method without c
e system performs a quick synchronization by default, but users can change this option. This setting appears in
e system performs a quick synchronization by default, but users can change this option. This setting appears in
puter Configuration and User Configuration folders. If both settings are configured, the setting in Computer Con
puter Configuration and User Configuration folders. If both settings are configured, the setting in Computer Con
enable the setting; insert the fully qualified domain name or IPv6 address of the corporate seed server; and chec
hether it will publish the computer or will use multicast to search for other computers on the local subnet. The m
whether it will publish the computer or will use multicast to search for other computers on the local subnet. Th
whether it will publish the computer or will use multicast to search for other computers on the local subnet. Th
matches the cloud scope. If you disable or do not configure this policy setting, all PNRP clouds are turned on by
y Assistant" policy setting is enabled. The Diagnostic Policy Service (DPS) and Program Compatibility Assistant S
t computers by this policy. In the circumstance where client computers are domain members but you do not wan
s included with their operating system. - Enabled. With this selection, this policy setting is applied to client com
licy setting can only be applied to client computers that are running at least Windows 8. This policy has no effe
osted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is spe
lient computers. Because the domain Group Policy setting is not configured, it will not over-write the client comp
cy setting, and then configure local computer policy to enable BranchCache on individual client computers. Bec
s but you do not want to enable BranchCache on all client computers, you can specify Not Configured for this d
le BranchCache client computer cache settings on individual client computers. Because the domain Group Polic
chCache on individual client computers. Because the domain Group Policy setting is not configured, it will not ov
will enable Windows Boot Performance for resolution by default. This policy setting takes effect only if the diag
olicy setting, the DPS will enable Windows Shutdown Performance for resolution by default. This policy setting t
you do not configure this policy setting, the DPS will enable Windows Standby/Resume Performance for resolut
s policy setting, the DPS will enable Windows System Responsiveness for resolution by default. This policy setti
modules and snap-ins is set to False. To add modules and snap-ins to the policy setting list, click Show, and the
modules and snap-ins is set to False. To add modules and snap-ins to the policy setting list, click Show, and the
ectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to preve
ectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to preve
ure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No
ure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No
d Sharing Center". On the Network and Sharing Center page, click "Change advanced sharing settings". On the
disabling it. Note: This policy does not determine whether offline printing will be available to the client. The clie
e Add Printer Wizard only. It does not prevent users from using other programs to search for shared printers or t
er does not type a location as a search criterion, the system searches for a nearby printer based on the IP addre
his setting folder and the "Browse a common web site to find printers" setting in User Configuration\Administrati
y to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue.
However, you must explicitly enable this policy setting for other versions of Windows (for example Windows Ent
es only to print drivers loaded by applications. Print drivers loaded by the print spooler are not affected. -This po
he driver signature of all drivers that are downloaded from print servers. If this setting is disabled, or not config
he driver signature of all drivers that are downloaded from print servers. If this setting is disabled, or not config
nd print to any server. -Windows Vista computers will show a warning and an elevated command prompt when u
nd print to any server. -Windows Vista computers will show a warning and an elevated command prompt when u
e Location field by default. If you disable this setting or do not configure it, Location Tracking is disabled. Printer
missions to restrict the use of printers without specifying a setting. In the Printers folder, right-click a printer, cl
to adjust the contact interval and number of contact attempts.
able this setting, the default values are used. Note: This setting is used only on domain controllers.
event log. If you disable or do not configure this policy setting, the contact events are not recorded in the even
nable this setting to change the default behavior. To use this setting, select one of the following options from th
annot use the "Get Programs" page to install published programs. Enabling this feature does not prevent users
is policy setting, the DPS will enable Windows Resource Exhaustion for resolution by default. This policy setting
el) will be unavailable. However, with this policy setting disabled, users can still restore the computer to the orig
orted on" for supported versions.) If you disable this policy setting, the Shutdown Event Tracker is not displaye
he Power Options Control Panel.
the list of users or user groups that are allowed to offer remote assistance. To configure the list of helpers, click
lpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely con
l not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4
ng, it remains disabled and will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation
to1" directs RPC to maintain basic state information only if the computer has at least 64 MB of memory. -- "Aut
rror information for all processes. RPC only generates an error code. -- "On with Exceptions" enables extended
d" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting. If you
etting is 90 seconds. The maximum is 7200 seconds (2 hours). If you disable this policy setting, the idle connec
the following order for DesktopIT: Within GPO B: B.ps1, B.cmd Within GPO C: C.ps1, C.cmd For DesktopSales
Within GPO C: C.ps1, C.cmd For Tamara, GPOs B and C are applied, but not GPO A. Therefore, the scripts for G
Within GPO C: C.ps1, C.cmd For Tamara, GPOs B and C are applied, but not GPO A. Therefore, the scripts for G
gon scripts synchronously"" setting to direct the system to wait for the logon scripts to complete before loading
e Microsoft servers that host the Windows Online Troubleshooting Service.

troubleshooting and resolution by default. No reboots or service restarts are required for this policy to take eff
kbar 2) The Desktop Search results search box 3) The WDS search box in Search Companion
http://sitename/_layouts/XXXX/searchresults.aspx?SearchString=$w These additional intranet search locations
metered connections and web results won't be displayed when a user performs a query in Search.
stop indexing of online mailboxes and online delegate mailboxes you must disable both policies.
events them from specifically using Windows Desktop Search-related add-ins. Note: Because of a limitation in th
f you enable this policy setting, Security Center is turned on for all users. If you disable this policy setting, Secu
anager uses the refresh interval settings that are specified in the Server Manager console. Note: The default re
e or do not configure this policy setting, or if the required files cannot be found at the locations specified in this
want to share their writing samples from the handwriting recognition personalization tool with Microsoft.
want to share their writing samples from the handwriting recognition personalization tool with Microsoft.
is policy setting. Note: To create a list of allowed applications, click Show. In the Show Contents dialog box, in t
this policy setting. Note: To create a list of allowed applications, click Show. In the Show Contents dialog box, i
re will be shown. Note: This setting will be applied after the following policy: "Allow time invalid certificates" If
ates other than the default will not be available for logon.
takes the Valid Communities configured on the local computer instead. Best practice: For security purposes, it
restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\PermittedManagers key to allow only the local admin g
s no effect if the SNMP agent is not installed on the client computer. Also, see the other two SNMP settings: "Sp
users see the standard Access Denied message.
Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff. Also, see "Remove Logo
ies in this folder. The system only uses this setting when neither of these related settings are selected. This set
ve\Users\User-name\Recent folder. Also, see the "Remove Recent Items menu from Start Menu" and "Clear hist
during roaming" and the "Do not use the tracking-based method when resolving shell shortcuts" policy settings
hell shortcuts during roaming" and the "Do not use the search-based method when resolving shell shortcuts" po
Windows Vista, Windows XP SP2, Windows XP SP1, Windows XP, or Windows 2000 Professional are required to s
menu, and system administrators can create a customized Favorites menu for a user group. Note:This setting o
he Tools menu in Internet Explorer. Also, see the "Hide the "Add programs from Microsoft" option" policy setting
d Start Menu, click the Start Menu Options tab and, in the Start Menu Settings box, click Display Logoff. See als
work\Network Connections).
settings.
Note: This setting does not prevent Windows programs from displaying shortcuts to recently opened document
specified interface only. It does not prevent users from using other methods to run programs. Note: It is a requi
d user interface elements only. It does not affect Internet Explorer and does not prevent the user from using othe
Windows 2000 Professional and Windows XP Professional display folders on both sections of the Start menu.
be changed. Users cannot customize their Start screen while this setting is enabled. If you disable this setting
be changed. Users cannot customize their Start screen while this setting is enabled. If you disable this setting
Personalized Menus" option.
onfiguration" policy setting is used to determine whether the option to configure System Restore is available.
de text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Pa
de text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Pa
xt entry areas in applications where this behavior is available. Users will be able to configure this setting on the
xt entry areas in applications where this behavior is available. Users will be able to configure this setting on the
ications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input
ications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input
ble this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when
next to text entry areas policy and the Prevent Input Panel tab from appearing policy, and disable the Show
next to text entry areas policy and the Prevent Input Panel tab from appearing policy, and disable the Show
Users will be able to configure this setting on the Text completion tab in Input Panel Options.
Users will be able to configure this setting on the Text completion tab in Input Panel Options.
sword security is set to Medium-Low. At this setting, when users enter passwords from Input Panel they use th
ion. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this polic
ion. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this polic
prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the ""Do
guration and User Configuration folders. If both settings are configured, the setting in Computer Configuration ta
guration and User Configuration folders. If both settings are configured, the setting in Computer Configuration ta
hanging the properties of newly created tasks, use the "Remove Advanced Menu" setting.
hanging the properties of newly created tasks, use the "Remove Advanced Menu" setting.
: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configu
: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configu
dress is present, the host will have a 6to4 interface. Policy Enabled State: If a global IPv4 address is present, the
ddress. Policy Enabled State: If the ISATAP name is resolved successfully, the host will have ISATAP configured w
nect. If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additio
to connect. If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate.
efault when connecting to a computer running Windows 8, Windows Server 2012, Windows 7, Windows Vista, o
redirection is specified in RDC. If you do not configure this policy setting, Audio recording redirection is not spe
e: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the
not configure this policy setting, automatic logon is not specified at the Group Policy level.
m. Choosing not to use an RDP compression algorithm will use more network bandwidth and is only recommend
emoteFX vGPU scenarios, Remote Desktop attempts to use hardware encoding for all scenarios except Remote
n encoding mechanism that results in high quality images and consumes moderate network bandwidth. If you
s 1 to 999,999. If you disable or do not configure this policy setting, a keep-alive interval is not set and the serv
unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings
ws Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. 2. This policy settin
ed. If you do not configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Vir
entication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host se
ng, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level.
uter only if it is running Windows Server 2012 R2 and earlier versions. Note: You can disable redirection of spec
er-session temporary folders are in use on the server. If you enable the Do not use temporary folders per session
reated, even if the server administrator specifies otherwise. If you do not configure this policy setting, per-sess
way server address" policy setting, or client connection attempts to any remote computer will fail, if the client c
Protocol (RDP) 7.1, and does not affect clients that are using other RDP versions.
nnects a timed-out session, even if specified otherwise by the server administrator. If you do not configure this
nnects a timed-out session, even if specified otherwise by the server administrator. If you do not configure this
avior applies.
either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join
n RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group is not deleted or c
can be used for a Remote Desktop Services session, regardless of the audio playback quality configured on the
upported on Windows Server 2003 and Windows XP Professional. 2.The value specified in this policy setting is
atus is set to Enabled, the maximum number of connections is limited to the specified number consistent with t
ted until the size of the entire roaming user profile cache is less than the maximum size specified. If you disabl
xperience over LAN conditions. If you disable or do not configure this policy setting, Remote Desktop Connectio
lient connecting to a Windows Server 2003 terminal server * A client connecting to a Windows 2000 terminal s
or do not configure this policy setting, the version of the operating system on the RD Session Host server will d
ted session remains active on the server by configuring the "Computer Configuration\Administrative Templates\
SL encryption) is not recommended. * RDP: The RDP method uses native RDP encryption to secure communicat
hentication is not required for user authentication before allowing remote connections to the RD Session Host se
es from a low-speed connection, and it will not try to adapt the user experience to varying network quality. If yo
e a certificate enrollment request and will use the current certificate until the request is completed. If more than
nvironments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Client
se Remote Desktop Services automatically adds this when the user logs on and the profile is created. If the spec
efault. If you disable or do not configure this policy setting, the authentication method that is specified by the u
eway server, you must select the "Allow users to change this setting" check box and users will be allowed to sp
ose to specify a local path. If you choose to specify a local path but then type the name of a network share in Ho
ting, administrators can interact with a user's Remote Desktop Services session, with the user's consent.
ting, administrators can interact with a user's Remote Desktop Services session, with the user's consent.
If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, yo
If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, yo
Services to end instead of disconnect a session when the time limit is reached, you can configure the policy set
Services to end instead of disconnect a session when the time limit is reached, you can configure the policy set
ave a console session, disconnected session time limits do not apply. If you disable or do not configure this polic
ave a console session, disconnected session time limits do not apply. If you disable or do not configure this polic
onnection URL. Note: RemoteApp programs that are installed through RemoteApp and Desktop Connections from
is not found" - If no suitable printer driver can be found, default to the Printer Control Language (PCL) fallback
er is a combination of the list defined for the computer and the list defined for the user. This policy setting over
ully qualified path to the starting directory for the program. If you leave Working Directory blank, the program ru
ully qualified path to the starting directory for the program. If you leave Working Directory blank, the program ru
a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their e
ver tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote De
ver tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote De
GPUs are considered secondary adapters and used as hardware renderers. The GPU configuration of the local se
does not specify a license server at the Group Policy level.
p Protocol (.rdp) file. In addition, the client computer must have the necessary hardware to support Windows Ae
mple, a remote user can do this by specifying the program's executable path at connection time by using the Re
o the remote computer. Note: If this policy setting is enabled, then the "Start a program on connection" policy s
nt smoothing is enabled in RDC or in the .rdp file. If you disable or do not configure this policy setting, font sm
If you disable or do not configure this policy setting, when a user closes the last RemoteApp program, the sessi
If you disable or do not configure this policy setting, when a user closes the last RemoteApp program, the sessi
oker load balancing by using the Remote Desktop Session Host Configuration tool or the Remote Desktop Servic
ting of "Full" to store the full TPM owner authorization, the TPM administrative delegation blob and the TPM user
to the "Command Management" section, and making visible the "On Default Block List" column. The local list o
ng, Windows will block the TPM commands in the default list, in addition to commands in the Group Policy and l
apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requ
two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the
m access to this folder. Note: If the policy setting is enabled after the profile is created, the policy setting has no
ESHARE% stores the fully qualified path to the home directory (such as \\server\share\dir1\dir2\homedir). Users
nd or take 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned ad
drive when the user logs off. Important: Do not enable this policy setting if you are using the slow link detectio
"Slow network connection timeout for user profiles" policy setting), the system applies the other policy settings
ssions are not correct. By configuring this policy setting, you can alter this behavior. If you enable this policy s
not configure this policy setting and the user has a roaming profile, the roaming profile is downloaded on every
mum value is 0 seconds, and the maximum is 600 seconds. If you disable or do not configure this policy setting
he History, Local Settings, Temp, and Temporary Internet Files folders are excluded from the user's roaming profi
tion during user logon when a user profile is deleted and that user subsequently logs on to the machine. If you
as been reduced to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from log
mes the system tries to unload and update the user's registry settings. (You cannot adjust the retry rate.) If you
cal profile. If you disable this setting or do not configure it, the default behavior occurs, as indicated above. If y
ehavior occurs, as indicated above. Note: This policy setting only affects roaming profile users.
oes not consult the user. Instead, the system uses the local copy of the user profile. If you have enabled the "Wa
ocal profile or standard roaming user profile. Note: There are four ways to configure a roaming profile for a user
s uploads the registry file at the same time every day, as long as the user is logged on. For both scheduling op
ignored if you choose On the local computer from the Location list. If you choose On the local computer an
h as Appdata\Roaming, Start Menu, and Documents. You should suspend only the subfolders of these parent fold
N, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or lin
me allowed (as set in the "Timeout for dialog boxes" policy setting). Waiting for the remote profile is appropriate
o Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the
le drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification
ation\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certifica
nced Boot Configuration Data validation profile" group policy setting is ignored and Secure Boot verifies BCD se
ssword in a folder. Note: This policy setting does not prevent the user from saving the recovery password in an
6-bit) as the "Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Wind
Server 2008, Windows 7)" policy setting, if it is set. If neither policy is set, BitLocker will use the default encryp
ethod specified by the setup script.
ct "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options w
ery password or a 256-bit recovery key. Select "Omit recovery options from the BitLocker setup wizard" to preve
y key. Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recover
8-digit recovery password as a text file. Printing will send the 48-digit recovery password to the default printer.
tion, the URL you type in the "Custom recovery URL option" text box will replace the default URL in the default r
ting, the TPM uses the default platform validation profile or the platform validation profile specified by the setup
onfigure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted ope
ocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocke
by default when the drive is encrypted. If you do not configure this policy setting, BitLocker will use hardware-b
e used by default when the drive is encrypted. If you do not configure this policy setting, BitLocker will use hard
used by default when the drive is encrypted. If you do not configure this policy setting, BitLocker will use hardw
the use of a password, select "Require password for fixed data drive". To enforce complexity requirements on th
fine. To enforce complexity requirements on the password, select "Require complexity". When set to "Require c
Require password for removable data drive". To enforce complexity requirements on the password, select "Requ
data drive.
e are the same but a source is able to define a specific location of a thumbnail that is different than the location
m an administrator before running downloaded unknown software Give user a warning before running downlo
all features. Or, it might appear to complete successfully, but the installed program might not operate correctly
ot find the target file in the current target path.

mmon dialog box style. Also, third-party applications with Windows 2000 or later certification to are required to a
n dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a r
change drive characteristics. If you disable or do not configure this policy setting, all drives are displayed, or se
mmon dialog box style.
network resources, use the "No Entire Network in Network Locations" policy setting.
hird-party applications with Windows 2000 or later certification to adhere to this setting.
ence over Internet search links. The first several links will also be pinned to the Start menu. A total of four links
Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over In
al and network drives. And, it does not prevent them from using the Disk Management snap-in to view and chan
es\Start Menu and Taskbar). To hide all context menus, use the "Remove File Explorer's default context menu" p
, or it might complete but not include all features. Or, it might appear to complete successfully, but the installe
y open a limited set of folders.

y open a limited set of folders.
do not configure this policy, all default Windows Libraries features will be enabled.
If both policies are enabled, Active Desktop is disabled. Also, see the "Disable Active Desktop" setting in User C
o the same network share, any data contained in the redirected folders is deleted if this policy setting is not ena
the Windows Firewall deployment information at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=
this computer. If you enable this policy setting and allow certain message types, then later disable this policy se
this computer. If you enable this policy setting and allow certain message types, then later disable this policy se
File and Printer Sharing" check box is cleared and administrators cannot select it. If you do not configure this po
File and Printer Sharing" check box is cleared and administrators cannot select it. If you do not configure this po
the computer to receive the unsolicited incoming messages associated with remote administration. You must sp
the computer to receive the unsolicited incoming messages associated with remote administration. You must sp
inistrators cannot select it. If you do not configure this policy setting, Windows Firewall does not open this port.
inistrators cannot select it. If you do not configure this policy setting, Windows Firewall does not open this port.
he Windows Firewall component of Control Panel, the "UPnP framework" check box is cleared and administrator
he Windows Firewall component of Control Panel, the "UPnP framework" check box is cleared and administrator
Settings\Windows Firewall with Advanced Security to specify that local firewall rules should not apply.
Settings\Windows Firewall with Advanced Security to specify that local firewall rules should not apply.
ows Settings\Security Settings\Windows Firewall with Advanced Security to specify that local firewall rules shoul
ows Settings\Security Settings\Windows Firewall with Advanced Security to specify that local firewall rules shoul
ws Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall cre
ws Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall cre
port exceptions list that is defined by the Windows Firewall component in Control Panel, also enable the "Window
port exceptions list that is defined by the Windows Firewall component in Control Panel, also enable the "Window
tents dialog box type a definition string that uses the syntax format. To remove a program, click its definition, an
tents dialog box type a definition string that uses the syntax format. To remove a program, click its definition, an
cannot select it. If you do not configure this policy setting, Windows Firewall applies other policy settings that al
cannot select it. If you do not configure this policy setting, Windows Firewall applies other policy settings that al
tBIOS messages that detect name conflicts.

tBIOS messages that detect name conflicts.
pgrades, and perform license restoration.
TTP is not selected. If you disable this policy setting, the HTTP proxy server cannot be used and the user canno
d users cannot configure the MMS proxy settings. If you do not configure this policy setting, users can configure
P proxy settings.
can display the Player in full or skin mode and have access to all available features of the Player.
sers on the Network tab. If the administrator does not specify any protocols, the Player cannot access an MMS o
are present, the Computer Configuration version of this policy setting takes precedence.
are present, the Computer Configuration version of this policy setting takes precedence.
he IPv6 filter specifies one or more ranges of IPv6addresses. If specified, the service enumerates the available I
s set to None, all requests are accepted (though they are not protected from credential-forwarding attacks).
and Cancel an install. On XP: If you enable this policy setting, users will not see a User Account Control window
his policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
is not notified or interrupted during this process). When the downloads are complete, users will be notified that
ot display 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy setting is enabled.
\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy setting is enabl
cy is disabled or not configured, this policy has no effect. Note: This policy is not supported on Windows RT. Set
ally return to hibernation in 2 minutes.
is disabled, this policy has no effect.
s setting will show notifications about restarts that are required to complete an installation. On Windows 8 and
in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test
for optional applications. In Windows Vista, this policy setting controls detailed notifications for optional applica
Windows Update" setting. If the "Remove links and access to Windows Update" setting is enabled, the links to W
System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in
at Windows could not retrieve the information and the user will not be able to log on. Therefore, you should not
e and appropriately configure the Remove logon hours expiration warnings setting
s shared by my contacts," and "Enable paid services" will be turned off and users on this device will be prevent
gs" policy setting to determine whether to automatically set up Work Folders for a given user.
%\Work Folders" folder. If this option is not specified, users must use the Work Folders Control Panel item on their
round. No reboots or service restarts are required for this policy setting to take effect.
vices" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Com
installed) programs that are offered on the desktop or on the Start menu. If you disable this setting or do not c
ubsystem runs for all users on this computer. If the status is set to Not Configured, the OS falls back on a local p
plied to applications and their installers and these applications may fail to install or run properly. This option is u
e Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to ru
pecial profile.
not configure this policy setting, Windows sets the default risk level to moderate.
which prefers the file handler over the file type.

tting, Windows Vista or later will prompt the user whether autorun command is to be run.
tting, Windows Vista or later will prompt the user whether autorun command is to be run.
r Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Con
r Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Con
vel. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other
This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from
This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured.
ring limit (when not roaming or nearing cap) - Transfer only if unconstrained - Custom--allows you to
r work and other schedules.
ble or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfer
edence over the setting in User Configuration.

edence over the setting in User Configuration.
odule name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item does not have a C
uld be entered. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its
ng. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style.
his policy setting only applies to domain-joined devices that support connected standby.
al Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The us
ost running on host.humanresources.fabrikam.com machine TERMSRV/* Remote Desktop Session Host running
ated. The use of a single wildcard is permitted when specifying the SPN. For Example: TERMSRV/host.humanre
delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: TERMSR
entials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Exam
NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The
ERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresou
es. TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .human
ng on all machines. TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all ma
check for that DCOM server. If you add an appid to this list and set its value to 0 DCOM will always enforce the
mapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Adm
e default is to display Computer as usual. Note: In operating systems earlier than Microsoft Windows Vista, this
th virtualization-based security to help protect credentials. The "Disabled" option turns off Credential Guard rem
specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure
ces from a remote desktop client to the remote desktop server. If you disable or do not configure this policy set
package are installed. To change driver file security without specifying a setting, use System in Control Panel. R
revented by other policy settings.
f the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed.
changes take effect immediately. This policy setting takes effect only when the DPS is in the running state. Wh
for the NV cache.
e: To turn on or turn off disk quota management without specifying a setting, in My Computer, right-click the na
policy setting overrides user settings that enable or disable quota enforcement on their volumes. Note: To spec
his policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, us
r, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab.
ing, the disk space available to users is not limited. The disk quota management feature uses the physical spac
ain suffix of "contoso.com" performs a query for "server.corp" the DNS client will send a query for "server.corp" fi
ultiple suffixes. If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query
search list is not configured, and the Append primary and connection specific DNS suffixes radio button is select
using Group Policy. If a global suffix search list is not configured, and the Append primary and connection specifi
microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resou
o not configure this policy setting, computers will use locally configured settings.
ter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration re
mpt to replace conflicting A resource records during dynamic update. If you disable this policy setting, existing
or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot C
g, you can configure the following settings in the policy setting: - ""Do not display links to any Microsoft More in
ons that remind the user to check for solutions to problems. A value of 0 disables the reminder. If you disable o
ermines how many reports can be queued before older reports are automatically deleted. The setting for Numb
matically sends the minimum data required to check for an existing solution, as well as data which Windows ha
matically sends the minimum data required to check for an existing solution, as well as data which Windows ha
d if the Configure Error Reporting policy setting is disabled or not configured. For related information, see the C
ee also the Configure Error Reporting policy setting.
epad.exe). Errors that are generated by applications on this list are always reported, even if the Default dropdow
ns to always report errors for policy setting, and in the exclusion list in this policy setting, the application is excl
(default), silent, or troubleshooting only state. If you disable this setting, the recovery behavior for corrupted fil
se-protected content on the device are Windows Mail and the user-selected mailto protocol handler app. Any o
re valid folder GUIDs are specified in the policy setting "Do not automatically make specific redirected folders av
e new location, Windows copies the contents of the local cache to the new network location, then deleted the co
directed on every computer that the user logs on to. Note: If you enable this policy setting in Computer Configu
directed on every computer that the user logs on to. Note: If you enable this policy setting in Computer Configu
vironment.
vironment.
service restart is required for this policy setting to take effect: changes take effect immediately.
ndows does not interpret two-digit year formats using this scheme for the program.
s policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting
s policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting
User policies. To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configu
User policies. To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configu
s" policy setting. If this policy setting is enabled at the computer level, it cannot be disabled by a per-user polic
s" policy setting. If this policy setting is enabled at the computer level, it cannot be disabled by a per-user polic
elp for more information. If you enable this policy setting, automatic learning stops and any stored data is dele
elp for more information. If you enable this policy setting, automatic learning stops and any stored data is dele
d, and a roaming user profile is allowed from the trusted forest. If you disable this policy setting, the behavior is
stem, and then you edit the GPO with a Japanese system, the Group Policy Object Editor snap-in uses the local J
hat will cause Group Policy to be processed synchronously even if this policy setting is enabled: 1 - At the first
ions configured for processing across a slow link (slow network connection). If you enable this policy, when Gr
kground while the computer is in use. When background updates are disabled, policy changes will not take effe
r is in use. When background updates are disabled, policy changes will not take effect until the next user logon
delays. The "Process even if the Group Policy objects have not changed" option updates and reapplies the polici
will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 m
s Master for the domain. Note: To change the PDC Operations Master for a domain, in Active Directory Users an
the default value of 500 kilobits per second. This setting appears in the Computer Configuration and User Con
the default value of 500 kilobits per second. This setting appears in the Computer Configuration and User Con
m updating affected policies in the background while the computer is in use. When background updates are disa
g affected policies in the background while the computer is in use. When background updates are disabled, poli
ntations specify that they are updated only when changed. However, you might want to update unchanged poli
tes are disabled, policy changes will not take effect until the next user logon or system restart. The "Process ev
hanged. Many policy implementations specify that they be updated only when changed. However, you might wa
s can cause significant delays. The "Process even if the Group Policy objects have not changed" option updates
applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy Obje
use. When background updates are disabled, policy changes will not take effect until the next user logon or sys
puter is in use. When background updates are disabled, policy changes will not take effect until the next user lo
p Policy will wait for a response from the domain controller before reporting the link speed as slow. The default
click the Administrative Templates folder (either one), right-click the same folder, and then point to "View." In G
updated while the computer is in use, select the "Turn off background refresh of Group Policy" policy. The Set Gr
. This setting also lets you specify how much the actual update interval varies. To prevent domain controllers w
d while the computer is in use, select the "Turn off background refresh of Group Policy" setting. This setting als
ways treated as Enabled.
ground while the computer is in use. When background updates are disabled, preference item changes do not t
n, no user trace file is created. 2. Computer Configuration tracing: This preference extension is available under
background while the computer is in use. When background updates are disabled, preference item changes do
sion, no user trace file is created. 2. Computer Configuration tracing: This preference extension is available und
the computer is in use. When background updates are disabled, preference item changes do not take effect un
ce file is created. 2. Computer Configuration tracing: This preference extension is available under User Configu
ground while the computer is in use. When background updates are disabled, preference item changes do not ta
no user trace file is created. 2. Computer Configuration tracing: This preference extension is available under Use
nce items in the background while the computer is in use. When background updates are disabled, preference i
on, no user trace file is created. 2. Computer Configuration tracing: This preference extension is available unde
uter is in use. When background updates are disabled, preference item changes do not take effect until the nex
reated. 2. Computer Configuration tracing: This preference extension is available under User Configuration only
e system from updating affected preference items in the background while the computer is in use. When backgr
xtension, no user trace file is created. 2. Computer Configuration tracing: This preference extension is available
he computer is in use. When background updates are disabled, preference item changes do not take effect until
e file is created. 2. Computer Configuration tracing: This preference extension is available under User Configura
e the computer is in use. When background updates are disabled, preference item changes do not take effect u
e file is created. 2. Computer Configuration tracing: This preference extension is available under User Configura
round while the computer is in use. When background updates are disabled, preference item changes do not tak
ce file is created. 2. Computer Configuration tracing: This preference extension is available under User Configu
dating affected preference items in the background while the computer is in use. When background updates are
ms under User Configuration in this extension, no user trace file is created. 2. Computer Configuration tracing:
stem from updating affected preference items in the background while the computer is in use. When backgroun
this extension, no user trace file is created. 2. Computer Configuration tracing: This preference extension is av
s in the background while the computer is in use. When background updates are disabled, preference item chan
s extension, no user trace file is created. 2. Computer Configuration tracing: This preference extension is availa
m updating affected preference items in the background while the computer is in use. When background updates
tension, no user trace file is created. 2. Computer Configuration tracing: This preference extension is available
nts the system from updating affected preference items in the background while the computer is in use. When b
ce file is created. 2. Computer Configuration tracing: This preference extension is available under User Configur
tems in the background while the computer is in use. When background updates are disabled, preference item
n this extension, no user trace file is created. 2. Computer Configuration tracing: This preference extension is av
hile the computer is in use. When background updates are disabled, preference item changes do not take effect
ace file is created. 2. Computer Configuration tracing: This preference extension is available under User Configu
m from updating affected preference items in the background while the computer is in use. When background u
his extension, no user trace file is created. 2. Computer Configuration tracing: This preference extension is ava
le the computer is in use. When background updates are disabled, preference item changes do not take effect u
race file is created. 2. Computer Configuration tracing: This preference extension is available under User Config
while the computer is in use. When background updates are disabled, preference item changes do not take effe
er trace file is created. 2. Computer Configuration tracing: This preference extension is available under User Co
round while the computer is in use. When background updates are disabled, preference item changes do not ta
o user trace file is created. 2. Computer Configuration tracing: This preference extension is available under Use
ference extensions under Control Panel Settings for Computer Configuration. Disabling this policy setting overrid
tensions under Control Panel Settings for User Configuration. Disabling this policy setting overrides any "Permit
efined on the system. For example, %programfiles% is not defined on some early versions of Windows. The "Sh
m Command Line Parameters" settings in "Administrative Templates/Windows Components/Event Viewer".
nt Program for all users.

e on which the add-on is referenced. Value - A number indicating whether Internet Explorer should deny or allow
e on which the add-on is referenced. Value - A number indicating whether Internet Explorer should deny or allow
as appropriate.
as appropriate.
otocol Lockdown security feature is enabled.

ty feature is enabled.
ty feature is enabled.
trictions feature control setting for the process.

ader to any sites granted an exception. By default, this option is turned on.
ader to any sites granted an exception. By default, this option is turned on.
tom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved.
er. This means that if the zone behavior is currently set to prompt, it will be bypassed and enabled. If you disab
er. This means that if the zone behavior is currently set to prompt, it will be bypassed and enabled. If you disab
onfigure this policy setting, users may use Add-on Manager to allow or deny any add-ons that are not included i
onfigure this policy setting, users may use Add-on Manager to allow or deny any add-ons that are not included i
mport and configure settings for certificates from software publishers that haven't already been configured for In
cy is ignored.
cedence over this policy. If it is enabled, this policy is ignored.

ection Wizard from the desktop or the Start menu.
ernet Explorer) takes precedence over this policy. If it is enabled, this policy is ignored.
secure (https://) and nonsecure (http://) content.

d Mode, Internet Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that pa
d Mode, Internet Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that pa
enabled for the system, it will override this policy setting.

enabled for the system, it will override this policy setting.
users can drag content from one domain to a different domain when the source and destination are in different
y setting or do not configure it, users can drag content from one domain to a different domain when the source
sable or do not configure this policy setting, the user can view and access the navigation bar, the menu bar, an
sable or do not configure this policy setting, the user can view and access the navigation bar, the menu bar, an
open New Tabs.

e any related individual policy settings in a separate GPO. You can then use Group Policy management features (
ntrols, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approv
ws NT Challenge Response is not supported by the server, the user is queried to provide the user name and pas
nd Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select t
evel. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved.
ntrols and Plug-ins area, click Administrator Approved.
ustom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved.
he menu bar and the navigation bar.
cks Delete. If you don't configure this policy setting, users can turn this feature on and off, determining whethe
cks Delete. If you don't configure this policy setting, users can turn this feature on and off, determining whethe
ent user preferences and policy settings. If the All Processes policy setting is enabled, the processes configured
ent user preferences and policy settings. If the All Processes policy setting is enabled, the processes configured
ble or do not configure this policy setting, the security feature is allowed.
ble or do not configure this policy setting, the security feature is allowed.
enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or d
enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or d
his box take precedence over that setting. If you disable or do not configure this policy setting, the security fea
his box take precedence over that setting. If you disable or do not configure this policy setting, the security fea
rocesses policy setting is enabled, the processes configured in this box take precedence over that setting. If yo
rocesses policy setting is enabled, the processes configured in this box take precedence over that setting. If yo
the Notification bar is not displayed for the specified processes.
the Notification bar is not displayed for the specified processes.
e the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setti
e the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setti
processes configured in this box take precedence over that setting. If you disable or do not configure this policy
processes configured in this box take precedence over that setting. If you disable or do not configure this policy
r do not configure this policy setting, the user can configure his or her list of search providers.
r do not configure this policy setting, the user can configure his or her list of search providers.
enabled, this policy is ignored. Also, see the "Security zones: Use only machine settings" policy.
you enable this policy setting, you set the rate at which Internet Explorer creates new tab processes to low, me
you enable this policy setting, you set the rate at which Internet Explorer creates new tab processes to low, me
th a zone will ensure that the security settings for the specified zone are applied to the site. For each entry tha
th a zone will ensure that the security settings for the specified zone are applied to the site. For each entry tha
um safety.
um safety.
um safety.
um safety.
"Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is dis
"Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is dis
rer TechNet library.

rer TechNet library.
abling SSL 2.0 impairs the performance and functionality of TLS 1.0.
abling SSL 2.0 impairs the performance and functionality of TLS 1.0.
them through the Favorites Center.
them through the Favorites Center.
default behavior of Internet Explorer. If you do not configure this policy setting, the user can turn on and turn off
default behavior of Internet Explorer. If you do not configure this policy setting, the user can turn on and turn off
Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all loca
Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all loca
options of this KDC policy to be effective, the Kerberos Group Policy "Kerberos client support for claims, compo
annot provide information about previous logons, and enabling this policy setting does not affect anything.
or versions.
ed by Group Policy is deleted. If you do not configure this policy setting, the system uses the host name-to-Ker
t parameters. If you disable this policy setting, the interoperable Kerberos V5 realm settings defined by Group P
he target domain.
purpose object identifier in the EKU extensions which can be issued to any server.
h a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64
add a new one with different parameters. If you disable or do not configure this policy setting, the Kerberos cli
Never will be used. If you do not configure this policy setting, Automatic will be used.
led. With this selection, hash publication is turned on for all file servers where Group Policy is applied. For exam
ata corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest
oaming profile path, home directory, or user object logon script, may take up to two logons to be detected. If a
Programs, point to Accessories, point to System Tools, and then click ""Getting Started."" To suppress the welco
Programs, point to Accessories, point to System Tools, and then click ""Getting Started."" To suppress the welco
pplications at startup"" policy setting. Also, see the ""Do not process the run once list"" policy setting.
pplications at startup"" policy setting. Also, see the ""Do not process the run once list"" policy setting.
setting just before it starts the programs specified in the User Configuration setting. Also, see the ""Do not proc
setting just before it starts the programs specified in the User Configuration setting. Also, see the ""Do not proc
ve Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console
onsole files.
n is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a consol
or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of sn
y permitted list of snap-ins" is disabled or not configured, users will have access to the Group Policy tab. To exp
-in to the Microsoft Management Console.

wnloading any additional tools. No reboots or service restarts are required for this policy setting to take effect. C
environments. It can be used to circumvent errors in an installation program that prevents software from being
you must enable it in both folders. Caution: Skilled users can take advantage of the permissions this policy setti
you must enable it in both folders. Caution: Skilled users can take advantage of the permissions this policy setti
eline file cache maximum size.
d, per-user unmanaged, or per-machine context."
ars in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder
ars in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder
his policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart
le Explorer or Network Locations, to search for installation files. Also, see the "Enable user to browse for source
dows XP Professional and Windows Vista, when a user reinstalls, removes, or repairs an installation, the transform
ways" option indicates that Windows Installer is disabled. This policy setting affects Windows Installer only. It d
tion (default on Windows client), Silent (default on Windows server), or Troubleshooting Only. If you disable this
ttp://myserver.corp.contoso.com/ or HTTP:http://2002:836b:1::1/. -A Universal Naming Convention (UNC) path t
rrectly determined that the DirectAccess client computer is connected to its own intranet. To restore the DirectA
figure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms.
configure this policy setting, this DC processes incoming mailslot messages. This is the default behavior of DC L
e NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavi
scovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets
s policy setting, DC Locator APIs will ONLY return IPv4 DC address if any. So if the domain controller supports bot
s on the Netlogon share can lock the files by requesting exclusive read access, which might prevent Group Polic
svol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from
not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<DsaGuid>._msdcs.<DnsForestName> Kdc SRV _kerberos._tcp.dc._msdcs.<DnsDomainName> KdcAt
resh Interval configured for these zones. Setting the Refresh Interval of the DC Locator DNS records to longer th
SRV records, click Enabled, and then enter the site names in a space-delimited format. If you do not configure t
be used by default for the computer. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SIT
DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory
puters will not the DNS name resolution in this case, unless the computer is searching for a domain with a single
s not available, the frequent retries may produce excessive network traffic.
ue. The range of values is from 1 to 2. If you do not configure this policy setting, it is not applied to any compute
ble Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to
ators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 compute
disable LAN connections from Device Manager when this setting is disabled.
ent users from using other programs, such as Internet Explorer, to bypass this setting.
e "Ability to rename LAN connections" and "Ability to rename all user remote access connections" settings. Not
y to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Me
ipulate the availability of features inside the Local Area Connection Properties dialog box. If this setting is enabl
perties dialog box includes a list of the network components that the connection uses. To view or change the pr
e name of the component, and then click the Properties button beneath the component list. Note: Not all netwo
the user logs off or on. When other changes to this setting are applied, the icon does not appear or disappear in
g boxes used to add network components. Clicking the Uninstall button removes the selected component in the
ws 2000 computers. If you disable this setting or do not configure it, a Properties menu item appears when any
to delete all user remote access connections" setting.) Important: When enabled, this setting takes precedenc
cked from accessing the check boxes for enabling and disabling the components of a LAN connection. Note: No
using other programs, such as Internet Explorer, to bypass this setting.

properties dialog box or Properties button for connection components, users cannot gain access to the Advance
option to enable the Internet Connection Firewall through the Advanced tab is removed. In addition, the Internet
tion is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the
figure it, the connection status taskbar icon and Status dialog box are available to all users.
see: http://go.microsoft.com/fwlink/p/?LinkId=234043
2::/96,18.1.1.1/10 For more information see: http://go.microsoft.com/fwlink/p/?LinkId=234043
red, the setting in Computer Configuration takes precedence over the setting in User Configuration. Tip: To con
red, the setting in Computer Configuration takes precedence over the setting in User Configuration. Tip: To con
Offline button for a specific share. When selected, all configured settings will apply to shares in user selected Wo
since the round-trip network latency detection is faster. You can use wildcard characters (*) for specifying UNC p
users can change it. Tip: To change the amount of disk space used for automatic caching without specifying a
Offline Files cache. If the round trip latency of the network is less than 60ms, reads to remote files will not be c
he user interface. If you do not configure this policy setting, encryption of the Offline Files cache is controlled b
g appears in the Computer Configuration and User Configuration folders. If both settings are configured, the sett
g appears in the Computer Configuration and User Configuration folders. If both settings are configured, the sett
ization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click t
ization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click t
. This setting appears in the Computer Configuration and User Configuration folders. If both settings are config
. This setting appears in the Computer Configuration and User Configuration folders. If both settings are config
setting in Computer Configuration takes precedence over the setting in User Configuration. Tip: To display or h
setting in Computer Configuration takes precedence over the setting in User Configuration. Tip: To display or h
ate seed server; and check the checkbox. Using the corporate seed server only will prevent your mobile users fr
n the local subnet. The multicast protocol used for bootstrapping is SSDP (Simple Service Discovery Protocol). T
s on the local subnet. The multicast protocol used for bootstrapping is SSDP (Simple Service Discovery Protocol
s on the local subnet. The multicast protocol used for bootstrapping is SSDP (Simple Service Discovery Protocol
clouds are turned on by default, and PNRP creates a cloud if the computer has an IPv6 address compatible with
Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using
mbers but you do not want to configure a BranchCache latency setting on all client computers, you can specify N
g is applied to client computers based on the value of the option setting "Select from the following versions" tha
8. This policy has no effect on computers that are running Windows 7 or Windows Vista. Client computers to wh
configuration that is specified manually or by Group Policy. When this policy setting is applied, the client comp
ver-write the client computer cache age setting that you use on individual client computers. - Enabled. With th
ual client computers. Because the domain Group Policy setting is not configured, it will not over-write the enable
Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchC
e the domain Group Policy setting is not configured, it will not over-write the client computer cache setting that
t configured, it will not over-write the enabled setting that you use on individual client computers where you wa
es effect only if the diagnostics-wide scenario execution policy is not configured. No system restart or service r
ault. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. No
Performance for resolution by default. This policy setting takes effect only if the diagnostics-wide scenario exe
default. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.
list, click Show, and then type the module names in the list. The modules and snap-ins in the list must be insta
list, click Show, and then type the module names in the list. The modules and snap-ins in the list must be insta
to that directory to prevent users from viewing the transcripts of other users or computers. Note: This policy se
to that directory to prevent users from viewing the transcripts of other users or computers. Note: This policy se
is not configured is "No scripts allowed."
is not configured is "No scripts allowed."
haring settings". On the Advanced sharing settings page, click the arrow next to "Domain" arrow, click "turn on
able to the client. The client print spooler can always queue print jobs when not connected to the print server. U
h for shared printers or to connect to network printers.
er based on the IP address and subnet mask of the user's computer.

onfiguration\Administrative Templates\Control Panel\Printers. Web view is affected by the "Turn on Classic Shell
a print queue.
or example Windows Enterprise, and all versions of Windows Server 2008 R2 and later) to have the same behav
are not affected. -This policy setting is only checked once during the lifetime of a process. After changing the po
is disabled, or not configured, package point and print will not be restricted to specific print servers.
is disabled, or not configured, package point and print will not be restricted to specific print servers.
command prompt when users create a printer connection to any server using Point and Print. -Windows Vista co
command prompt when users create a printer connection to any server using Point and Print. -Windows Vista co
acking is disabled. Printer proximity is estimated using the standard method (that is, based on IP address and su
r, right-click a printer, click Properties, and then click the Security tab. If this policy is disabled, or not configure
n controllers.
not recorded in the event log. Note: This setting does not affect the logging of pruning events; the actual prun
ollowing options from the "Prune non-republishing printers" box: -- "Never" specifies that printer objects that a
e does not prevent users from installing programs by using other methods. Users will still be able to view and in
efault. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. N
the computer to the original state or from a user-created system image by restarting the computer and accessi
nt Tracker is not displayed when you shut down the computer. If you do not configure this policy setting, the def
re the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each
w helpers to remotely control the computer." The "Maximum ticket time" policy setting sets a limit on the amou
e with the Windows NT4 Server Endpoint Mapper Service. Note: This policy will not be applied until the system
that ask for delegation and connect to servers using constrained delegation. If you enable this policy setting, t
4 MB of memory. -- "Auto2" directs RPC to maintain basic state information only if the computer has at least 12
tions" enables extended error information, but lets you disable it for selected processes. To disable extended er
his policy setting. If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated
setting, the idle connection timeout on the IIS server running the RPC HTTP proxy will be used. If you do not co
.cmd For DesktopSales, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run
herefore, the scripts for GPOs B and C run in the following order for Tamara: Within GPO B: B.cmd, B.ps1 Within
herefore, the scripts for GPOs B and C run in the following order for Tamara: Within GPO B: B.cmd, B.ps1 Within
complete before loading the desktop. An excessively long interval can delay the system and inconvenience use
for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the
intranet search locations are added to the All Locations list in the Desktop Search results.
in Search.
h policies.
cause of a limitation in the Group Policy editor, you must add at least one entry in the allow list, even if you wan
e this policy setting, Security Center is turned off for domain members. Windows XP SP2 ---------------------- In Wi
ole. Note: The default refresh interval for Server Manager is two minutes in Windows Server 2008 and Windows
ocations specified in this policy setting, the files will be downloaded from Windows Update, if that is allowed by
ol with Microsoft.
ol with Microsoft.
Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe
ow Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.e
e invalid certificates" If you enable or do not configure this policy setting, filtering will take place. If you disabl
For security purposes, it is recommended to restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\ValidComm

w only the local admin group full control. Note: This policy setting has no effect if the SNMP agent is not installe
r two SNMP settings: "Specify permitted managers" and "Specify Community Name".
Also, see "Remove Logoff" in User Configuration\Administrative Templates\System\Logon/Logoff.
gs are selected. This setting does not clear the list of recent files that Windows programs display at the bottom
art Menu" and "Clear history of recently opened documents on exit" policies in this folder. If you enable this sett
shortcuts" policy settings.

olving shell shortcuts" policy settings.
essional are required to support this policy setting.
roup. Note:This setting only affects the Start menu. The Favorites item still appears in File Explorer and in Intern
oft" option" policy setting.

k Display Logoff. See also: "Remove Logoff" policy setting in User Configuration\Administrative Templates\Syste
cently opened documents. See the "Do not keep history of recently opened documents" setting. This setting al
grams. Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to
the user from using other methods to search. If you disable or do not configure this policy setting, the Search l
ons of the Start menu.
you disable this setting or do not configure it, the Start screen layout won't be changed and users will be able t
you disable this setting or do not configure it, the Start screen layout won't be changed and users will be able t
m Restore is available.
ompletion tab in Input Panel Options in Windows 7 and Windows Vista.
ompletion tab in Input Panel Options in Windows 7 and Windows Vista.
figure this setting on the Opening tab in Input Panel Options. Caution: If you enable both the Prevent Input Pan
figure this setting on the Opening tab in Input Panel Options. Caution: If you enable both the Prevent Input Pan
the Opening tab in Input Panel Options.
the Opening tab in Input Panel Options.
ecognition results when handwriting is converted to typed text. Users will not be able to configure this setting in
, and disable the Show Input Panel taskbar icon policy, the user will then have no way to access Input Panel.
, and disable the Show Input Panel taskbar icon policy, the user will then have no way to access Input Panel.
m Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the
x. If you enable this policy and choose None, users will be able to use both the tolerant scratch-out gestures a
x. If you enable this policy and choose None, users will be able to use both the tolerant scratch-out gestures a
Jump Lists. See the ""Do not allow pinning items in Jump Lists"" policy setting.
omputer Configuration takes precedence over the setting in User Configuration.

omputer Configuration takes precedence over the setting in User Configuration.
both settings are configured, the setting in Computer Configuration takes precedence over the setting in User C
v4 address is present, the host will have a 6to4 interface. If no global IPv4 address is present, the host will not h
ave ISATAP configured with a link-local address and an address for each prefix received from the ISATAP router t
valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifyi
with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and s
dows 7, Windows Vista, or Windows XP Professional. If you enable this policy setting, audio and video playback r
ing redirection is not specified at the Group Policy level.
rvices by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Compone
h and is only recommended if you are using a hardware device that is designed to optimize network traffic. Eve
scenarios except RemoteFX vGPU.
twork bandwidth. If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses
al is not set and the server will not check the session state.
ver name policy settings are enabled and configured by using Group Policy. 2. For Windows Server 2008, this p
ard. 2. This policy setting is not effective unless the Join RD Connection Broker policy setting is enabled. 3. To b
ult, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled.
if the RD Session Host server can be authenticated. If you disable or do not configure this policy setting, the au
Group Policy level.
isable redirection of specific types of supported Plug and Play devices by using Computer Configuration\Adminis
porary folders per session policy setting, this policy setting has no effect.
s policy setting, per-session temporary folders are created unless the server administrator specifies otherwise.
ter will fail, if the client cannot connect directly to the remote computer. To enhance security, it is also highly re
ou do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specifi
ou do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specifi
vices WMI Provider to join the server to RD Connection Broker. If the policy setting is not configured, the policy
group is not deleted or changed in any way by disabling or not configuring this policy setting. Note: You should
quality configured on the client computer. For example, if the audio playback quality configured on the client co
d in this policy setting is not applied to connections from client computers that are using at least Remote Deskto
number consistent with the version of Windows and the mode of Remote Desktop Services running on the serve
e specified. If you disable or do not configure this policy setting, no restriction is placed on the size of the entire
mote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate an
Windows 2000 terminal server If you enable this policy setting, the license server will only issue a temporary RD
ession Host server will determine when a user is prompted to provide credentials for a remote connection to an
dministrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\S
n to secure communications between the client and RD Session Host server. If you select this setting, the RD Se
o the RD Session Host server. If you do not configure this policy setting, the local setting on the target compute
ing network quality. If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up
s completed. If more than one certificate is found that was created with the specified certificate template, the ce
sktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.
file is created. If the specified network share does not exist, Remote Desktop Services displays an error messag
that is specified by the user is used, if one is specified. If an authentication method is not specified, the NTLM p
ers will be allowed to specify an alternate RD Gateway server. Users can specify an alternative RD Gateway ser
of a network share in Home Dir Root Path, Remote Desktop Services places user home directories in the netwo
he user's consent.
he user's consent.
e time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\W
e time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\W
n configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote D
n configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote D
o not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Rem
o not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Rem
Desktop Connections from an untrusted server can compromise the security of a user's account.
Language (PCL) fallback printer driver. "Default to PS if one is not found" - If no suitable printer driver can be fo
This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp s
ory blank, the program runs with its default working directory. If the specified program path, file name, or workin
ory blank, the program runs with its default working directory. If the specified program path, file name, or workin
direct the client to their existing session on the correct RD Session Host server in the farm. Only disable this set
ny reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the
ny reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the
nfiguration of the local session is not affected by this policy setting.
e to support Windows Aero features. Note: Additional configuration might be necessary on the remote compute
ion time by using the Remote Desktop Connection client. If you disable or do not configure this policy setting, r
m on connection" policy setting is ignored.
is policy setting, font smoothing is allowed for remote connections.
eApp program, the session will be disconnected from the RD Session Host server but it is not logged off. Note:
eApp program, the session will be disconnected from the RD Session Host server but it is not logged off. Note:
e Remote Desktop Services WMI provider. Note: If you enable this policy setting, you must also enable the Join R
on blob and the TPM user delegation blob in the local registry. This setting allows use of the TPM without requiri
t" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" o
in the Group Policy and local lists of blocked TPM commands.
and to the TPM that requires authorization. This value is the maximum number of authorization failures each st
ending a command to the TPM that requires authorization. The Standard User Individual Lockout value is the m
the policy setting has no effect. Note: The policy setting must be configured on the client computer, not the se
ir1\dir2\homedir). Users can access the home directory and any of its subdirectories from the home drive letter
DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.Important: If th
ng the slow link detection feature. To respond to a slow link, the system requires a local copy of the user's roam
the other policy settings set in this folder to determine how to proceed. By default, when the connection is slow
you enable this policy setting Windows will not check the permissions for the folder in the case where the folde
is downloaded on every computer that the user logs on to.

nfigure this policy setting, Windows waits 30 seconds for user input before applying the default user profile .
m the user's roaming profile by default. If you enable this policy setting, you can exclude additional folders. If yo
n to the machine. If you disable or do not configure this policy setting, Windows will delete the entire profile for
not block users from logging off. Instead, if the user has a roaming user profile, Windows will not synchronize th
ust the retry rate.) If you disable this policy setting or do not configure it, the system repeats its attempt 60 tim
, as indicated above. If you enable both the "Prevent Roaming Profile changes from propagating to the server"
ou have enabled the "Wait for remote user profile" policy setting, the system downloads the remote copy of the
roaming profile for a user. Windows reads profile configuration in the following order and uses the first configure
. For both scheduling options, there is a random one hour delay attached per-trigger to avoid overloading the s
n the local computer and enter a file share, the user's home folder will be placed in the network location withou
lders of these parent folders.
rprise software and/or line of business apps that depend on the domain information protected by this setting to
mote profile is appropriate when users move between computers frequently and the local copy of their profile is
n field specified, or if the drive has the same identification field as specified in the "Provide unique identifiers fo
ot have an identification field specified, or if the drive has the same identification field as specified in the "Provi
Network Unlock Certificate" on the domain controller to distribute this certificate to computers in your organiza
ure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from
recovery password in another folder.
ndows Server 2008, Windows 7)" and "Choose drive encryption method and cipher strength" policy settings (in t
ll use the default encryption method of AES 128-bit or the encryption method specified by the setup script.
fying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify w
er setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This
from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able t
rd to the default printer. For example, not allowing the 48-digit recovery password will prevent users from being
fault URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. Note: N
file specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register
BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in
ng access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocke
cker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-based encr
g, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-bas
, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-base
lexity requirements on the password, select "Require complexity". When set to "Require complexity" a connecti
. When set to "Require complexity" a connection to a domain controller is necessary when BitLocker is enabled
e password, select "Require complexity". When set to "Require complexity" a connection to a domain controller
different than the location of the item. If you enable this policy setting, users can preview items and get custom
ng before running downloaded unknown software Turn off SmartScreen
ght not operate correctly. If you disable this setting or do not configure it, the "Install Program As Other User" d
ation to are required to adhere to this policy setting.
dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhe
rives are displayed, or select the "Do not restrict drives" option in the drop-down list. Also, see the "Prevent acc
menu. A total of four links can be pinned on the Start menu. The "See more results" link will be pinned first by d
take precedence over Internet search links. The first several links will also be pinned to the Start menu. A tota
snap-in to view and change drive characteristics. Also, see the "Hide these specified drives in My Computer" se
default context menu" policy setting.
cessfully, but the installed program might not operate correctly. Note: If it is enabled, the "Do not request altern
esktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop and the "Do not allow F
policy setting is not enabled.
osoft.com/fwlink/?LinkId=25131).
ater disable this policy setting, Windows Firewall deletes the list of message types that you had enabled. If you
ater disable this policy setting, Windows Firewall deletes the list of message types that you had enabled. If you
u do not configure this policy setting, Windows Firewall does not open these ports. Therefore, the computer can
u do not configure this policy setting, Windows Firewall does not open these ports. Therefore, the computer can
ministration. You must specify the IP addresses or subnets from which these incoming messages are allowed. If
ministration. You must specify the IP addresses or subnets from which these incoming messages are allowed. If
does not open this port. Therefore, the computer cannot receive Remote Desktop requests unless an administr
does not open this port. Therefore, the computer cannot receive Remote Desktop requests unless an administr
eared and administrators cannot select it. If you do not configure this policy setting, Windows Firewall does not
eared and administrators cannot select it. If you do not configure this policy setting, Windows Firewall does not
ould not apply.
ould not apply.
local firewall rules should not apply.
local firewall rules should not apply.
nd Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows
nd Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows
also enable the "Windows Firewall: Allow local port exceptions" policy setting. If you disable this policy setting,
also enable the "Windows Firewall: Allow local port exceptions" policy setting. If you disable this policy setting,
am, click its definition, and then press the DELETE key. To edit a definition, remove the current definition from th
am, click its definition, and then press the DELETE key. To edit a definition, remove the current definition from th
her policy settings that allow unsolicited incoming messages. In the Windows Firewall component of Control Pane
her policy settings that allow unsolicited incoming messages. In the Windows Firewall component of Control Pane
used and the user cannot configure the HTTP proxy. If you do not configure this policy setting, users can configu
tting, users can configure the MMS proxy settings.
he Player.
cannot access an MMS or RTSP URL from a Windows Media server. If the "Hide network tab" policy setting is ena
umerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ra
forwarding attacks).
Account Control window and do not need elevated permissions to do either of these update-related tasks. On V
Windows RT PCs.
sers will be notified that they are ready to install. After going to Windows Update, users can install them. 4 = A
icy setting is enabled.

ox policy setting is enabled.
orted on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
ion. On Windows 8 and Windows RT, if this policy is Enabled, then only notifications related to restarts and the
u the opportunity to test updates before deploying them. If the status is set to Disabled or Not Configured, and i
tions for optional applications and updates. If you disable or do not configure this policy setting, Windows 7 use
is enabled, the links to Windows Update on the Start menu are also removed. Note: If you have installed Windo
bles button, and then, in the System variables box, click Path.
herefore, you should not enable this policy setting if the domain is not at the Windows Server 2008 domain func
is device will be prevented from enabling them. If this policy setting is not configured or is enabled, users can c
ontrol Panel item on their computers to set up Work Folders. If this policy setting is disabled or not configured,
d/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is
e this setting or do not configure it, "Add programs from your network" is available to all users. Note: If the "Hid
OS falls back on a local policy set by the registry DWORD value HKLM\System\CurrentControlSet\Control\WOW\D
properly. This option is useful to server administrators who require faster performance and are aware of the co
running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Man
setting in Computer Configuration takes precedence over the policy setting in User Configuration.
setting in Computer Configuration takes precedence over the policy setting in User Configuration.
be enabled for the other two policy settings to have any effect. If you disable or do not configure this policy set
oes affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" p
ot configured.
Custom--allows you to specify a bitmask, in which the bits describe cost states allowed or disallowed for this
background job transfers.

el item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resou
multiple applets, then its module name and string resource identification number should be entered. For examp
sual style.
an be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: TE
op Session Host running on all machines. TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session H
TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources
N. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.h
ifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host runn
cipal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The u
machines in .humanresources.fabrikam.com This policy setting can be used in combination with the "Allow dele
n all machines in .humanresources.fabrikam.com This policy setting can be used in combination with the "Allow
on Host running on all machines in .humanresources.fabrikam.com This policy setting can be used in combinati
M will always enforce the Activation security check for that DCOM server regardless of local settings. If you disa
n User Configuration\Administrative Templates\Control Panel. Note: This setting does not apply to remote deskt
osoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hid
off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option. The "Enabl
sable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent insta
configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devic
ystem in Control Panel. Right-click My Computer, click Properties, click the Hardware tab, and then click the Dri
vices role is not installed.

in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS c
mputer, right-click the name of an NTFS volume, click Properties, click the Quota tab, and then click "Enable quo
r volumes. Note: To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Ot
out the logged event, users can detect that they have reached their limit, because their status in the Quota Ent
e Quota tab.
re uses the physical space on each volume as its quota limit and warning level. When you select a limit, remem
query for "server.corp" first, and then a query for "server.corp.contoso.com." second if the first query fails. If yo
or each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new que
xes radio button is selected, the DNS client appends the following names to a single-label name when it sends D
ry and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to
register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this p
se for the registration refresh interval. For example, 1800 seconds is 30 minutes. If you enable this policy settin
s policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dy
known or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. I
to any Microsoft More information websites"": Select this option if you do not want error dialog boxes to displa
eminder. If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued,
ed. The setting for Number of days between solution check reminders determines the interval time between the
s data which Windows has determined (within a high probability) does not contain personally identifiable data, a
s data which Windows has determined (within a high probability) does not contain personally identifiable data, a
d information, see the Configure Error Reporting and Report Operating System Errors policy settings.
en if the Default dropdown in the Default application reporting policy setting is set to report no application error
g, the application is excluded from error reporting. You can also use the exclusion list in this policy setting to ex
behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted. If you do not co
ocol handler app. Any other Windows Runtime application will only be able to revoke access to content it prote
cific redirected folders available offline", that setting will override the configured value of "Do not automatically
ation, then deleted the content from the old network location.
ting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precede
ting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precede
ediately.
red. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy sett
red. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy sett
olicy is set to Not Configured.
olicy is set to Not Configured.
abled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. I
abled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. I
d any stored data is deleted. Users cannot configure this setting in Control Panel. If you disable this policy setti
d any stored data is deleted. Users cannot configure this setting in Control Panel. If you disable this policy setti
y setting, the behavior is the same as if it is not configured.

r snap-in uses the local Japanese ADM files, and you see the text in Japanese under Administrative Templates. I
enabled: 1 - At the first computer startup after the client computer has joined the domain. 2 - If the policy sett
able this policy, when Group Policy cannot determine the bandwidth speed across Direct Access, Group Policy w
hanges will not take effect until the next user logon or system restart. The "Process even if the Group Policy ob
until the next user logon or system restart. The "Process even if the Group Policy objects have not changed" opt
s and reapplies the policies even if the policies have not changed. Many policy implementations specify that the
low. The default is 500 milliseconds. The timeout value that is defined in this policy setting determines how lo
Active Directory Users and Computers, right-click a domain, and then click "Operations Masters."
nfiguration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies
nfiguration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies
ground updates are disabled, policy changes will not take effect until the next user logon or system restart. The
pdates are disabled, policy changes will not take effect until the next user logon or system restart. The "Process
o update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
restart. The "Process even if the Group Policy objects have not changed" option updates and reapplies the polic
. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a u
hanged" option updates and reapplies the policies even if the policies have not changed. Many policy setting im
uter's Group Policy Objects take precedence over the user's normal settings. If you disable this setting or do no
he next user logon or system restart. The "Process even if the Group Policy objects have not changed" option u
ect until the next user logon or system restart. The "Process even if the Group Policy objects have not changed
eed as slow. The default is 500 milliseconds. The timeout value that is defined in this policy setting determines
hen point to "View." In Group Policy Object Editor, preferences have a red icon to distinguish them from true set
Policy" policy. The Set Group Policy refresh interval for computers policy also lets you specify how much the actu
ent domain controllers with the same update interval from requesting updates simultaneously, the system varie
setting. This setting also lets you specify how much the actual update interval varies. To prevent clients with th
ce item changes do not take effect until the next user logon or system restart. 3. The "Process even if the Grou
nsion is available under User Configuration only, so computer configuration tracing is not applicable. 3. Group
ference item changes do not take effect until the next user logon or system restart. 3. The "Process even if the
xtension is available under User Configuration only, so computer configuration tracing is not applicable. 3. Gro
ges do not take effect until the next user logon or system restart. 3. The "Process even if the Group Policy objec
able under User Configuration only, so computer configuration tracing is not applicable. 3. Group Policy Modeli
e item changes do not take effect until the next user logon or system restart. 3. The "Process even if the Group
on is available under User Configuration only, so computer configuration tracing is not applicable. 3. Group Pol
re disabled, preference item changes do not take effect until the next user logon or system restart. 3. The "Pro
tension is available under User Configuration only, so computer configuration tracing is not applicable. 3. Group
take effect until the next user logon or system restart. 3. The "Process even if the Group Policy objects have no
r User Configuration only, so computer configuration tracing is not applicable. 3. Group Policy Modeling query tr
er is in use. When background updates are disabled, preference item changes do not take effect until the next u
ce extension is available under User Configuration only, so computer configuration tracing is not applicable. 3.
s do not take effect until the next user logon or system restart. 3. The "Process even if the Group Policy objects
ble under User Configuration only, so computer configuration tracing is not applicable. 3. Group Policy Modeling
nges do not take effect until the next user logon or system restart. 3. The "Process even if the Group Policy obje
ble under User Configuration only, so computer configuration tracing is not applicable. 3. Group Policy Modeling
item changes do not take effect until the next user logon or system restart. 3. The "Process even if the Group
lable under User Configuration only, so computer configuration tracing is not applicable. 3. Group Policy Modeli
background updates are disabled, preference item changes do not take effect until the next user logon or syste
er Configuration tracing: This preference extension is available under User Configuration only, so computer confi
in use. When background updates are disabled, preference item changes do not take effect until the next user l
eference extension is available under User Configuration only, so computer configuration tracing is not applicab
ed, preference item changes do not take effect until the next user logon or system restart. 3. The "Process eve
rence extension is available under User Configuration only, so computer configuration tracing is not applicable.
hen background updates are disabled, preference item changes do not take effect until the next user logon or s
ce extension is available under User Configuration only, so computer configuration tracing is not applicable. 3. G
mputer is in use. When background updates are disabled, preference item changes do not take effect until the
able under User Configuration only, so computer configuration tracing is not applicable. 3. Group Policy Modelin
sabled, preference item changes do not take effect until the next user logon or system restart. 3. The "Process
reference extension is available under User Configuration only, so computer configuration tracing is not applica
anges do not take effect until the next user logon or system restart. 3. The "Process even if the Group Policy ob
ilable under User Configuration only, so computer configuration tracing is not applicable. 3. Group Policy Model
use. When background updates are disabled, preference item changes do not take effect until the next user logo
ference extension is available under User Configuration only, so computer configuration tracing is not applicabl
nges do not take effect until the next user logon or system restart. 3. The "Process even if the Group Policy obj
ailable under User Configuration only, so computer configuration tracing is not applicable. 3. Group Policy Mode
changes do not take effect until the next user logon or system restart. 3. The "Process even if the Group Policy
available under User Configuration only, so computer configuration tracing is not applicable. 3. Group Policy M
e item changes do not take effect until the next user logon or system restart. 3. The "Process even if the Group
on is available under User Configuration only, so computer configuration tracing is not applicable. 3. Group Polic
this policy setting overrides any "Permit use of <extension name> preference extension" policy settings. If you
ng overrides any "Permit use of <extension name> preference extension" policy settings. If you do not configur
ons of Windows. The "Shortcut" command is used to add a link to a Help topic, and runs executables that are ex
ents/Event Viewer".
lorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero)
lorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero)
nd enabled. If you disable this policy setting for an application or process in the list, a script that is running in th
nd enabled. If you disable this policy setting for an application or process in the list, a script that is running in th
ns that are not included in the 'Add-on List' policy setting. Note: If an add-on is listed in the 'Add-on List' policy s
ns that are not included in the 'Add-on List' policy setting. Note: If an add-on is listed in the 'Add-on List' policy s
dy been configured for Internet Explorer.

otected Mode for that particular website. If you enable this policy setting, Internet Explorer will not give the use
otected Mode for that particular website. If you enable this policy setting, Internet Explorer will not give the use
estination are in different windows. Users cannot change this setting.
domain when the source and destination are in the same window. Users cannot change this setting in the Interne
on bar, the menu bar, and the Command bar.
on bar, the menu bar, and the Command bar.
y management features (for example, precedence, inheritance, or enforce) to apply individual settings to specifi
lick Administrator Approved.
e the user name and password. If you disable this policy setting, logon is set to Automatic logon only in Intrane
dify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom
off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking D
off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking D
the processes configured in this policy setting take precedence over that setting. If you do not configure this po
the processes configured in this policy setting take precedence over that setting. If you do not configure this po
sses policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configu
sses policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configu
setting, the security feature is allowed.
setting, the security feature is allowed.
e over that setting. If you disable or do not configure this policy setting, the security feature is allowed.
e over that setting. If you disable or do not configure this policy setting, the security feature is allowed.
All Processes policy setting is enabled, the processes configured in this box take precedence over that setting.
All Processes policy setting is enabled, the processes configured in this box take precedence over that setting.
gs" policy.
ab processes to low, medium, or high, or to an integer. If you disable or do not configure this policy setting, the
ab processes to low, medium, or high, or to an integer. If you disable or do not configure this policy setting, the
site. For each entry that you add to the list, enter the following information: Valuename A host for an intrane
site. For each entry that you add to the list, enter the following information: Valuename A host for an intrane
f this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List"
f this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List"
r can turn on and turn off Internet Explorer 7 Standards Mode.
r can turn on and turn off Internet Explorer 7 Standards Mode.
tent. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This op
tent. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This op
upport for claims, compound authentication and Kerberos armoring" must be enabled on supported systems. If t
not affect anything.
es the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist.
ttings defined by Group Policy are deleted. If you do not configure this policy setting, the system uses the intero
es. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than
y setting, the Kerberos client does not have KDC proxy servers settings defined by Group Policy.
olicy is applied. For example, if Hash Publication for BranchCache is enabled in domain Group Policy, hash public
using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabl
gons to be detected. If a user with a roaming profile, home directory, or user object logon script logs on to a com
"" To suppress the welcome screen without specifying a setting, clear the ""Show this screen at startup"" check
"" To suppress the welcome screen without specifying a setting, clear the ""Show this screen at startup"" check
" policy setting.

" policy setting.
so, see the ""Do not process the legacy run list"" and the ""Do not process the run once list"" settings.
so, see the ""Do not process the legacy run list"" and the ""Do not process the run once list"" settings.
bited snap-in, the console file opens, but the prohibited snap-in does not appear.
en a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-
plicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly
Group Policy tab. To explicitly prohibit use of the Group Policy tab, disable this setting. If this setting is not confi
y setting to take effect. Changes take effect immediately. This policy setting will take effect only when MSDT is
ents software from being installed.
missions this policy setting grants to change their privileges and gain permanent access to restricted files and f
missions this policy setting grants to change their privileges and gain permanent access to restricted files and f
s enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder.
s enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder.
mitigate a system restart, when possible.
user to browse for source while elevated" policy setting.

installation, the transform file is available, even if the user is on a different computer or is not connected to the
ndows Installer only. It does not prevent users from using other methods to install and upgrade programs.
Only. If you disable this policy setting, the troubleshooting and recovery behavior for corrupted files will be disa
Convention (UNC) path to a file that NCA checks for existence. The contents of the file do not matter. The synta
et. To restore the DirectAccess rules to the NRPT and resume normal DirectAccess functionality, the user clicks C
ography algorithms.
default behavior of DC Locator.

his is the default behavior. If you disable this policy setting, the DC location algorithm can use NetBIOS-based d
flag. Rediscovery resets the timer on the cached domain controller entries. If you enable this policy setting, DC
n controller supports both IPv4 and IPv6 addresses, DC Locator APIs will return IPv4 address. But if the domain c
might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, a
Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application t
onfiguration.
nsDomainName> KdcAtSite SRV _kerberos._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName> Dc
DNS records to longer than the Refresh Interval of the DNS zones may result in the undesired deletion of DNS re
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
S_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honored. If you do not configure
me in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, in the ev
or a domain with a single label DNS name that exists in the Active Directory forest to which this computer is join
t applied to any computers, and computers use their local configuration.

setting will not apply to administrators on post-Windows 2000 computers. If you do not configure this setting, o
-Windows 2000 computers. If you do not configure this setting, only Administrators and Network Configuration
nnections" settings. Note: This setting does not prevent users from using other programs, such as Internet Exp
tem on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection
ox. If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users.
To view or change the properties of a component, click the name of the component, and then click the Propertie
t list. Note: Not all network components have configurable properties. For components that are not configurable
ot appear or disappear in the Network Connections folder until the folder is refreshed. Note: This setting does n
elected component in the components list (above the button). The Install and Uninstall buttons appear in the pr
item appears when any user right-clicks the icon representing a private remote access connection. Also, when a
setting takes precedence over the "Ability to delete all user remote access connections" setting. Users cannot d
AN connection. Note: Nonadministrators are already prohibited from enabling or disabling components for a LAN
ain access to the Advanced button for TCP/IP configuration. Note: Nonadministrators (excluding Network Configu
In addition, the Internet Connection Firewall is not enabled for remote access connections created through the
onnection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is
onfiguration. Tip: To configure this setting without establishing a setting, in Windows Explorer, on the Tools men
onfiguration. Tip: To configure this setting without establishing a setting, in Windows Explorer, on the Tools men
hares in user selected Work Offline mode as well. If you disable or do not configure this policy setting, Windows
s (*) for specifying UNC paths. If you do not specify a Latency or Throughput value, computers running Windows
ing without specifying a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline F
remote files will not be cached. If you enable this policy setting, transparent caching is enabled and configurab
iles cache is controlled by the user through the user interface. The current cache state is retained, and if the ca
s are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration
s are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration
ck Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off"
ck Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off"
tion. Tip: To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools
tion. Tip: To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools
vent your mobile users from being able to use their peer to peer applications at home. 3. In order to use a corpo
ce Discovery Protocol). The SSDP service must be enabled (which it is by default) for this policy to have effect.
ervice Discovery Protocol). The SSDP service must enabled (which it is by default) for this policy to have effect.
ervice Discovery Protocol). The SSDP service must be enabled (which it is by default) for this policy to have effec
address compatible with the clouds scope.
be configured by using the Services snap-in to the Microsoft Management Console.
puters, you can specify Not Configured for this domain Group Policy setting, and then configure local computer
e following versions" that you specify. - Disabled. With this selection, this policy setting is not applied to client c
. Client computers to which this policy setting is applied, in addition to the "Set BranchCache Hosted Cache mo
applied, the client computer performs or does not perform automatic hosted cache server discovery under the
uters. - Enabled. With this selection, the BranchCache client computer cache age setting is enabled for all clien
not over-write the enabled setting that you use on individual client computers where you want to enable Branch
policy to enable BranchCache on individual client computers. Because the domain Group Policy setting is not co
puter cache setting that you use on individual client computers. - Enabled. With this selection, the BranchCache
computers where you want to enable BranchCache. - Enabled. With this selection, BranchCache is turned on for
ystem restart or service restart is required for this policy to take effect: changes take effect immediately. This po
cy is not configured. No system restart or service restart is required for this policy to take effect: changes take
ostics-wide scenario execution policy is not configured. No system restart or service restart is required for this
policy is not configured. No system restart or service restart is required for this policy to take effect: changes ta
s in the list must be installed on the computer. Note: This policy setting exists under both Computer Configurati
s in the list must be installed on the computer. Note: This policy setting exists under both Computer Configurati
ters. Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Po
ters. Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Po
ain" arrow, click "turn on network discovery", and then click "Save changes". If you would like to not display prin
ted to the print server. Upon reconnecting to the server, the client will submit any pending print jobs. Note: Som
he "Turn on Classic Shell" and "Do not allow Folder Options to be opened from the Options button on the View ta
to have the same behavior.

ess. After changing the policy, a running application must be relaunched before settings take effect.
print servers.
print servers.
Print. -Windows Vista computers will show a warning and an elevated command prompt when an existing print
Print. -Windows Vista computers will show a warning and an elevated command prompt when an existing print
sed on IP address and subnet mask).
disabled, or not configured, users can add printers using the methods described above.
g events; the actual pruning of a printer is always logged. Note: This setting is used only on domain controllers.
hat printer objects that are not automatically republished are never pruned. "Never" is the default. -- "Only if P
till be able to view and installed assigned (partially installed) programs that are offered on the desktop or on the
olicy is not configured. No system restart or service restart is required for this policy to take effect: changes tak
he computer and accessing the System Recovery Options menu, if it is available.
his policy setting, the default behavior for the Shutdown Event Tracker occurs. Note: By default, the Shutdown E
of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups,
sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer ca
applied until the system is rebooted.
able this policy setting, then: -- "Off" directs the RPC Runtime to generate RPC_S_SEC_PKG_ERROR if the client
computer has at least 128 MB of memory and is running Windows 2000 Server, Windows 2000 Advanced Serve
s. To disable extended error information for a process while this policy setting is in effect, the command that sta
restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considere
be used. If you do not configure this policy setting, it will remain disabled. The idle connection timeout on the I
pts for GPOs B and C run in the following order for DesktopSales: Within GPO B: B.cmd, B.ps1 Within GPO C: C.
O B: B.cmd, B.ps1 Within GPO C: C.cmd, C.ps1 Note: This policy setting determines the order in which user logo
O B: B.cmd, B.ps1 Within GPO C: C.cmd, C.ps1 Note: This policy setting determines the order in which user logo
m and inconvenience users. However, if the interval is too short, prerequisite tasks might not be done, and the s
nly take effect when the Task Scheduler service is in the running state. When the service is stopped or disabled
llow list, even if you want to enable this policy without an allow list. Create a list entry by putting a space in the
2 ---------------------- In Windows XP SP2, the essential security settings that are monitored by Security Center inc
erver 2008 and Windows Server 2008 R2, or 10 minutes in Windows Server 2012.
ate, if that is allowed by the policy settings for the computer.
Winword.exe, Poledit.exe, Powerpnt.exe).
g., Winword.exe, Poledit.exe, Powerpnt.exe).

take place. If you disable this policy setting, no filtering will take place.
P\Parameters\ValidCommunities key to allow only the local admin group full control. Note: It is good practice to
SNMP agent is not installed on the client computer. Also, see the other two SNMP policy settings: "Specify trap c
on/Logoff.
ms display at the bottom of the File menu. See the "Do not keep history of recently opened documents" setting.
er. If you enable this setting but do not enable the "Remove Recent Items menu from Start Menu" setting, the R
File Explorer and in Internet Explorer.
strative Templates\System\Logon/Logoff.
" setting. This setting also does not hide document shortcuts displayed in the Open dialog box. See the "Hide th
certification to adhere to this setting.
olicy setting, the Search link is available from the Start menu.
d and users will be able to customize it.
d and users will be able to customize it.
th the Prevent Input Panel from appearing next to text entry areas policy and the Prevent Input Panel tab from
th the Prevent Input Panel from appearing next to text entry areas policy and the Prevent Input Panel tab from
o configure this setting in the Input Panel Options dialog box. If you do not configure this policy, rarely used Ch
y to access Input Panel.
y to access Input Panel.
d Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in th
nt scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in
nt scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in
over the setting in User Configuration.
over the setting in User Configuration.
esent, the host will not have a 6to4 interface. Policy Disabled State: 6to4 is turned off and connectivity with 6to
d from the ISATAP router through stateless address auto-configuration. If the ISATAP name is not resolved succes
e RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user rece
ning the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the u
dio and video playback redirection is allowed. If you disable this policy setting, audio and video playback redire
plates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user auth
mize network traffic. Even if you choose not to use an RDP compression algorithm, some graphics data will still b
X Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacte
dows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
etting is enabled. 3. To be an active member of an RD Session Host server farm, the computer account for each
is disabled.
his policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file d
er Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy sett

tor specifies otherwise.
curity, it is also highly recommended that you specify the authentication method by using the "Set RD Gateway
out session, unless specified otherwise in local settings. Note: This policy setting only applies to time-out limits
out session, unless specified otherwise in local settings. Note: This policy setting only applies to time-out limits
ot configured, the policy setting is not specified at the Group Policy level. Notes: 1. If you enable this policy set
setting. Note: You should only enable this policy setting when the license server is a member of a domain. You c
onfigured on the client computer is higher than the audio playback quality configured on the remote computer,
g at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32
ces running on the server. If the status is set to Disabled or Not Configured, limits to the number of connection
d on the size of the entire roaming user profile cache on the local drive. Note: This policy setting is ignored if th
m screen capture rate and the medium image compression settings were selected (the default behavior).
nly issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server is not ava
remote connection to an RD Session Host server. For Windows Server 2003 and Windows 2000 Server a user w
ost\Session Time Limits\Set time limit for disconnected sessions" policy setting.
ct this setting, the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encr
ng on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentica
top Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and
rtificate template, the certificate that will expire latest and that matches the current name of the RD Session Ho
D Session Host servers. * Client Compatible: The Client Compatible setting encrypts data sent between the clie
displays an error message on the RD Session Host server and will store the user profiles locally on the RD Sessio
not specified, the NTLM protocol that is enabled on the client or a smart card can be used for authentication.
ernative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If u
directories in the network location. If the status is set to Enabled, Remote Desktop Services creates the user's
ministrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session T

ministrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session T
ws Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when t
ws Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when t
y level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount o
y level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount o
account.
e printer driver can be found, default to the PostScript (PS) fallback printer driver. "Show both PCL and PS if one
and user's default .rdp settings" policy setting. If the list contains a string that is not a certificate thumbprint, i
path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection
path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection
rm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Bro
er is not available for the Remote Desktop Services session. Note: If the "Do not allow client printer redirection
er is not available for the Remote Desktop Services session. Note: If the "Do not allow client printer redirection
y on the remote computer to make Windows Aero features available for remote desktop sessions. For example,
gure this policy setting, remote users can only start programs that are listed in the RemoteApp programs list wh
is not logged off. Note: This policy setting appears in both Computer Configuration and User Configuration. If b
is not logged off. Note: This policy setting appears in both Computer Configuration and User Configuration. If b
ust also enable the Join RD Connection Broker, the Configure RD Connection Broker farm name, and the Configu
the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is app
y by running "tpm.msc" or through scripting against the Win32_Tpm interface. See related policy settings to enf
orization failures each standard user may have before the user is not allowed to send commands requiring auth
al Lockout value is the maximum number of authorization failures each standard user may have before the user
ent computer, not the server, for it to have any effect, because the client computer sets the file share permissio
om the home drive letter, but they cannot see or access its parent directories. %HOMEPATH% stores a final back
nections.Important: If the "Do not detect slow network connections" policy setting is enabled, this policy setting
l copy of the user's roaming profile.
en the connection is slow, the system loads the local copy of the user profile.
the case where the folder exists. If you disable or do not configure this policy setting AND the roaming profile f
e default user profile .

e additional folders. If you disable this policy setting or do not configure it, only the default folders are excluded
lete the entire profile for roaming users, including the Windows Installer and Group Policy software installation d
ws will not synchronize the user's profile with the roaming profile server if the maximum profile size limit specifie
epeats its attempt 60 times. If you set the number of retries to 0, the system tries just once to unload and upda
opagating to the server" setting and the "Only allow local user profiles" setting, roaming profiles are disabled. N
s the remote copy of the user profile without consulting the user. In Microsoft Windows Vista, the system will ign
d uses the first configured policy setting it reads. 1. Terminal Services roaming profile path specified by Termina
o avoid overloading the server with simultaneous uploads. For example, if the settings dictate that the user's reg
e network location without mapping the file share to a drive letter. If you disable or do not configure this policy
tected by this setting to connect with network resources. If you do not configure or disable this policy the user
al copy of their profile is not always current. Using the local copy is desirable when quick logging on is a priority.
vide unique identifiers for your organization" policy setting, the user will be prompted to update BitLocker and B
as specified in the "Provide unique identifiers for your organization" policy setting, the user will be prompted to
mputers in your organization. This unlock method uses the TPM on the computer, so computers that do not have
figured separately from BitLocker. Note: If the group policy setting "Configure TPM platform validation profile fo
ngth" policy settings (in that order), if they are set. If none of the policies are set, BitLocker will use the default e
by the setup script.
not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery opti
BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn
hat you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker re
prevent users from being able to print or save recovery information to a folder. If you disable or do not configure
ecovery screen. Note: Not all characters and languages are supported in pre-boot. It is strongly recommended
m Configuration Register (PCR) indices ranging from 0 to 23, The default platform validation profile secures the e
BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the comput
ts change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive
e. If hardware-based encryption is not available BitLocker software-based encryption will be used instead. Note:
he drive. If hardware-based encryption is not available BitLocker software-based encryption will be used instead
e drive. If hardware-based encryption is not available BitLocker software-based encryption will be used instead.
e complexity" a connection to a domain controller is necessary when BitLocker is enabled to validate the compl
hen BitLocker is enabled to validate the complexity the password. When set to "Allow complexity" a connection
n to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When
ew items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. If you disab
Program As Other User" dialog box appears whenever users install programs locally on the computer. By default
later certification to adhere to this setting.

lso, see the "Prevent access to drives from My Computer" policy setting.
k will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" link is pinned se
o the Start menu. A total of four links can be included on the Start menu. The "See more results" link will be pin
rives in My Computer" setting.
he "Do not request alternate credentials" setting takes precedence over this setting. When that setting is enable
p and the "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" sett
you had enabled. If you do not configure this policy setting, Windows Firewall behaves as if you had disabled it.
you had enabled. If you do not configure this policy setting, Windows Firewall behaves as if you had disabled it.
efore, the computer cannot share files or printers unless an administrator uses other policy settings to open the
efore, the computer cannot share files or printers unless an administrator uses other policy settings to open the
messages are allowed. If you disable or do not configure this policy setting, Windows Firewall does not open TCP
messages are allowed. If you disable or do not configure this policy setting, Windows Firewall does not open TCP
ests unless an administrator uses other policy settings to open the port. In the Windows Firewall component of
ests unless an administrator uses other policy settings to open the port. In the Windows Firewall component of
Windows Firewall does not open these ports. Therefore, the computer cannot receive Plug and Play messages unl
Windows Firewall does not open these ports. Therefore, the computer cannot receive Plug and Play messages unl
policy setting, Windows Firewall leaves the log file intact. If you do not configure this policy setting, Windows F
policy setting, Windows Firewall leaves the log file intact. If you do not configure this policy setting, Windows F
isable this policy setting, the port exceptions list defined by Group Policy is deleted, but other policy settings ca
isable this policy setting, the port exceptions list defined by Group Policy is deleted, but other policy settings ca
current definition from the list and add a new one with different parameters. To allow administrators to add prog
current definition from the list and add a new one with different parameters. To allow administrators to add prog
omponent of Control Panel, the "Block all incoming connections" check box is cleared by default, but administrat
omponent of Control Panel, the "Block all incoming connections" check box is cleared by default, but administrat
setting, users can configure the HTTP proxy settings.

tab" policy setting is enabled, the entire Network tab is hidden. If you do not configure this policy setting, user
within one of the filter ranges. You should use an asterisk (*) to indicate that the service listens on all available
date-related tasks. On Vista: If you enable this policy setting, users will not see a User Account Control window
s can install them. 4 = Automatically download updates and install them on the schedule specified below. Spec
lated to restarts and the inability to detect updates will be shown. The notification options are not supported. No
or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Update
y setting, Windows 7 users will not be offered detailed notification messages for optional applications, and Wind
you have installed Windows XP Service Pack 1 or the update to Automatic Updates that was released after Wind
Server 2008 domain functional level. If you disable or do not configure this setting, messages about the previou
or is enabled, users can choose to enable or disable either "Connect to suggested open hotspots" or "Connect t
sabled or not configured, no Work Folders settings are specified for the affected users, though users can manual
ponents page" setting is enabled, this setting is ignored.
ll users. Note: If the "Hide Add New Programs page" setting is enabled, this setting is ignored.
ontrolSet\Control\WOW\DisallowedPolicyDefault. If that value is non-0, this prevents all 16-bit applications from
and are aware of the compatibility of the applications they are using. It is particularly useful for a web server w
p-in to the Microsoft Management Console.

nfiguration.
nfiguration.
configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directl
used for Peercaching" policy setting should be used for that purpose. Consider using this setting to prevent BI
ed or disallowed for this priority: (bits described here) 0x1 - The cost is unknown or the connection is unlimited
le name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System
d be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A compl
he SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on
emote Desktop Session Host running on all machines in .humanresources.fabrikam.com
on host.humanresources.fabrikam.com machine TERMSRV/* Remote Desktop Session Host running on all mach
n Host running on host.humanresources.fabrikam.com machine TERMSRV/* Remote Desktop Session Host runn
esktop Session Host running on host.humanresources.fabrikam.com machine TERMSRV/* Remote Desktop Sess
s can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example:
tion with the "Allow delegating default credentials" policy setting to define exceptions for specific servers that a
mbination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers th
an be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions for
ocal settings. If you disable this policy setting, the appid exemption list defined by Group Policy is deleted, and
ot apply to remote desktop server sessions.
its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into
lock" option. The "Enabled with UEFI lock" option ensures that Credential Guard cannot be disabled remotely. In
evice, the "Prevent installation of devices not described by other policy settings" policy setting determines whe
vent installation of devices not described by other policy settings" policy setting determines whether the device
ab, and then click the Driver Signing button.
not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. Note
d then click "Enable quota management."

g level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit.
r status in the Quota Entries window changes. Note: To find the logging option, in My Computer, right-click the
you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume
the first query fails. If you enable this policy setting, suffixes are allowed to be appended to an unqualified mul
d suffix, and this new query is submitted. The values are used in the order they appear in the string, starting wit
bel name when it sends DNS queries: The primary DNS suffix, as specified on the Computer Name tab of the Sy
s the following names to a single-label name when it sends DNS queries: The primary DNS suffix, as specified o
microsoft.com when this policy setting is enabled. Important: This policy setting is ignored on a DNS client comp
u enable this policy setting, registration refresh interval that you specify will be applied to all network connectio
t be replaced during a dynamic update, and an error will be recorded in Event Viewer.
d to be Bad is skipped. If your malware detection application does not include an Early Launch Antimalware boo
or dialog boxes to display links to Microsoft websites. - ""Do not collect additional files"": Select this option if yo
reports are not queued, and users can only send reports at the time that a problem occurs.
nterval time between the display of system notifications that remind the user to check for solutions to problems
onally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. -
onally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. -
olicy settings.
eport no application errors. If the Report all errors in Microsoft applications or Report all errors in Windows comp
n this policy setting to exclude specific Microsoft applications or parts of Windows if the check boxes for these ca
empted. If you do not configure this setting, the recovery behavior for corrupted files will be set to the regular r
ccess to content it protected. Note: File revocation applies to all content protected under the same second lev
of "Do not automatically make all redirected folders available offline".
icy setting takes precedence.

icy setting takes precedence.
d on per-user policy settings. To set this policy setting on a per-user basis, make sure that you do not configure
d on per-user policy settings. To set this policy setting on a per-user basis, make sure that you do not configure
r-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on pe
r-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on pe
u disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Contro
u disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Contro
ministrative Templates. If you disable or do not configure this setting, the Group Policy Object Editor snap-in alw
ain. 2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled. If you dis
t Access, Group Policy will evaluate the network connection as a fast link and process all client side extensions.
en if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies h
s have not changed" option updates and reapplies the policies even if the policies have not changed. Many poli
entations specify that they are updated only when changed. However, you might want to update unchanged pol
etting determines how long Group Policy will wait for a response from the domain controller before determining
Masters."
es a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow
es a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow
on or system restart. The "Process even if the Group Policy objects have not changed" option updates and reap
em restart. The "Process even if the Group Policy objects have not changed" option updates and reapplies the p
has changed it.

es and reapplies the policies even if the policies have not changed. Many policy implementations specify that th
policy setting in case a user has changed it.
d. Many policy setting implementations specify that they are updated only when changed. However, you might
able this setting or do not configure it, the user's Group Policy Objects determines which user settings apply. No
ve not changed" option updates and reapplies the policies even if the policies have not changed. Many policy im
bjects have not changed" option updates and reapplies the policies even if the policies have not changed. Many
olicy setting determines how long Group Policy will wait for a response from the domain controller before determ
guish them from true settings, which have a blue icon.
pecify how much the actual update interval varies. To prevent clients with the same update interval from reques
neously, the system varies the update interval for each controller by a random number of minutes. The number
To prevent clients with the same update interval from requesting updates simultaneously, the system varies the
Process even if the Group Policy objects have not changed" option updates and reapplies the preference items e
ot applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension
The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference it
is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extens
if the Group Policy objects have not changed" option updates and reapplies the preference items even if the pr
. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when you pe
Process even if the Group Policy objects have not changed" option updates and reapplies the preference items e
applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension wh
tem restart. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplies t
not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extensio
up Policy objects have not changed" option updates and reapplies the preference items even if the preference it
Policy Modeling query tracing: To perform tracing for items in this preference extension when you perform a Gr
ke effect until the next user logon or system restart. 3. The "Process even if the Group Policy objects have not c
ing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference ext
the Group Policy objects have not changed" option updates and reapplies the preference items even if the pref
3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when you perf
n if the Group Policy objects have not changed" option updates and reapplies the preference items even if the p
3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when you per
ocess even if the Group Policy objects have not changed" option updates and reapplies the preference items ev
e. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when you pe
next user logon or system restart. 3. The "Process even if the Group Policy objects have not changed" option u
n only, so computer configuration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform
ffect until the next user logon or system restart. 3. The "Process even if the Group Policy objects have not chan
on tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preferen
art. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the prefe
tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference
l the next user logon or system restart. 3. The "Process even if the Group Policy objects have not changed" opti
ng is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference ext
not take effect until the next user logon or system restart. 3. The "Process even if the Group Policy objects have
3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when you per
restart. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the pr
ion tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this prefere
ven if the Group Policy objects have not changed" option updates and reapplies the preference items even if the
e. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when you p
ct until the next user logon or system restart. 3. The "Process even if the Group Policy objects have not changed
n tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preferen
en if the Group Policy objects have not changed" option updates and reapplies the preference items even if the p
le. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when you p
even if the Group Policy objects have not changed" option updates and reapplies the preference items even if t
cable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when yo
rocess even if the Group Policy objects have not changed" option updates and reapplies the preference items ev
applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension wh
n" policy settings. If you do not configure this policy setting, you permit use of preference extensions under Co
s. If you do not configure this policy setting, you permit use of preference extensions under Control Panel Settin
s executables that are external to the Help file. The "WinHelp" command is used to add a link to a Help topic, an
denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field
denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field
script that is running in the application or process cannot bypass the prompt for delete, copy, or paste operation
script that is running in the application or process cannot bypass the prompt for delete, copy, or paste operation
the 'Add-on List' policy setting, the user cannot change its state through Add-on Manager (unless its value has
the 'Add-on List' policy setting, the user cannot change its state through Add-on Manager (unless its value has
orer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode websites will run
orer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode websites will run
this setting in the Internet Options dialog.
ividual settings to specific targets.


atic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Automatic logon only i
atic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Automatic logon with c
atic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Prompt for username a
s, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved.
ack data when clicking Delete.
ack data when clicking Delete.
do not configure this policy, processes other than the Internet Explorer processes will not be affected by add-o
do not configure this policy, processes other than the Internet Explorer processes will not be affected by add-o
ed, the processes configured in this box take precedence over that setting. If you disable or do not configure thi
ed, the processes configured in this box take precedence over that setting. If you disable or do not configure thi
ature is allowed.
ature is allowed.
dence over that setting. If you disable or do not configure this policy setting, the security feature is allowed.
dence over that setting. If you disable or do not configure this policy setting, the security feature is allowed.
re this policy setting, the tab process growth is set to the default. The user can change this value by using the r
re this policy setting, the tab process growth is set to the default. The user can change this value by using the r
me A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includ
me A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includ
hrough the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and
hrough the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and
Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content w
Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content w
n supported systems. If the Kerberos policy setting is not enabled, Kerberos authentication messages will not us
hey exist.
he system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist.
set this value more than 48,000 bytes.
p Policy.
Group Policy, hash publication is turned on for all domain member file servers to which the policy is applied. The
osoft recommends disabling insecure guest logons and configuring file servers to require authenticated access."
on script logs on to a computer, computers always wait for the network to be initialized before logging the user
creen at startup"" check box on the welcome screen.

creen at startup"" check box on the welcome screen.
e list"" settings.
e list"" settings.
but the prohibited snap-in does not appear. Note: If you enable this setting, and you do not enable any setting
in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this po
If this setting is not configured (or enabled), the Group Policy tab is accessible. When the Group Policy tab is in
effect only when MSDT is enabled. This policy setting will only take effect when the Diagnostic Policy Service (D
ss to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed
ss to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed
the other folder.
the other folder.
r is not connected to the network.
upgrade programs.
orrupted files will be disabled. No troubleshooting or resolution will be attempted. If you do not configure this p
do not matter. The syntax is FILE: followed by a UNC path. The ComputerName portion of the UNC path must
tionality, the user clicks Connect. Note If the DirectAccess client computer is on the intranet and has correctly
can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails.
le this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically according to the c
dress. But if the domain controller supports only IPv6 address, then DC Locator APIs will fail. If you do not config
this setting is enabled, an application that relies on the ability to lock files on the Netlogon share with only read
enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will
DnsDomainName> Dc SRV _ldap._tcp.dc._msdcs.<DnsDomainName> DcAtSite SRV _ldap._tcp

desired deletion of DNS resource records. To specify the Refresh Interval of the DC records, click Enabled, and th
If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for the
bel name only, in the event that DNS resolution fails. If you disable this policy setting, when the AllowSingleLab
hich this computer is joined. If you do not configure this policy setting, it is not applied to any computers, and c
t configure this setting, only Administrators and Network Configuration Operators can change properties of all-u
d Network Configuration Operators can delete all user remote access connections. Important: When enabled, th
ms, such as Internet Explorer, to rename remote access connections.
emote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling com
on is available to users. Note: Nonadministrators have the right to view the properties dialog box for a connect
d then click the Properties button beneath the component list. Note: Not all network components have configur
that are not configurable, the Properties button is always disabled. Note: When the "Ability to change propertie
Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this se
buttons appear in the properties dialog box for connections. These buttons are on the General tab for LAN conn
connection. Also, when any user selects the connection, Properties appears on the File menu. Note: This settin
s" setting. Users cannot delete any remote access connections, and the "Ability to delete all user remote access
ng components for a LAN connection, regardless of this setting.
xcluding Network Configuration Operators) do not have permission to access TCP/IP advanced configuration for
ons created through the Make New Connection Wizard. The Network Setup Wizard is disabled. Note: If you enab
Network Setup Wizard is available only in Windows XP Professional.) By default, ICS is disabled when you crea
xplorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an op
xplorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an op
policy setting, Windows performs a background sync of offline folders in the slow-link mode at a default interva
puters running Windows Vista or Windows Server 2008 will not use the slow-link mode. If you do not configure
ptions, click the Offline Files tab, and then use the slider bar associated with the "Amount of disk space to use f
enabled and configurable. If you disable or do not configure this policy setting, remote files will be not be trans
is retained, and if the cache is only partially encrypted, the operation completes so that it is fully encrypted. The
ing in User Configuration.
ing in User Configuration.
files before logging off" option.
files before logging off" option.
over the setting in User Configuration. Tip: To change the synchronization method without setting a setting, in
over the setting in User Configuration. Tip: To change the synchronization method without setting a setting, in
ws Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds
ws Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds
3. In order to use a corporate seed server and the global seed server, enable the setting; insert the fully qualifie
his policy to have effect.

is policy to have effect.
r this policy to have effect.
onfigure local computer policy to enable BranchCache latency settings on individual client computers. Because
g is not applied to client computers, and the clients run the version of BranchCache that is included with their op
Cache Hosted Cache mode" policy setting, use the hosted cache servers that are specified in this policy setting
ver discovery under the following circumstances: If no other BranchCache mode-based policy settings are appl
ng is enabled for all client computers where the policy is applied. For example, if this policy setting is enabled in
u want to enable BranchCache. - Enabled. With this selection, BranchCache distributed cache mode is enabled
up Policy setting is not configured, it will not over-write the enabled setting that you use on individual client com
lection, the BranchCache client computer cache setting is enabled for all client computers where the policy is a
chCache is turned on for all client computers where the policy is applied. For example, if this policy is enabled i
ect immediately. This policy setting will only take effect when the Diagnostic Policy Service is in the running sta
ake effect: changes take effect immediately. This policy setting will only take effect when the Diagnostic Policy
start is required for this policy to take effect: changes take effect immediately. This policy setting will only take
to take effect: changes take effect immediately. This policy setting will only take effect when the Diagnostic Pol
th Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration polic
th Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration polic
figuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User
figuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User
uld like to not display printers of a certain type, enable this policy and set the number of printers to display to 0.
ding print jobs. Note: Some printer drivers require a custom print processor. In some cases the custom print pro
ons button on the View tab of the ribbon" settings in User Configuration\Administrative Templates\Windows Com
take effect.
pt when an existing printer connection driver needs to be updated. -Windows Server 2003 and Windows XP clie
pt when an existing printer connection driver needs to be updated. -Windows Server 2003 and Windows XP clie
y on domain controllers.
the default. -- "Only if Print Server is found" prunes printer objects that are not automatically republished only
on the desktop or on the Start menu. If this setting is disabled or is not configured, the "Install a program from
take effect: changes take effect immediately. This policy setting will only take effect when the Diagnostic Policy
y default, the Shutdown Event Tracker is only displayed on computers running Windows Server.
per user or user groups, use the following format: <Domain Name>\<User Name> or <Domain Name>\<Grou
g email or file transfer can remain open. The "Select the method for sending email invitations" setting specifies
_PKG_ERROR if the client asks for delegation, but the created security context does not support delegation. --
ws 2000 Advanced Server, or Windows 2000 Datacenter Server. -- "Server" directs RPC to maintain basic state
t, the command that starts the process must begin with one of the strings in the Extended Error Information Exc
A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if i
nnection timeout on the IIS server running the RPC HTTP proxy will be used. If you enable this policy setting, an
B.ps1 Within GPO C: C.cmd, C.ps1 Note: This policy setting determines the order in which computer startup a
order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy sett
order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy sett
ht not be done, and the system can appear to be ready prematurely. If you disable or do not configure this setti
ce is stopped or disabled, scheduled diagnostics will not be executed. The Task Scheduler service can be config
by putting a space in the name field and a space in the value field and then save it. This will create a placeholde
ed by Security Center include firewall, antivirus, and Automatic Updates. Note that Security Center might not b
te: It is good practice to use a cryptic community name. Note: This policy setting has no effect if the SNMP age
y settings: "Specify trap configuration" and "Specify Community Name".
ned documents" setting. This policy setting also does not hide document shortcuts displayed in the Open dialog
tart Menu" setting, the Recent Items menu appears on the Start menu, but it is empty. If you enable this setting
alog box. See the "Hide the dropdown list of recent files" setting.
event Input Panel tab from appearing policy, and disable the Show Input Panel taskbar icon policy, the user w
event Input Panel tab from appearing policy, and disable the Show Input Panel taskbar icon policy, the user w
his policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when hand
onfigure this setting in the Input Panel Options dialog box. If you enable this policy and choose Medium from
configure this setting in the Input Panel Options dialog box. If you disable this policy, users will be able to use b
configure this setting in the Input Panel Options dialog box. If you disable this policy, users will be able to use b
and connectivity with 6to4 will not be available.
me is not resolved successfully, the host will have an ISATAP interface configured with a link-local address. Policy
DP session, the user receives a message that the publisher has been blocked. Note: You can define this policy s
art an RDP session, the user receives a message that the publisher has been blocked. Note: You can define this
and video playback redirection is not allowed, even if audio playback redirection is specified in RDC, or video pla
ecurity\Require user authentication for remote connections by using Network Level Authentication. You can lim
e graphics data will still be compressed. If you disable or do not configure this policy setting, the default RDP co
phics data is not impacted. However, this setting results in a significant increase in network bandwidth consump
omputer account for each RD Session Host server in the farm must be a member of one of the following local gro
ection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server w
on Restrictions policy settings.

ng the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method
pplies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-ou
pplies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-ou
ou enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configu
ember of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Serve
n the remote computer, the lower level of audio playback quality will be used. Audio playback quality can be co
ows Server 2012). The 32-bit color depth format is always used for these connections. 3.For connections from c
he number of connections are not enforced at the Group Policy level. Note: This setting is designed to be used o
cy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting loca
default behavior).
on Host server is not available. If the client has already been issued a temporary RDS CAL and the temporary RD
ws 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. F
(as opposed to SSL encryption) is not recommended. * SSL (TLS 1.0): The SSL method requires the use of TLS 1
etwork Level Authentication is enforced by default. Important: Disabling this policy setting provides less securi
or to the connection, and it will continuously try to adapt the user experience to varying network quality.
ame of the RD Session Host server will be selected. If you disable or do not configure this policy, the certificate
ata sent between the client and the server at the maximum key strength supported by the client. Use this encry
locally on the RD Session Host server. If you disable or do not configure this policy setting, user profiles are sto
ed for authentication.
using an HTML script. If users do not specify an alternate RD Gateway server, the server that you specify in this
rvices creates the user's home directory in the specified location on the local computer or the network. The hom
p Session Host\Session Time Limits\End session when time limits are reached. Note: This policy setting appears
p Session Host\Session Time Limits\End session when time limits are reached. Note: This policy setting appears
imits\End session when time limits are reached. Note: This policy setting appears in both Computer Configurati
imits\End session when time limits are reached. Note: This policy setting appears in both Computer Configurati
or an unlimited amount of time. Note: This policy setting appears in both Computer Configuration and User Con
or an unlimited amount of time. Note: This policy setting appears in both Computer Configuration and User Con
w both PCL and PS if one is not found" - If no suitable driver can be found, show both PS and PCL-based fallback
certificate thumbprint, it is ignored.
n Host server connection fails with an error message. If the status is set to Enabled, Remote Desktop Services s
n Host server connection fails with an error message. If the status is set to Enabled, Remote Desktop Services s
se of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD S
client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" poli
client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" poli
p sessions. For example, the Desktop Experience feature must be installed on the remote computer, and the ma
oteApp programs list when they start a Remote Desktop Services session.
d User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes prec
d User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes prec
m name, and the Configure RD Connection Broker server name policy settings.
value. This setting is appropriate for scenarios which do not depend on preventing reset of the TPManti-hamm
ed policy settings to enforce or ignore the default and local lists of blocked TPM commands.
ommands requiring authorization to the TPM. The Standard User Lockout Total Threshold value is the maximum
may have before the user is not allowed to send commands requiring authorization to the TPM. This value is the
s the file share permissions for the roaming profile at creation time. Note: In the default case, administrators ha
PATH% stores a final backslash and is included for compatibility with earlier systems.
nabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enab
ND the roaming profile folder exists AND the user or administrators group are not the owner of the folder, Wind
fault folders are excluded. Note: You cannot use this policy setting to include the default folders in a roaming us
cy software installation data when those profiles are deleted. Note: If this policy setting is enabled for a machin
m profile size limit specified here is exceeded.
once to unload and update the user's registry settings. It does not try again. Note: This policy setting is particu
g profiles are disabled. Note: This setting only affects roaming profile users.
Vista, the system will ignore the user choice made on the logon screen. Note: This policy setting and related po
path specified by Terminal Services policy 2. Terminal Services roaming profile path specified by the user object
dictate that the user's registry file is to be uploaded at 6pm, it will actually upload at a random time between 6p
not configure this policy setting, the user's home folder is configured as specified in the user's Active Directory D
able this policy the user will have full control over this setting and can turn it off and on. Selecting this option m
k logging on is a priority. Important: If the "Do not detect slow network connections" policy setting is enabled, t
o update BitLocker and BitLocker To Go Reader will be deleted from the drive. In this situation, for the fixed driv
user will be prompted to update BitLocker and BitLocker To Go Reader will be deleted from the drive. In this situ
mputers that do not have a TPM cannot create Network Key Protectors to automatically unlock with Network Un
form validation profile for native UEFI firmware configurations" is enabled and has PCR 7 omitted, Bitlocker will
cker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by the setup
d BitLocker recovery options for the drive are determined by the policy setting. In "Save BitLocker recovery info
on to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the po
cker, instead BitLocker recovery options for the drive are determined by the policy setting. In "Save BitLocker re
sable or do not configure this policy setting, the BitLocker setup wizard will present users with ways to store rec
strongly recommended that you test that the characters you use for the custom message or URL appear correc
ation profile secures the encryption key against changes to the Core Root of Trust of Measurement (CRTM), BIOS
he drive and the computer will instead display the BitLocker Recovery console and require that either the recov
key to unlock the drive and the computer will instead display the BitLocker Recovery console and require that e
l be used instead. Note: The Choose drive encryption method and cipher strength policy setting does not app
ption will be used instead. Note: The Choose drive encryption method and cipher strength policy setting does
on will be used instead. Note: The Choose drive encryption method and cipher strength policy setting does n
ed to validate the complexity the password. When set to "Allow complexity" a connection to a domain controller
omplexity" a connection to a domain controller will be attempted to validate the complexity adheres to the rule
xity the password. When set to "Allow complexity" a connection to a domain controller will be attempted to vali
File Explorer. If you disable this policy setting, users will be prevented from previewing items and get custom th
he computer. By default, users are not prompted for alternate logon credentials when installing programs from
nternet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom
re results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" lin
hen that setting is enabled, users are not prompted for alternate logon credentials on any installation.
w tab of the ribbon" setting in User Configuration\Administrative Templates\Windows Components\File Explorer.
as if you had disabled it. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound echo
as if you had disabled it. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound echo
olicy settings to open the required ports. In the Windows Firewall component of Control Panel, the "File and Print
olicy settings to open the required ports. In the Windows Firewall component of Control Panel, the "File and Print
rewall does not open TCP port 135 or 445. Also, on Windows XP Professional with at least SP2 and Windows Serv
rewall does not open TCP port 135 or 445. Also, on Windows XP Professional with at least SP2 and Windows Serv
s Firewall component of Control Panel, the "Remote Desktop" check box is cleared. Administrators can change t
s Firewall component of Control Panel, the "Remote Desktop" check box is cleared. Administrators can change t
g and Play messages unless an administrator uses other policy settings to open the required ports or enable the
g and Play messages unless an administrator uses other policy settings to open the required ports or enable the
policy setting, Windows Firewall behaves as if the policy setting were disabled.
policy setting, Windows Firewall behaves as if the policy setting were disabled.
t other policy settings can continue to open or block ports. Also, if a local port exceptions list exists, it is ignored
t other policy settings can continue to open or block ports. Also, if a local port exceptions list exists, it is ignored
dministrators to add programs to the local program exceptions list that is defined by the Windows Firewall comp
dministrators to add programs to the local program exceptions list that is defined by the Windows Firewall comp
y default, but administrators can change it.
y default, but administrators can change it.
e this policy setting, users can select the protocols to use on the Network tab. If you disable this policy setting,
ce listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. If
Account Control window and do not need elevated permissions to do either of these tasks. If you do not enable
ule specified below. Specify the schedule using the options in the Group Policy Setting. If no schedule is specifie
ons are not supported. Notifications on the login screen will always show up.
ce, the Automatic Updates client connects directly to the Windows Update site on the Internet. Note: If the "Con
al applications, and Windows Vista users will not be offered detailed notification messages for optional applicati
was released after Windows XP was originally shipped, then you should use the new Automatic Updates setting
ssages about the previous logon or logon failures are not displayed.
hotspots" or "Connect to networks shared by my contacts".

hough users can manually set up Work Folders by using the Work Folders Control Panel item.
16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also no
useful for a web server where applications may be launched several hundred times a second, and the performa
will download files directly from the origin server.
his setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fas
connection is unlimited and is considered to be unrestricted of usage charges and capacity constraints. 0x2 - T
stemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module nam
Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by
Session Host running on host.humanresources.fabrikam.com machine TERMSRV/* Remote Desktop Session Hos
Host running on all machines. TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running
esktop Session Host running on all machines. TERMSRV/*.humanresources.fabrikam.com Remote Desktop Sessi
V/* Remote Desktop Session Host running on all machines. TERMSRV/*.humanresources.fabrikam.com Remote D
the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running o
or specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating defaul
ns for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fre
to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Al
up Policy is deleted, and the one defined by local computer administrators is used. If you do not configure this p
the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting
t be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as rem
y setting determines whether the device can be installed.

mines whether the device can be installed.
nagement Console. Note: For Windows Server systems, this policy setting applies only if the Desktop Experienc
the quota limit.

Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab.
ardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of
ed to an unqualified multi-label name if the original name query fails. If you disable this policy setting, no suffix
in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixe
puter Name tab of the System control panel. Each connection-specific DNS suffix, assigned either through DHCP
DNS suffix, as specified on the Computer Name tab of the System control panel. Each connection-specific DNS
ed on a DNS client computer if dynamic DNS registration is disabled. If you disable this policy setting, or if you
to all network connections used by computers that receive this policy setting. If you disable this policy setting,
Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, t
"": Select this option if you do not want additional files to be collected and included in error reports. - ""Do not c
or solutions to problems. A value of 0 disables the reminder. If you disable or do not configure this policy settin
equested by Microsoft. - 4 (Send all data): Any data requested by Microsoft is sent automatically. If you disable
equested by Microsoft. - 4 (Send all data): Any data requested by Microsoft is sent automatically. If you disable
errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windo
check boxes for these categories are filled in the Default application reporting settings policy setting. If you dis
will be set to the regular recovery behavior. No system or service restarts are required for changes to this policy
nder the same second level domain as the provided enterprise identifier. So, revoking an enterprise ID of mail.co
hat you do not configure the per-machine policy setting.

hat you do not configure the per-machine policy setting.
strictions are based on per-user policies.
strictions are based on per-user policies.
s policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personal
s policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personal
Object Editor snap-in always loads all ADM files from the actual GPO. Note: If the ADMs that you require are not
n" is enabled. If you disable or do not configure this policy setting, detecting a slow network connection will no
all client side extensions. If you disable this setting or do not configure it, Group Policy will evaluate the networ
cies even if the policies have not changed. Many policy implementations specify that they are updated only whe
e not changed. Many policy implementations specify that they are updated only when changed. However, you m
o update unchanged policies, such as reapplying a desired setting in case a user has changed it.
oller before determining that there is no network connectivity. This stops the current Group Policy processing. G
figuration defines a slow link for settings in the User Configuration folder. Also, see the "Do not detect slow netw
figuration defines a slow link for settings in the User Configuration folder. Also, see the "Do not detect slow netw
option updates and reapplies the policies even if the policies have not changed. Many policy implementations s
dates and reapplies the policies even if the policies have not changed. Many policy implementations specify tha
entations specify that they are updated only when changed. However, you might want to update unchanged po
ged. However, you might want to update unchanged policy settings, such as reapplying a desired policies in cas
h user settings apply. Note: This setting is effective only when both the computer account and the user accoun
changed. Many policy implementations specify that they are updated only when changed. However, you might
have not changed. Many policy implementations specify that they are updated only when changed. However, y
n controller before determining that there is no network connectivity. This stops the current Group Policy process
date interval from requesting updates simultaneously, the system varies the update interval for each client by a
of minutes. The number you type in the random time box sets the upper limit for the range of variance. For exa
sly, the system varies the update interval for each client by a random number of minutes. The number you type
es the preference items even if the preference items have not changed. Many policy implementations specify th
his preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Plan
applies the preference items even if the preference items have not changed. Many policy implementations spec
n this preference extension when you perform a Group Policy Modeling query, you must provide a path in the "P
ence items even if the preference items have not changed. Many policy implementations specify that they are u
e extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace" b
s the preference items even if the preference items have not changed. Many policy implementations specify tha
preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Plannin
n updates and reapplies the preference items even if the preference items have not changed. Many policy imple
this preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Pla
even if the preference items have not changed. Many policy implementations specify that they are updated on
n when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace" box to the l
Policy objects have not changed" option updates and reapplies the preference items even if the preference item
ms in this preference extension when you perform a Group Policy Modeling query, you must provide a path in th
ce items even if the preference items have not changed. Many policy implementations specify that they are upd
extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace" box
rence items even if the preference items have not changed. Many policy implementations specify that they are
extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace" bo
the preference items even if the preference items have not changed. Many policy implementations specify tha
e not changed" option updates and reapplies the preference items even if the preference items have not chang
uery tracing: To perform tracing for items in this preference extension when you perform a Group Policy Modelin
cy objects have not changed" option updates and reapplies the preference items even if the preference items ha
for items in this preference extension when you perform a Group Policy Modeling query, you must provide a pat
s and reapplies the preference items even if the preference items have not changed. Many policy implementatio
items in this preference extension when you perform a Group Policy Modeling query, you must provide a path i
s have not changed" option updates and reapplies the preference items even if the preference items have not c
ms in this preference extension when you perform a Group Policy Modeling query, you must provide a path in th
Group Policy objects have not changed" option updates and reapplies the preference items even if the preferenc
ates and reapplies the preference items even if the preference items have not changed. Many policy implement
g for items in this preference extension when you perform a Group Policy Modeling query, you must provide a pa
ference items even if the preference items have not changed. Many policy implementations specify that they ar
ce extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace"
objects have not changed" option updates and reapplies the preference items even if the preference items have
or items in this preference extension when you perform a Group Policy Modeling query, you must provide a path
erence items even if the preference items have not changed. Many policy implementations specify that they are
ce extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace"
reference items even if the preference items have not changed. Many policy implementations specify that they
erence extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning tra
s the preference items even if the preference items have not changed. Many policy implementations specify tha
preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Plannin
nce extensions under Control Panel Settings for Computer Configuration unless restricted by the "Restrict users
under Control Panel Settings for User Configuration unless restricted by the "Restrict users to the explicitly perm
a link to a Help topic, and runs a WinHLP32.exe Help (.hlp) file. To disallow the "Shortcut" and "WinHelp" comm
er a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the
er a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the
copy, or paste operations from the Clipboard. If you do not configure this policy setting, current values of the U
copy, or paste operations from the Clipboard. If you do not configure this policy setting, current values of the U
ger (unless its value has been set to allow user management - see the 'Add-on List' policy for more details).
ger (unless its value has been set to allow user management - see the 'Add-on List' policy for more details).
d Mode websites will run in Enhanced Protected Mode. If you disable or do not configure this policy setting, Inte
d Mode websites will run in Enhanced Protected Mode. If you disable or do not configure this policy setting, Inte
to Automatic logon only in Intranet zone.
to Automatic logon with current username and password.
to Prompt for username and password.
dministrator Approved.
not be affected by add-on management user preferences or policy settings (unless "All Processes" is enabled).
not be affected by add-on management user preferences or policy settings (unless "All Processes" is enabled).
le or do not configure this policy setting, the security feature is allowed.

le or do not configure this policy setting, the security feature is allowed.
ty feature is allowed.
ty feature is allowed.
this value by using the registry key. Note: On Terminal Server, the default value is the integer 1.
this value by using the registry key. Note: On Terminal Server, the default value is the integer 1.
uename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuenam
uename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuenam
n List" policy settings and not through this policy setting, all applications that use Internet Explorer technology t
n List" policy settings and not through this policy setting, all applications that use Internet Explorer technology t
es, but newer content written to common Internet standards may be displayed incorrectly. This option matches
es, but newer content written to common Internet standards may be displayed incorrectly. This option matches
tion messages will not use these features. If you configure "Supported", the domain controller supports claims,
al registry, if they exist.

the policy is applied. The file servers are then able to create content information for all content that is stored in
e authenticated access."
before logging the user on. If a user has never logged on to this computer before, computers always wait for th
o not enable any settings in the Restricted/Permitted snap-ins folder, users cannot use any MMC snap-ins.
s policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is p
he Group Policy tab is inaccessible, it does not appear in the site, domain, or organizational unit property sheet
gnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenari
setting is not guaranteed to be secure.

setting is not guaranteed to be secure.
ou do not configure this policy setting, the recovery behavior for corrupted files will be set to the default recover
n of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\mysh
tranet and has correctly determined its network location, the Disconnect option has no effect because the rules
dically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid e
fail. If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the def
gon share with only read permission will be able to deny Group Policy clients from reading the files, and in gene
only read permission will be able to deny Group Policy clients from reading the files, and in general the availabil
Site SRV _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName> Rfc1510Kdc SRV _kerberos._

rds, click Enabled, and then enter a value larger than 1800. This value specifies the Refresh Interval of the DC re
used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site
when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will only
to any computers, and computers use their local configuration.
change properties of all-user remote access connections. Note: This setting takes precedence over settings that
ortant: When enabled, the "Prohibit deletion of remote access connections" setting takes precedence over this s
t Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote acces
dialog box for a connection but not to make changes, regardless of this setting.
mponents have configurable properties. For components that are not configurable, the Properties button is alwa
bility to change properties of an all user remote access connection" or "Prohibit changing properties of a private
xplorer, to bypass this setting.
General tab for LAN connections and on the Networking tab for remote access connections. Note: When the "Pro
menu. Note: This setting takes precedence over settings that manipulate the availability of features in the Rem
te all user remote access connections" setting is ignored. Note: LAN connections are created and deleted autom
vanced configuration for a LAN connection, regardless of this setting. Tip: To open the Advanced TCP/IP Setting d
sabled. Note: If you enable the "Windows Firewall: Protect all network connections" policy setting, the "Prohibit u
disabled when you create a remote access connection, but administrators can use the Advanced tab to enable
ed, and then select an option in the "When a network connection is lost" section. Also, see the "Non-default ser
ed, and then select an option in the "When a network connection is lost" section. Also, see the "Non-default ser
mode at a default interval with the start of the sync varying between 0 and 60 additional minutes. In Windows 7
If you do not configure this policy setting, computers running Windows Vista or Windows Server 2008 will not t
unt of disk space to use for temporary offline files" option.
e files will be not be transparently cached on client computers.

t it is fully encrypted. The cache does not return to the unencrypted state. The user must be an administrator on
out setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, an
out setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, an
This setting corresponds to the "Enable reminders" check box.

This setting corresponds to the "Enable reminders" check box.
g; insert the fully qualified domain name or IPv6 address of the corporate seed server, leave the checkbox unch
ent computers. Because the domain Group Policy setting is not configured, it will not over-write the latency sett
t is included with their operating system. In circumstances where this setting is enabled, you can also select an
fied in this policy setting and do not use the hosted cache server that is configured in the policy setting "Set Bra
d policy settings are applied, the client computer performs automatic hosted cache server discovery. If one or m
licy setting is enabled in domain Group Policy, the BranchCache client computer cache age that you specify in t
d cache mode is enabled for all client computers where the policy is applied. For example, if this policy is enable
e on individual client computers where you want to enable BranchCache. - Enabled. With this selection, BranchC
ers where the policy is applied. For example, if Set percentage of disk space used for client computer cache is e
if this policy is enabled in domain Group Policy, BranchCache is turned on for all domain member client comput
rvice is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed.
en the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scen
licy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is s
when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic s
puter Configuration policy setting takes precedence over the User Configuration policy setting.
puter Configuration policy setting takes precedence over the User Configuration policy setting.
ecedence over the User Configuration policy setting.

ecedence over the User Configuration policy setting.
f printers to display to 0.
ses the custom print processor may not be installed on the client machine, such as when the print server does n
Templates\Windows Components\Windows Explorer, and by the "Enable Active Desktop" setting in User Configu
003 and Windows XP client computers can create a printer connection to any server in their forest using Point an
003 and Windows XP client computers can create a printer connection to any server in their forest using Point an
atically republished only when the print server responds, but the printer is unavailable. -- "Whenever printer is
e "Install a program from the network" task to the "Get Programs" page will be available to all users. Note: If th
hen the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic sce
Server.
<Domain Name>\<Group Name> If you enable this policy setting, you should also enable firewall exceptions t
tations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on you
support delegation. -- "On" directs the RPC Runtime to accept security contexts that do not support delegatio
C to maintain basic state information on the computer, regardless of its capacity. -- "Full" directs RPC to maintai
ded Error Information Exception field. -- "Off with Exceptions" disables extended error information, but lets you
ate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by
ble this policy setting, and the IIS server running the RPC HTTP proxy is configured with a lower idle connection t
hich computer startup and shutdown scripts are run within all applicable GPOs. You can override this policy sett
override this policy setting for specific script types within a specific GPO by configuring the following policy set
override this policy setting for specific script types within a specific GPO by configuring the following policy set
o not configure this setting the system lets the combined set of scripts run for up to 600 seconds (10 minutes).
uler service can be configured with the Services snap-in to the Microsoft Management Console.
s will create a placeholder entry that is ignored by the program.

urity Center might not be available following a change to this policy setting until after the computer is restarted
no effect if the SNMP agent is not installed on the client computer. Also, see the other two SNMP settings: "Spec
played in the Open dialog box. See the "Hide the dropdown list of recent files" setting. This policy also does not
If you enable this setting, but then later disable it or set it to Not Configured, the document shortcuts saved be
r icon policy, the user will then have no way to access Input Panel.
r icon policy, the user will then have no way to access Input Panel.
nition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink
choose Medium from the drop-down box, password security is set to Medium. At this setting, when users e
users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will
users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will
link-local address. Policy Disabled State: No ISATAP interfaces are present on the host.
ou can define this policy setting in the Computer Configuration node or in the User Configuration node. If you co
Note: You can define this policy setting in the Computer Configuration node or in the User Configuration node. If
ified in RDC, or video playback is specified in the .rdp file. If you do not configure this policy setting audio and v
hentication. You can limit the number of users who can connect simultaneously by configuring the policy settin
etting, the default RDP compression algorithm will be used.
work bandwidth consumption. We recommend that you set this for very specific cases only. If you disable or do
of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker
D Session Host server when the client cannot authenticate the RD Session Host server.
authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a s
does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in b
does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in b
r farm name and Configure RD Connection Broker server name policy settings. 2. For Windows Server 2008, thi
the RDS Endpoint Servers group when the license server is a member of a domain.
layback quality can be configured on the client computer by using the audioqualitymode setting in a Remote De
3.For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are
is designed to be used on RD Session Host servers (that is, on servers running Windows with Remote Desktop S
erver" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles i
AL and the temporary RDS CAL has expired, the client will not be able to connect to the RD Session Host server
or a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the
requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection f
ting provides less security because user authentication will occur later in the remote connection process.
network quality.
his policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certifi
the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.
ting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the
r that you specify in this policy setting is used by default. Note: If you disable or do not configure this policy set
or the network. The home directory path for each user is the specified Home Dir Root Path and the user's alias.
his policy setting appears in both Computer Configuration and User Configuration. If both policy settings are con
his policy setting appears in both Computer Configuration and User Configuration. If both policy settings are con
th Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configu
th Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configu
nfiguration and User Configuration. If both policy settings are configured, the Computer Configuration policy set
nfiguration and User Configuration. If both policy settings are configured, the Computer Configuration policy set
S and PCL-based fallback printer drivers. If you disable this policy setting, the RD Session Host server fallback d
mote Desktop Services sessions automatically run the specified program and use the specified Working Directo
mote Desktop Services sessions automatically run the specified program and use the specified Working Directo
ect by IP address to RD Session Host servers in the load-balanced farm. If you do not configure this policy settin
t printer driver first" policy setting is ignored.

t printer driver first" policy setting is ignored.
te computer, and the maximum color depth on the remote computer must be set to 32 bits per pixel. Also, the T
policy setting takes precedence.

policy setting takes precedence.
et of the TPManti-hammering logic or changing the TPM owner authorization value. Some TPM-based applicat
old value is the maximum total number of authorization failures all standard users may have before all standard
e TPM. This value is the maximum total number of authorization failures all standard users may have before all
lt case, administrators have no file access to the user's profile, but they may still take ownership of this folder to
es" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slo
owner of the folder, Windows will not copy files to or from the roaming folder. The user will be shown an error me
lt folders in a roaming user profile.

g is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Polic
s policy setting is particularly important to servers running Remote Desktop Services. Because Remote Desktop
cy setting and related policy settings in this folder define the system's response when roaming user profiles are
cified by the user object 3. A per-computer roaming profile path specified in this policy 4. A per-user roaming p
random time between 6pm and 7pm. Note: If "Run at set interval" is selected, the "Time of day" option is disre
user's Active Directory Domain Services account. If the "Set Remote Desktop Services User Home Directory" p
. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps t
olicy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" poli
uation, for the fixed drive to be unlocked on computers running Windows Server 2008, Windows Vista, Windows
om the drive. In this situation, for the removable drive to be unlocked on computers running Windows Server 20
unlock with Network Unlock. If you disable or do not configure this policy setting, BitLocker clients will not be a
7 omitted, Bitlocker will be prevented from using Secure Boot for platform or Boot Configuration Data (BCD) inte
d specified by the setup script.
e BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery informa
are determined by the policy setting. In "Save BitLocker recovery information to Active Directory Domain Servic
ng. In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recov
ers with ways to store recovery options. Note: If Trusted Platform Module (TPM) initialization is needed during th
age or URL appear correctly on the pre-boot recovery screen.

asurement (CRTM), BIOS, and Platform Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Reco
uire that either the recovery password or recovery key be provided to unlock the drive. If you disable or do not
onsole and require that either the recovery password or recovery key be provided to unlock the drive. If you di
olicy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based en
ngth policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-b
th policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-ba
on to a domain controller will be attempted to validate the complexity adheres to the rules set by the policy, bu
exity adheres to the rules set by the policy, but if no domain controllers are found the password will still be acce
will be attempted to validate the complexity adheres to the rules set by the policy, but if no domain controllers
items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. If you do not
installing programs from a network share. If enabled, this setting overrides the "Request credentials for network
d by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Polic
"Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by defau
ny installation.
omponents\File Explorer.
wall allows inbound echo requests, even if the "Windows Firewall: Allow ICMP exceptions" policy setting would blo
wall allows inbound echo requests, even if the "Windows Firewall: Allow ICMP exceptions" policy setting would blo
Panel, the "File and Printer Sharing" check box is cleared. Administrators can change this check box. Note: If an
Panel, the "File and Printer Sharing" check box is cleared. Administrators can change this check box. Note: If an
st SP2 and Windows Server 2003 with at least SP1, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from
st SP2 and Windows Server 2003 with at least SP1, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from
ministrators can change this check box."
ministrators can change this check box."
uired ports or enable the required programs. In the Windows Firewall component of Control Panel, the "UPnP fra
uired ports or enable the required programs. In the Windows Firewall component of Control Panel, the "UPnP fra
ns list exists, it is ignored unless you enable the "Windows Firewall: Allow local port exceptions" policy setting. I
ns list exists, it is ignored unless you enable the "Windows Firewall: Allow local port exceptions" policy setting. I
e Windows Firewall component in Control Panel, also enable the "Windows Firewall: Allow local program exceptio
e Windows Firewall component in Control Panel, also enable the "Windows Firewall: Allow local program exceptio
sable this policy setting, the Protocols for MMS URLs and Multicast streams areas of the Network tab are not ava
n the filter are ignored. If the filter is left blank, the service does not listen on any addresses. For example, if yo
sks. If you do not enable this policy setting, then users will always see an Account Control window and require e
If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any updates
nternet. Note: If the "Configure Automatic Updates" policy is disabled, then this policy has no effect. Note: This
ges for optional applications or updates. By default, this policy setting is disabled. If you are not using the Micr
utomatic Updates settings located at: 'Computer Configuration / Administrative Templates / Windows Update'
un. If that value is also not present, on Windows 10 and above the OS will launch the 16-bit application support c
econd, and the performance of the loader is essential. NOTE: Many system processes cache the value of this se
client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
acity constraints. 0x2 - The usage of this connection is unrestricted up to a certain data limit 0x4 - The usage o
nonical and module names can be found in MSDN by searching "Control Panel items". If both the "Hide specifie
can be found in MSDN by searching "Control Panel items". If both the "Hide specified Control Panel items" setti
ote Desktop Session Host running on all machines. TERMSRV/*.humanresources.fabrikam.com Remote Desktop
top Session Host running on all machines in .humanresources.fabrikam.com

m Remote Desktop Session Host running on all machines in humanresources.fabrikam.com
s.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com
p Session Host running on host.humanresources.fabrikam.com machine TERMSRV/* Remote Desktop Session Ho
"Allow delegating default credentials" server list.
he "Allow delegating fresh credentials" server list.
ard characters in the "Allow delegating saved credentials" server list.
ou do not configure this policy setting, the appid exemption list defined by local computer administrators is used
here, even if this setting is enabled.

"Disabled" as well as remove the security functionality from each computer, with a physically present user, in o
if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed
n click the Quota tab.

sonable for the range of volumes in the group. This policy setting is effective only when disk quota managemen
is policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fai
is successful or all suffixes are tried. If you disable this policy setting, or if you do not configure this policy settin
ned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced
connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection b
s policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and P
isable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supp
iver has been disabled, this setting has no effect and all boot-start drivers are initialized.
rror reports. - ""Do not collect additional computer data"": Select this if you do not want additional information
onfigure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at
matically. If you disable or do not configure this policy setting, then the default consent settings that are applie
matically. If you disable or do not configure this policy setting, then the default consent settings that are applie
setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to
policy setting. If you disable or do not configure this policy setting, the Default application reporting settings po
or changes to this policy to take immediate effect after a Group Policy refresh. Note: This policy setting will tak
n enterprise ID of mail.contoso.com will revoke the users access to all content protected under the contoso.com
, if handwriting personalization is turned on. If you do not configure this policy, users can choose to enable or d
, if handwriting personalization is turned on. If you do not configure this policy, users can choose to enable or d
that you require are not all available locally in your %windir%\inf directory, you might not be able to see all the
etwork connection will not affect whether Group Policy processing will be synchronous or asynchronous.
will evaluate the network connection as a slow link and process only those client side extensions configured to
ey are updated only when changed. However, you might want to update unchanged policies, such as reapplying
hanged. However, you might want to update unchanged policies, such as reapplying a desired setting in case a
hanged it.
oup Policy processing. Group Policy will run in the background the next time a connection to a domain controller
"Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templ
"Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templ
policy implementations specify that they are updated only when changed. However, you might want to update u
lementations specify that they are updated only when changed. However, you might want to update unchange
to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
a desired policies in case a user has changed it.

unt and the user account are in at least Windows 2000 domains.
ed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user
hen changed. However, you might want to update unchanged policies, such as reapplying a desired setting in ca
rent Group Policy processing. Group Policy will run in the background the next time a connection to a domain co
erval for each client by a random number of minutes. The number you type in the random time box sets the upp
ange of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing
es. The number you type in the random time box sets the upper limit for the range of variance. For example, if y
plementations specify that they are updated only when changed. However, you might want to update unchang
rovide a path in the "Planning trace" box to the location where a planning trace file can be created on the comp
cy implementations specify that they are updated only when changed. However, you might want to update unc
t provide a path in the "Planning trace" box to the location where a planning trace file can be created on the co
ns specify that they are updated only when changed. However, you might want to update unchanged preference
in the "Planning trace" box to the location where a planning trace file can be created on the computer where yo
plementations specify that they are updated only when changed. However, you might want to update unchange
ide a path in the "Planning trace" box to the location where a planning trace file can be created on the compute
nged. Many policy implementations specify that they are updated only when changed. However, you might wan
provide a path in the "Planning trace" box to the location where a planning trace file can be created on the com
that they are updated only when changed. However, you might want to update unchanged preference items, su
nning trace" box to the location where a planning trace file can be created on the computer where you run mod
ven if the preference items have not changed. Many policy implementations specify that they are updated only w
must provide a path in the "Planning trace" box to the location where a planning trace file can be created on the
specify that they are updated only when changed. However, you might want to update unchanged preference i
the "Planning trace" box to the location where a planning trace file can be created on the computer where you
ns specify that they are updated only when changed. However, you might want to update unchanged preferenc
n the "Planning trace" box to the location where a planning trace file can be created on the computer where you
ementations specify that they are updated only when changed. However, you might want to update unchanged
ce items have not changed. Many policy implementations specify that they are updated only when changed. Ho
m a Group Policy Modeling query, you must provide a path in the "Planning trace" box to the location where a pl
f the preference items have not changed. Many policy implementations specify that they are updated only whe
y, you must provide a path in the "Planning trace" box to the location where a planning trace file can be created
any policy implementations specify that they are updated only when changed. However, you might want to upd
ou must provide a path in the "Planning trace" box to the location where a planning trace file can be created on
erence items have not changed. Many policy implementations specify that they are updated only when change
must provide a path in the "Planning trace" box to the location where a planning trace file can be created on the
ems even if the preference items have not changed. Many policy implementations specify that they are updated
d. Many policy implementations specify that they are updated only when changed. However, you might want to
y, you must provide a path in the "Planning trace" box to the location where a planning trace file can be created
tions specify that they are updated only when changed. However, you might want to update unchanged prefere
h in the "Planning trace" box to the location where a planning trace file can be created on the computer where y
he preference items have not changed. Many policy implementations specify that they are updated only when c
, you must provide a path in the "Planning trace" box to the location where a planning trace file can be created
ons specify that they are updated only when changed. However, you might want to update unchanged preferen
h in the "Planning trace" box to the location where a planning trace file can be created on the computer where
tations specify that they are updated only when changed. However, you might want to update unchanged prefe
path in the "Planning trace" box to the location where a planning trace file can be created on the computer whe
lementations specify that they are updated only when changed. However, you might want to update unchanged
de a path in the "Planning trace" box to the location where a planning trace file can be created on the computer
ed by the "Restrict users to the explicitly permitted list of snap-ins" policy setting or any "Permit use of <extens
ers to the explicitly permitted list of snap-ins" policy setting or any "Permit use of <extension name> preference
cut" and "WinHelp" commands on the entire local system, enable the policy setting and leave the text box on th
the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. If you disable this polic
the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. If you disable this polic
g, current values of the URL action for an application or process in the list prevail.
g, current values of the URL action for an application or process in the list prevail.
icy for more details).
icy for more details).
e this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible A
e this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible A
Processes" is enabled).
Processes" is enabled).
nteger 1.
nteger 1.
oso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protoco
oso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protoco
net Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settin
net Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settin
ctly. This option matches the default behavior of Internet Explorer.
ctly. This option matches the default behavior of Internet Explorer.
ntroller supports claims, compound authentication and Kerberos armoring. The domain controller advertises to
content that is stored in BranchCache-enabled file shares. - Disabled. With this selection, hash publication is tu
mputers always wait for the network to be initialized. If you enable this policy setting, computers wait for the ne
any MMC snap-ins.
ted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a
onal unit property sheets.
abled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Micro
set to the default recovery behavior. No system or service restarts are required for changes to this policy setting
es: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt. You must configure this setting t
effect because the rules for DirectAccess are already removed from the NRPT. If this setting is not configured, u
conds (1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 42949
C address. This is the default behavior of the DC Locator.
ng the files, and in general the availability of the Netlogon share on the domain will be decreased. If you enabl
d in general the availability of the SYSVOL share on the domain will be decreased. If you enable this policy setti
Kdc SRV _kerberos._tcp.<DnsDomainName> Rfc1510KdcAtSite SRV _kerberos._tcp.<SiteName>._sites.<

resh Interval of the DC records in seconds (for example, the value 3600 is 60 minutes). If you do not configure
tly, the Next Closest Site behavior will be used.
olicy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Activ
edence over settings that manipulate the availability of features inside the Remote Access Connection Properties
es precedence over this setting. Users (including administrators) cannot delete any remote access connections,
an all user remote access connection", "Prohibit changing properties of a private remote access connection", "P
Properties button is always disabled. Note: When the "Prohibit access to properties of a LAN connection" settin
ng properties of a private remote access connection" settings are set to deny access to the Remote Access Conn
ons. Note: When the "Prohibit access to properties of a LAN connection", "Ability to change properties of an all u
ity of features in the Remote Access Connection Properties dialog box. If this setting is enabled, nothing within t
eated and deleted automatically when a LAN adapter is installed or removed. You cannot use the Network Conn
Advanced TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Pr
cy setting, the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting has no
Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators
see the "Non-default server disconnect actions" setting.
see the "Non-default server disconnect actions" setting.
al minutes. In Windows 7 and Windows Server 2008 R2, the default sync interval is 360 minutes. In Windows 8 a
ws Server 2008 will not transition a shared folder to the slow-link mode. Computers running Windows 7 or Wind
st be an administrator on the local computer to encrypt or decrypt the Offline Files cache. Note: By default, this
k the Offline Files tab, and then select the "Synchronize all offline files before logging on" option.
k the Offline Files tab, and then select the "Synchronize all offline files before logging on" option.
leave the checkbox unchecked. This is the setting which will allow your mobile users to use peer to peer applica
er-write the latency setting that you use on individual client computers. - Enabled. With this selection, the Bran
d, you can also select and configure the following option: Select from the following versions - Windows Vista w
he policy setting "Set BranchCache Hosted Cache Mode." If you do not configure this policy setting, or if you di
er discovery. If one or more hosted cache servers is found, the client computer self-configures for hosted cache
age that you specify in the policy is turned on for all domain member client computers to which the policy is ap
le, if this policy is enabled in domain Group Policy, BranchCache distributed cache mode is turned on for all dom
th this selection, BranchCache hosted cache mode is enabled for all client computers where the policy is applie
ient computer cache is enabled in domain Group Policy, the BranchCache client computer cache setting that yo
n member client computers to which the policy is applied. - Disabled. With this selection, BranchCache is turne
ios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Co
disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the
te. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configur
d or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to
en the print server does not support transferring print processors during point-and-print. In the case of a print pr
p" setting in User Configuration\Administrative Templates\Desktop\Active Desktop.
their forest using Point and Print. If you disable this policy setting: -Windows Vista client computers can create
their forest using Point and Print. If you disable this policy setting: -Windows Vista client computers can create
-- "Whenever printer is not found" prunes printer objects that are not automatically republished whenever the
e to all users. Note: If the "Hide Programs Control Panel" setting is enabled, this setting is ignored.
r disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to th
able firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer
tions. Depending on your email program, you can use either the Mailto standard (the invitation recipient connec
do not support delegation even if delegation was asked for. Note: This policy setting will not be applied until the
ll" directs RPC to maintain complete RPC state information on the system, regardless of its capacity. Because th
information, but lets you enable it for selected processes. To enable extended error information for a process wh
sted to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selecte
a lower idle connection timeout, the timeout on the IIS server is used. Otherwise, the provided timeout value is
n override this policy setting for specific script types within a specific GPO by configuring the following policy set
g the following policy settings for the GPO: User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff
g the following policy settings for the GPO: User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff
0 seconds (10 minutes). This is the default.
he computer is restarted for Windows XP SP2 computers. Windows Vista --------------------- In Windows Vista, thi
wo SNMP settings: "Specify permitted managers" and "Specify trap configuration".
This policy also does not clear items that the user may have pinned to the Jump Lists, or Tasks that the applicat
ment shortcuts saved before the setting was enabled reappear in the Recent Items menu and program File men
re this setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista).
his setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switc
h-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. If you do no
h-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. If you do no
figuration node. If you configure this policy setting for the computer, all users on the computer are affected.
er Configuration node. If you configure this policy setting for the computer, all users on the computer are affecte
policy setting audio and video playback redirection is not specified at the Group Policy level.
figuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote D
nly. If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mecha
mputers, Session Broker Computers, or RDS Endpoint Servers.

abled on the client or a smart card can be used. To allow users to overwrite this policy setting, select the "Allow
This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the
This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the
Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
e setting in a Remote Desktop Protocol (.rdp) file. By default, audio playback quality is set to Dynamic. If you d
earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the min
ws with Remote Desktop Session Host role service installed).
es\System\User Profiles is enabled.
e RD Session Host server unless the RD Licensing grace period for the RD Session Host server has not expired.
will be prompted on the client computer to provide credentials for a remote connection.
pported, the connection fails. This is the recommended setting for this policy. If you disable or do not configure
onnection process.
fault, a self-signed certificate is used to authenticate the RD Session Host server. Note: If you select a specific c
pport 128-bit encryption. * Low: The Low setting encrypts only data sent from the client to the server by using 5
user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. Not
configure this policy setting, but enable the "Enable connections through RD Gateway" policy setting, client co
Path and the user's alias. If the status is set to Disabled or Not Configured, the user's home directory is as speci
th policy settings are configured, the Computer Configuration policy setting takes precedence.
th policy settings are configured, the Computer Configuration policy setting takes precedence.
d, the Computer Configuration policy setting takes precedence.
d, the Computer Configuration policy setting takes precedence.
Configuration policy setting takes precedence.
Configuration policy setting takes precedence.
on Host server fallback driver is disabled and the RD Session Host server will not attempt to use the fallback pri
pecified Working Directory (or the program default directory, if Working Directory is not specified) as the workin
pecified Working Directory (or the program default directory, if Working Directory is not specified) as the workin
onfigure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group polic
bits per pixel. Also, the Themes service must be started on the remote computer. If you disable or do not confi
ome TPM-based applications may require this setting be changed before features which depend on the TPMant
have before all standard users are not allowed to send commands requiring authorization to the TPM. The TPM
sers may have before all standard users are not allowed to send commands requiring authorization to the TPM.
wnership of this folder to grant themselves file permissions. Note: The behavior when this policy setting is ena
the system detects a slow connection.
will be shown an error message and an entry will be written to the event log. The user's cached profile will be us
ws Installer or Group Policy software installation data stored in the registry and file system of roaming users' profi
ecause Remote Desktop Services edits the users' registry settings when they log off, the system's first few atte
oaming user profiles are slow to download. To adjust the time within which the user must respond to this notice
y 4. A per-user roaming profile path specified in the user object

me of day" option is disregarded. Likewise, if "Run at set time of day" is chosen, the "Interval (hours)" option is d
User Home Directory" policy setting is enabled, the Set user home folder policy setting has no effect.
or line of business apps that depend on the domain information protected by this setting to connect with netwo
of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the syst
Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the
nning Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Rea
ocker clients will not be able to create and use Network Key Protectors. Note: For reliability and security, compu
figuration Data (BCD) integrity validation. Warning: Disabling this policy may result in BitLocker recovery when
tLocker recovery information to store in AD DS for fixed data drives. If you select "Backup recovery password an
Directory Domain Services", choose which BitLocker recovery information to store in AD DS for operating system
se which BitLocker recovery information to store in AD DS for removable data drives. If you select "Backup reco
ation is needed during the BitLocker setup, TPM owner information will be saved or printed with the BitLocker re
2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the
If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the
nlock the drive. If you disable or do not configure this policy setting, BitLocker uses the default platform validati
ed by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm c
ithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algo
hm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algori
ules set by the policy, but if no domain controllers are found the password will still be accepted regardless of act
password will still be accepted regardless of actual password complexity and the drive will be encrypted using th
if no domain controllers are found the password will still be accepted regardless of actual password complexity
e Explorer. If you do not configure this policy setting, users can preview items and get custom thumbnails from
e Explorer. If you do not configure this policy setting, users cannot preview items or get custom thumbnails from
st credentials for network installations" setting.

arch provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared
link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provid
" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow fi
" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow fi
his check box. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo reque
his check box. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo reque
T.EXE and LSASS.EXE from receiving unsolicited incoming messages, and prevents hosted services from opening
T.EXE and LSASS.EXE from receiving unsolicited incoming messages, and prevents hosted services from opening
ntrol Panel, the "UPnP framework" check box is cleared. Administrators can change this check box."
ntrol Panel, the "UPnP framework" check box is cleared. Administrators can change this check box."
eptions" policy setting. If you do not configure this policy setting, Windows Firewall uses only the local port exce
eptions" policy setting. If you do not configure this policy setting, Windows Firewall uses only the local port exce
w local program exceptions" policy setting. If you disable this policy setting, the program exceptions list defined
w local program exceptions" policy setting. If you disable this policy setting, the program exceptions list defined
Network tab are not available and the Player cannot receive an MMS or RTSP stream from a Windows Media ser
sses. For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty. Ranges
rol window and require elevated permissions to do either of these tasks. On Windows 7 : This policy setting has
3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer autom
has no effect. Note: This policy is not supported on Windows RT. Setting this policy will not have any effect on W
ou are not using the Microsoft Update service, then the Software Notifications policy setting has no effect. If the
tes / Windows Update'
-bit application support control panel to allow an elevated administrator to make the decision; on windows 7 an
cache the value of this setting for performance reasons. If you make changes to this setting, please reboot to en
slow link (56Kbs).
a limit 0x4 - The usage of this connection is unrestricted up to a certain data limit and plan usage is less than 8
f both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting
ontrol Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show on
am.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
es.fabrikam.com
mote Desktop Session Host running on all machines. TERMSRV/*.humanresources.fabrikam.com Remote Deskto
ter administrators is used. Notes: The DCOM Activation security check is done after a DCOM server process is s
ysically present user, in order to clear configuration persisted in UEFI. The "Enabled without lock" option allows
rvices role is not installed.

n disk quota management is enabled on the volume. Also, if disk quotas are not enforced, users can exceed the
e original name query fails. If you do not configure this policy setting, computers will use their local DNS client s
onfigure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended
NS tab in the Advanced TCP/IP Settings dialog box for each connection. For example, when a user submits a qu
uffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection. For
not register any A and PTR resource records using a connection-specific DNS suffix.
se the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to
nt additional information about the computer to be collected and included in error reports. - ""Force queue mod
can only send reports at the time that a problem occurs.

t settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent p
t settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent p
categories were added to the list in this policy setting. (Note: The Microsoft applications category includes the W
tion reporting settings policy setting takes precedence.

his policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state. When the
d under the contoso.com hierarchy.
an choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Cont
an choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Cont
not be able to see all the settings that have been configured in the GPO that you are editing.
or asynchronous.
extensions configured to process over a slow link.
licies, such as reapplying a desired setting in case a user has changed it.
desired setting in case a user has changed it.
on to a domain controller is established. Setting this value too high might result in longer waits for the user at b
on\Administrative Templates\System\User Profile. Note: If the profile server has IP connectivity, the connection s
on\Administrative Templates\System\User Profile. Note: If the profile server has IP connectivity, the connection s
u might want to update unchanged policies, such as reapplying a desired policy setting in case a user has chang
ant to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
er has changed it.
ed setting in case a user has changed it.

ng a desired setting in case a user has changed it.
onnection to a domain controller is established. Setting this value too high might result in longer waits for the us
om time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system sele
0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that update requests
ariance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large n
want to update unchanged preference items, such as reapplying a desired preference setting in case a user has
be created on the computer where you run modeling, and you must turn on the "Tracing" option. If you are not
might want to update unchanged preference items, such as reapplying a desired preference setting in case a use
can be created on the computer where you run modeling, and you must turn on the "Tracing" option. If you are n
te unchanged preference items, such as reapplying a desired preference setting in case a user has changed it.
n the computer where you run modeling, and you must turn on the "Tracing" option. If you are not performing G
want to update unchanged preference items, such as reapplying a desired preference setting in case a user has
created on the computer where you run modeling, and you must turn on the "Tracing" option. If you are not per
However, you might want to update unchanged preference items, such as reapplying a desired preference sett
n be created on the computer where you run modeling, and you must turn on the "Tracing" option. If you are no
ged preference items, such as reapplying a desired preference setting in case a user has changed it.
puter where you run modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy
t they are updated only when changed. However, you might want to update unchanged preference items, such
file can be created on the computer where you run modeling, and you must turn on the "Tracing" option. If you a
unchanged preference items, such as reapplying a desired preference setting in case a user has changed it.
the computer where you run modeling, and you must turn on the "Tracing" option. If you are not performing Gro
ate unchanged preference items, such as reapplying a desired preference setting in case a user has changed it.
the computer where you run modeling, and you must turn on the "Tracing" option. If you are not performing Gr
ant to update unchanged preference items, such as reapplying a desired preference setting in case a user has c
d only when changed. However, you might want to update unchanged preference items, such as reapplying a d
o the location where a planning trace file can be created on the computer where you run modeling, and you mu
ey are updated only when changed. However, you might want to update unchanged preference items, such as r
trace file can be created on the computer where you run modeling, and you must turn on the "Tracing" option. I
r, you might want to update unchanged preference items, such as reapplying a desired preference setting in ca
ce file can be created on the computer where you run modeling, and you must turn on the "Tracing" option. If y
dated only when changed. However, you might want to update unchanged preference items, such as reapplying
le can be created on the computer where you run modeling, and you must turn on the "Tracing" option. If you a
ify that they are updated only when changed. However, you might want to update unchanged preference items
ever, you might want to update unchanged preference items, such as reapplying a desired preference setting in
g trace file can be created on the computer where you run modeling, and you must turn on the "Tracing" option.
pdate unchanged preference items, such as reapplying a desired preference setting in case a user has changed
on the computer where you run modeling, and you must turn on the "Tracing" option. If you are not performing
are updated only when changed. However, you might want to update unchanged preference items, such as reap
race file can be created on the computer where you run modeling, and you must turn on the "Tracing" option. If
date unchanged preference items, such as reapplying a desired preference setting in case a user has changed it
on the computer where you run modeling, and you must turn on the "Tracing" option. If you are not performing
update unchanged preference items, such as reapplying a desired preference setting in case a user has change
ted on the computer where you run modeling, and you must turn on the "Tracing" option. If you are not perform
ant to update unchanged preference items, such as reapplying a desired preference setting in case a user has c
created on the computer where you run modeling, and you must turn on the "Tracing" option. If you are not per
y "Permit use of <extension name> preference extension" policy settings.

ension name> preference extension" policy settings.
leave the text box on the Settings tab of the Policy Properties dialog box blank. If you disable or do not configu
If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Ad
If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Ad
ites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior.
ites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior.
oso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be e
oso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be e
see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.
see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.
controller advertises to Kerberos client computers that the domain is capable of claims and compound authent
on, hash publication is turned off for all file servers where Group Policy is applied. In circumstances where this p
omputers wait for the network to be fully initialized before users are logged on. Group Policy is applied in the for
w in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but
ices snap-in to the Microsoft Management Console.

nges to this policy setting to take immediate effect after a Group Policy refresh. Note: This policy setting will ta
st configure this setting to have complete NCA functionality.
etting is not configured, users do not have Connect or Disconnect options.
ed time interval is 4294967200 seconds, while any value greater than 4294967 seconds (~49 days) will be trea
decreased. If you enable this policy setting, domain administrators should ensure that the only applications us
u enable this policy setting, domain administrators should ensure that the only applications using the exclusive
cp.<SiteName>._sites.<DnsDomainName> GenericGc SRV _gc._tcp.<DnsForestName> GenericGcAtSite

If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
ontroller hosting an Active Directory domain specified with a single-label name. The computers will not attempt
ess Connection Properties dialog box. If this setting is disabled, nothing within the properties dialog box for a rem
ote access connections, and this setting is ignored. Note: LAN connections are created and deleted automatica
te access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote acces
a LAN connection" setting is enabled, users are blocked from accessing the Properties button for LAN connectio
the Remote Access Connection Properties dialog box, the Properties button for remote access connection comp
nge properties of an all user remote access connection", or "Prohibit changing properties of a private remote ac
enabled, nothing within the properties dialog box for a remote access connection will be available to users. Not
ot use the Network Connections folder to create or delete a LAN connection. Note: This setting does not preven
nection icon, and click Properties. For remote access connections, click the Networking tab. In the "Components
rk" policy setting has no effect on computers that are running Windows Firewall, which replaces Internet Connec
p Wizard, administrators can choose to enable ICS. Note: Internet Connection Sharing is only available when tw
minutes. In Windows 8 and Windows Server 2012, the default sync interval is 120 minutes.
nning Windows 7 or Windows Server 2008 R2 will use the default latency value of 80 milliseconds when transitio
he. Note: By default, this cache is protected on NTFS partitions by ACLs. This setting is applied at user logon. If
n" option.
n" option.
use peer to peer applications at both work and home seamlessly. 4. In order to not use any seed server, enabl
h this selection, the BranchCache maximum round trip latency setting is enabled for all client computers where
sions - Windows Vista with BITS 4.0 installed, Windows 7, or Windows Server 2008 R2. If you select this version
olicy setting, or if you disable this policy setting, client computers that are configured with hosted cache mode
figures for hosted cache mode. If the policy setting "Set BranchCache Distributed Cache Mode" is applied in ad
to which the policy is applied. - Disabled. With this selection, BranchCache client computers use the default cli
e is turned on for all domain member client computers to which the policy is applied. - Disabled. With this sele
where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache hosted ca
ter cache setting that you specify in the policy is turned on for all domain member client computers to which th
on, BranchCache is turned off for all client computers where the policy is applied. * This policy setting is suppor
icrosoft Management Console.

e Services snap-in to the Microsoft Management Console.
The DPS can be configured with the Services snap-in to the Microsoft Management Console.
h the Services snap-in to the Microsoft Management Console.
. In the case of a print processor mismatch, the client spooler will always send jobs to the print server for rende
nt computers can create a printer connection to any server using Point and Print. -Windows Vista computers wil
nt computers can create a printer connection to any server using Point and Print. -Windows Vista computers wil
epublished whenever the host computer does not respond, just as it does with Windows 2000 printers. Note: Th
g is ignored.
he Services snap-in to the Microsoft Management Console.
ptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running. W
vitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attac
ll not be applied until the system is rebooted.
its capacity. Because this level can degrade performance, it is recommended for use only while you are investi
ormation for a process while this policy setting is in effect, the command that starts the process must begin with
depending on the selected value for this policy setting. -- "None" allows all RPC clients to connect to RPC Serve
rovided timeout value is used. The timeout is given in seconds. Note: This policy setting will not be applied un
g the following policy settings for the GPO: Computer Configuration\Policies\Windows Settings\Scripts (Startup
ngs\Scripts (Logon/Logoff)\Logon User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff Th
ngs\Scripts (Logon/Logoff)\Logon User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff Th
--- In Windows Vista, this policy setting monitors essential security settings to include firewall, antivirus, antisp
or Tasks that the application has provided for their menu. See the "Do not allow pinning items in Jump Lists" sett
nu and program File menus, and Jump Lists. This setting does not hide or prevent the user from pinning files, fo
nd Windows Vista).
ard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Use
dialog box. If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures a
dialog box. If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures a
mputer are affected.
the computer are affected.
s Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connection
uses an encoding mechanism that results in medium quality images.

setting, select the "Allow users to change this setting" check box. When you do this, users on the client can cho
ttings are configured, the Computer Configuration setting takes precedence.

ttings are configured, the Computer Configuration setting takes precedence.
Standard.
set to Dynamic. If you disable or do not configure this policy setting, audio playback quality will be set to Dyna
ows Server 2012, the minimum of the following values is used as the color depth format: a.Value specified by th
server has not expired. If you disable or do not configure this policy setting, the license server will exhibit the d
able or do not configure this policy setting, the security method to be used for remote connections to RD Sessio
: If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will ta
t to the server by using 56-bit encryption. If you disable or do not configure this setting, the encryption level to
operties dialog box. Notes: 1. The roaming user profiles enabled by the policy setting apply only to Remote De
" policy setting, client connection attempts to any remote computer will fail, if the client cannot connect directly
ome directory is as specified at the server.
pt to use the fallback printer driver. If you do not configure this policy setting, the fallback printer driver behavi
t specified) as the working directory for the program. If the status is set to Disabled or Not Configured, Remote
t specified) as the working directory for the program. If the status is set to Disabled or Not Configured, Remote
at the group Group policy Policy level and the default will be used. This setting is enabled by default. Notes: 1
u disable or do not configure this policy setting, desktop composition is not allowed for remote desktop sessions
h depend on the TPManti-hammering logic can be used. Choose the operating system managed TPM authentic
on to the TPM. The TPM is designed to protect itself against password guessing attacks by entering a hardwar
uthorization to the TPM. The TPM is designed to protect itself against password guessing attacks by entering
this policy setting is enabled is exactly the same behavior as in Windows NT 4.0.
cached profile will be used, or a temporary profile issued if no cached profile exists. Note: The policy setting m
m of roaming users' profiles on the machine.
he system's first few attempts to unload the user settings are more likely to fail. This policy setting does not affe
ust respond to this notice in operating systems earlier than Microsoft Windows Vista, use the "Timeout for dialog
erval (hours)" option is disregarded. If you enable this policy setting, Windows uploads the registry file of the u
ing has no effect.
g to connect with network resources if users choose to turn the setting off.
file to load when the system detects a slow connection.
must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on
SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go
ility and security, computers should also have a TPM startup PIN that can be used when the computer is disconn
BitLocker recovery when firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmw
up recovery password and key package", both the BitLocker recovery password and key package are stored in A
D DS for operating system drives. If you select "Backup recovery password and key package", both the BitLocke
you select "Backup recovery password and key package", both the BitLocker recovery password and key packag
ted with the BitLocker recovery information. Note: The 48-digit recovery password will not be available in FIPS-c
S Boot Block (PCR 9), the Boot Manager (PCR 10), and the BitLocker Access Control (PCR 11). The descriptions of
m validation profile or the platform validation profile specified by the setup script. A platform validation profile co
default platform validation profile or the platform validation profile specified by the setup script. A platform val
cker uses the algorithm configured on the drive to encrypt the drive. The Restrict encryption algorithms and cip
t, BitLocker uses the algorithm configured on the drive to encrypt the drive. The Restrict encryption algorithms
BitLocker uses the algorithm configured on the drive to encrypt the drive. The Restrict encryption algorithms a
ccepted regardless of actual password complexity and the drive will be encrypted using that password as a prot
will be encrypted using that password as a protector. When set to "Do not allow complexity", no password compl
ual password complexity and the drive will be encrypted using that password as a protector. When set to "Do no
custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may
t custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting ma
ing link(s) will be shared between pinned Internet/intranet links and pinned Search Connectors/Libraries. Searc
m Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s)
Windows Firewall: Allow file and printer sharing exception," "Windows Firewall: Allow remote administration exce
Windows Firewall: Allow file and printer sharing exception," "Windows Firewall: Allow remote administration exce
nbound ICMP echo requests (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exc
nbound ICMP echo requests (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exc
ed services from opening additional dynamically-assigned ports. Because disabling this policy setting does not b
ed services from opening additional dynamically-assigned ports. Because disabling this policy setting does not b
check box."
check box."
s only the local port exceptions list that administrators define by using the Windows Firewall component in Cont
s only the local port exceptions list that administrators define by using the Windows Firewall component in Cont
am exceptions list defined by Group Policy is deleted. If a local program exceptions list exists, it is ignored unless
am exceptions list defined by Group Policy is deleted. If a local program exceptions list exists, it is ignored unless
om a Windows Media server.
Pv6 filter empty. Ranges are specified using the syntax IP1-IP2. Multiple ranges are separated using "," (comma
7 : This policy setting has no effect. Users will always see an Account Control window and require elevated perm
tart the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the us
not have any effect on Windows RT PCs.
ting has no effect. If the "Configure Automatic Updates" policy setting is disabled or is not configured, then the
ecision; on windows 7 and downlevel, the OS will allow 16-bit applications to run. Note: This setting appears in
tting, please reboot to ensure that your system accurately reflects those changes.
plan usage is less than 80 percent of the limit. 0x8 - Usage of this connection is unrestricted up to a certain dat
ntrol Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. Note: T
re enabled, the "Show only specified Control Panel items" setting is ignored. Note: The Display Control Panel ite
rikam.com
kam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com

DCOM server process is started, but before an object activation request is dispatched to the server process. Th
thout lock" option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use t
ed, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries
se their local DNS client settings to determine the query behavior for unqualified multi-label names.
S suffixes are appended to the unqualified queries.
when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as
for each connection. For example, when a user submits a query for a single-label name such as "example," the
atic IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt
rts. - ""Force queue mode for application errors"": Select this option if you do not want users to report errors. W
nfigure Default Consent policy setting.

nfigure Default Consent policy setting.
s category includes the Windows components category.) If you disable this policy setting or do not configure it,
e running state. When the service is stopped or disabled, system file recovery will not be attempted. The DPS ca
he Tablet Settings in Control Panel or from the opt-in dialog. This policy setting is related to the "Turn off handwr
he Tablet Settings in Control Panel or from the opt-in dialog. This policy setting is related to the "Turn off handwr
er waits for the user at boot or logon. The default is 5000 milliseconds. If you disable this policy setting, the G
ectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing
ectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing
in case a user has changed it.
user has changed it.
in longer waits for the user at boot or logon. The default is 5000 milliseconds. If you disable or do not configure
minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range an
ely that update requests overlap. However, updates might be delayed significantly. Note: This setting is used o
minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. H
etting in case a user has changed it.

g" option. If you are not performing Group Policy Modeling or there are no preference items in this extension, no
nce setting in case a user has changed it.
acing" option. If you are not performing Group Policy Modeling or there are no preference items in this extension
e a user has changed it.
you are not performing Group Policy Modeling or there are no preference items in this extension, no planning tra
etting in case a user has changed it.
option. If you are not performing Group Policy Modeling or there are no preference items in this extension, no p
a desired preference setting in case a user has changed it.
ing" option. If you are not performing Group Policy Modeling or there are no preference items in this extension,
as changed it.
t performing Group Policy Modeling or there are no preference items in this extension, no planning trace file is c
d preference items, such as reapplying a desired preference setting in case a user has changed it.
"Tracing" option. If you are not performing Group Policy Modeling or there are no preference items in this exten
a user has changed it.
u are not performing Group Policy Modeling or there are no preference items in this extension, no planning trace
se a user has changed it.
ou are not performing Group Policy Modeling or there are no preference items in this extension, no planning trac
tting in case a user has changed it.
you are not performing Group Policy Modeling or there are no preference items in this extension, no planning tra
s, such as reapplying a desired preference setting in case a user has changed it.
n modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there
eference items, such as reapplying a desired preference setting in case a user has changed it.
on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items in this
preference setting in case a user has changed it.
the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items in this ex
tems, such as reapplying a desired preference setting in case a user has changed it.
"Tracing" option. If you are not performing Group Policy Modeling or there are no preference items in this extens
hanged preference items, such as reapplying a desired preference setting in case a user has changed it.
ou are not performing Group Policy Modeling or there are no preference items in this extension, no planning tra
red preference setting in case a user has changed it.
on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items in thi
ase a user has changed it.
you are not performing Group Policy Modeling or there are no preference items in this extension, no planning tr
rence items, such as reapplying a desired preference setting in case a user has changed it.
on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items in this
se a user has changed it.
f you are not performing Group Policy Modeling or there are no preference items in this extension, no planning t
n case a user has changed it.
n. If you are not performing Group Policy Modeling or there are no preference items in this extension, no plannin
tting in case a user has changed it.
option. If you are not performing Group Policy Modeling or there are no preference items in this extension, no pla
disable or do not configure this policy setting, these commands are fully functional for all Help files. Note: Only
ifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed
ifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed
ehavior.
ehavior.
n. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creat
n. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creat
and compound authentication for Dynamic Access Control and Kerberos armoring. Domain functional level req
rcumstances where this policy setting is enabled, you can also select the following configuration options: - Allow
olicy is applied in the foreground, synchronously. On servers running Windows Server 2008 or later, this policy
e console file opens, but the prohibited snap-in does not appear.
This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state. When th
ds (~49 days) will be treated as infinity. If you disable this policy setting, Force Rediscovery will be used by defa
the only applications using the exclusive read capability in the domain are those approved by the administrato
tions using the exclusive read capability in the domain are those approved by the administrator.
Name> GenericGcAtSite SRV _gc._tcp.<SiteName>._sites.<DnsForestName> Rfc1510UdpKdc SRV _kerber

mputers will not attempt DNS name resolution in this case, unless the computer is searching for a domain with a
erties dialog box for a remote access connection will be available to users. Note: This setting does not prevent u
and deleted automatically by the system when a LAN adapter is installed or removed. You cannot use the Netw
ete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "A
button for LAN connection components. Note: Network Configuration Operators only have permission to change
access connection components is blocked. Note: This setting does not prevent users from using other programs
es of a private remote access connection" settings are set to deny access to the connection properties dialog bo
e available to users. Note: This setting does not prevent users from using other programs, such as Internet Exp
s setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.
tab. In the "Components checked are used by this connection" box, click Internet Protocol (TCP/IP), click the Pro
replaces Internet Connection Firewall when you install Windows XP Service Pack 2. If you disable this setting or
s only available when two or more network connections are present. Note: When the "Prohibit access to propert
lliseconds when transitioning a folder to the slow-link mode. Computers running Windows 8 or Windows Server
s applied at user logon. If this setting is changed after user logon then user logoff and logon is required for this s
e any seed server, enable the setting; do not insert a seed server name; and check the check box. If this settin
l client computers where the policy is applied. For example, if Configure BranchCache for network files is enable
If you select this version, later versions of Windows run the version of BranchCache that is included in these op
with hosted cache mode still function correctly. Policy configuration Select one of the following: - Not Configure
he Mode" is applied in addition to this policy, the client computer performs automatic hosted cache server disco
puters use the default client computer cache age setting of 28 days on the client computer. In circumstances w
Disabled. With this selection, BranchCache distributed cache mode is turned off for all client computers where
, BranchCache hosted cache mode is turned on for all domain member client computers to which the policy is a
nt computers to which the policy is applied. - Disabled. With this selection, BranchCache client computers use t
s policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate ed
he print server for rendering. Disabling the above policy setting does not override this behavior. Note: In cases
ows Vista computers will not show a warning or an elevated command prompt when users create a printer conn
ows Vista computers will not show a warning or an elevated command prompt when users create a printer conn
s 2000 printers. Note: This setting applies to printers published by using Active Directory Users and Computers
dows you are running. Windows Vista and later Enable the Remote Assistance exception for the domain profile.
rd (the invitation is attached to your email message). This policy setting is not available in Windows Vista since
nly while you are investigating an RPC problem. Note: To retrieve the RPC state information from a system that
process must begin with one of the strings in the Extended Error Information Exception field. -- "On" enables e
to connect to RPC Servers running on the machine on which the policy setting is applied. -- "Authenticated" al
ng will not be applied until the system is rebooted.
Settings\Scripts (Startup/Shutdown)\Startup Computer Configuration\Policies\Windows Settings\Scripts (Startup

Logon/Logoff)\Logoff This policy setting appears in the Computer Configuration and User Configuration folders.
Logon/Logoff)\Logoff This policy setting appears in the Computer Configuration and User Configuration folders.
firewall, antivirus, antispyware, Internet security settings, User Account Control, and Automatic Updates. Window
items in Jump Lists" setting.
ser from pinning files, folders, or websites to the Jump Lists. See the "Do not allow pinning items in Jump Lists"
hich keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. If you
nt scratch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the
nt scratch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the
mit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Des
sers on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD
uality will be set to Dynamic.

: a.Value specified by this policy setting b.Maximum color depth supported by the client c.Value requested by
e server will exhibit the default behavior noted earlier.
connections to RD Session Host servers is not specified at the Group Policy level.
er, that certificate will take precedence over this policy setting.
g, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Gr
apply only to Remote Desktop Services connections. A user might also have a Windows roaming user profile con
t cannot connect directly to the remote computer. If an RD Gateway server is specified by the user, a client conn
ack printer driver behavior is off by default. Note: If the "Do not allow client printer redirection" setting is enabl
Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator o
Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator o
led by default. Notes: 1. For Windows Server 2008, this policy setting is supported on at least Windows Server
remote desktop sessions, even if desktop composition is enabled in RDC or in the .rdp file.
managed TPM authentication setting of "Delegated" to store only the TPM administrative delegation blob and
ks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization v
sing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect autho
ote: The policy setting must be configured on the client computer not the server for it to have any effect becaus
olicy setting does not affect the system's attempts to update the files in the user profile. Tip: Consider increasin
e the "Timeout for dialog boxes" policy setting. Important: If the "Do not detect slow network connections" setti
s the registry file of the user's roaming user profile in the background according to the schedule set here while t
ader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Serv
selected, BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on
n the computer is disconnected from the wired network or the server at startup.
er prior to applying firmware updates.
y package are stored in AD DS. Storing the key package supports recovering data from a drive that has been phy
kage", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package sup
password and key package are stored in AD DS. If you select "Backup recovery password only" only the recovery
not be available in FIPS-compliance mode. Important: This policy setting provides an administrative method of
R 11). The descriptions of PCR settings for computers that use an Extensible Firmware Interface (EFI) are differen
tform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. Th
up script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging
yption algorithms and cipher suites allowed for hardware-based encryption option enables you to restrict the en
ct encryption algorithms and cipher suites allowed for hardware-based encryption option enables you to restric
encryption algorithms and cipher suites allowed for hardware-based encryption option enables you to restrict
g that password as a protector. When set to "Do not allow complexity", no password complexity validation will be
xity", no password complexity validation will be done. Passwords must be at least 8 characters. To configure a g
ctor. When set to "Do not allow complexity", no password complexity validation will be done. Passwords must b
nges to this setting may not be applied until the user logs off from Windows.
hanges to this setting may not be applied until the user logs off from Windows.
nnectors/Libraries. Search Connector/Library links take precedence over Internet/intranet search links. If you en
u. The remaining link(s) will be shared between pinned Search Connectors/Libraries and pinned Internet/intrane
mote administration exception," and "Windows Firewall: Define inbound port exceptions." Note: Other Windows
mote administration exception," and "Windows Firewall: Define inbound port exceptions." Note: Other Windows
s Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 in
s Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 in
policy setting does not block TCP port 445, it does not conflict with the "Windows Firewall: Allow file and printer
policy setting does not block TCP port 445, it does not conflict with the "Windows Firewall: Allow file and printer
ewall component in Control Panel. Other policy settings can continue to open or block ports. Note: If you type a
ewall component in Control Panel. Other policy settings can continue to open or block ports. Note: If you type a
exists, it is ignored unless you enable the "Windows Firewall: Allow local program exceptions" policy setting. If y
exists, it is ignored unless you enable the "Windows Firewall: Allow local program exceptions" policy setting. If y
arated using "," (comma) as the delimiter. Example IPv4 filters:\n2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22 Example
nd require elevated permissions to do either of these tasks. On Windows 8 and Windows RT: This policy setting h
s ready to restart, the user will be notified and given the option to delay the restart.) On Windows 8 and later, y
not configured, then the Software Notifications policy setting has no effect.
This setting appears in only Computer Configuration.
ricted up to a certain data limit and plan usage is between 80 percent and 100 percent of the limit. 0x10 - Usag
tting is ignored. Note: The Display Control Panel item cannot be hidden in the Desktop context menu by using
Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Disp
brikam.com
o the server process. This access check is done against the DCOM server's custom launch permission security d
y. The devices that use this setting must be running at least Windows 10 (Version 1511).
atus in the Quota Entries window changes, but users can continue to write to the volume.
label names.
attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the qu
e such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.m
DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
users to report errors. When this option is selected, errors are stored in a queue directory, and the next adminis
ng or do not configure it, the Default application reporting settings policy setting takes precedence. Also see the
e attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
d to the "Turn off handwriting personalization" policy setting. Note: The amount of stored ink is limited to 50 MB
d to the "Turn off handwriting personalization" policy setting. Note: The amount of stored ink is limited to 50 MB
this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within th
nectivity, the SMB timing is used.

nectivity, the SMB timing is used.
sable or do not configure this policy setting, the Group Policy client will not cache applicable GPOs or settings th
blishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed
te: This setting is used only when you are establishing policy for a domain, site, organizational unit (OU), or cus
client requests overlap. However, updates might be delayed significantly. Important: If the "Turn off background
ems in this extension, no planning trace file is created.
e items in this extension, no planning trace file is created.
xtension, no planning trace file is created.
ms in this extension, no planning trace file is created.
items in this extension, no planning trace file is created.
no planning trace file is created.

hanged it.
rence items in this extension, no planning trace file is created.
ension, no planning trace file is created.
tension, no planning trace file is created.
Policy Modeling or there are no preference items in this extension, no planning trace file is created.
preference items in this extension, no planning trace file is created.
eference items in this extension, no planning trace file is created.
ence items in this extension, no planning trace file is created.

r has changed it.
o preference items in this extension, no planning trace file is created.
extension, no planning trace file is created.
preference items in this extension, no planning trace file is created.

extension, no planning trace file is created.
this extension, no planning trace file is created.
s in this extension, no planning trace file is created.
all Help files. Note: Only folders on the local computer can be specified in this policy setting. You cannot use thi
t in this list are assumed to be denied.
t in this list are assumed to be denied.
0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as tr
0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as tr
main functional level requirements For the options "Always provide claims" and "Fail unarmored authentication
figuration options: - Allow hash publication for all shared folders. With this option, BranchCache generates conte
2008 or later, this policy setting is ignored during Group Policy processing at computer startup and Group Policy
e running state. When the service is stopped or disabled, system file recovery will not be attempted. The DPS c
very will be used by default for the machine at every 12 hour interval. If you do not configure this policy setting
ved by the administrator.
nistrator.
0UdpKdc SRV _kerberos._udp.<DnsDomainName> Rfc1510Kpwd SRV _kpasswd._tcp.<DnsDomainNam

ching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest.
etting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.
You cannot use the Network Connections folder to create or delete a LAN connection. Note: This setting does n
te access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wiz
ve permission to change TCP/IP properties. Properties for all other components are unavailable to these users.
om using other programs, such as Internet Explorer, to bypass this setting.
ction properties dialog box, the Install and Uninstall buttons for connections are blocked. Note: Nonadministrato
ms, such as Internet Explorer, to bypass this setting.
o bypass this setting.
ocol (TCP/IP), click the Properties button, and then click the Advanced button. Note: Changing this setting from E
ou disable this setting or do not configure it, the Internet Connection Firewall is disabled when a LAN Connection
Prohibit access to properties of a LAN connection," "Ability to change properties of an all user remote access con
ws 8 or Windows Server 2012 will use the default latency value of 35 milliseconds when transitioning a folder to
ogon is required for this setting to take effect.

check box. If this setting is disabled or not configured, the protocol will revert to using a public registry key to d
or network files is enabled in domain Group Policy, the BranchCache latency setting that you specify in the polic
at is included in these operating systems rather than later versions of BranchCache. - Windows 8. If you select t
ollowing: - Not Configured. With this selection, BranchCache settings are not applied to client computers by this
osted cache server discovery. If one or more hosted cache servers are found, the client computer self-configures
uter. In circumstances where this setting is enabled, you can also select and configure the following option: - S
client computers where the policy is applied. * This policy setting is supported on computers that are running W
s to which the policy is applied. - Disabled. With this selection, BranchCache hosted cache mode is turned off fo
e client computers use the default client computer cache setting of five percent of the total disk space on the c
terprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed.
behavior. Note: In cases where the client print driver does not match the server print driver (mismatched conne
sers create a printer connection to any server using Point and Print. -Windows Vista computers will not show a w
sers create a printer connection to any server using Point and Print. -Windows Vista computers will not show a w
ry Users and Computers or Pubprn.vbs. It does not apply to printers published by using Printers in Control Panel
on for the domain profile. The exception must contain: Port 135:TCP %WINDIR%\System32\msra.exe %WINDIR
e in Windows Vista since SMAPI is the only method supported. If you enable this policy setting you should also e
ation from a system that maintains it, you must use a debugging tool. Note: This policy setting will not be appli
n field. -- "On" enables extended error information for all processes. Note: For information about the Extended
ed. -- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Serve
Settings\Scripts (Startup/Shutdown)\Shutdown
er Configuration folders. The policy setting set in Computer Configuration takes precedence over the setting se
er Configuration folders. The policy setting set in Computer Configuration takes precedence over the setting se
tomatic Updates. Windows Vista computers do not require a reboot for this policy setting to take effect.
ing items in Jump Lists" setting. This policy also does not hide Tasks that the application has provided for their J
Options dialog box. If you enable this policy and choose to Medium-High from the drop-down box, password se
figure this setting on the Gestures tab in Input Panel Options.
figure this setting on the Gestures tab in Input Panel Options.
by using the Remote Desktop Session Host WMI Provider.
g the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring setting
nt c.Value requested by the client If the client does not support at least 16 bits, the connection is terminated.
not enforced through Group Policy. Important FIPS compliance can be configured through the System cryptogr
roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedence in
by the user, a client connection attempt will be made through that RD Gateway server.
irection" setting is enabled, this policy setting is ignored and the fallback printer driver is disabled.
e server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\Syste

e server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\Syste
at least Windows Server 2008 Standard.
tive delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use w
incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administr
s with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including
o have any effect because the client computer sets the file share permissions for the roaming profile at creation
. Tip: Consider increasing the number of retries specified in this policy setting if there are many user profiles st
etwork connections" setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roamin
schedule set here while the user is logged on. Regular profiles are not affected. If this setting is disabled or not
rs running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not hav
rs to unlock the drive on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Wi
a drive that has been physically corrupted. If you select "Backup recovery password only," only the recovery pas
ring the key package supports recovering data from a drive that has been physically corrupted. If you select "Ba
d only" only the recovery password is stored in AD DS. Select the "Do not enable BitLocker until recovery inform
dministrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key informa
nterface (EFI) are different than the PCR settings described for computers that use a standard BIOS. Warning: C
s ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the
er (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against
bles you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm s
on enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the alg
n enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algor
mplexity validation will be done. Passwords must be at least 8 characters. To configure a greater minimum lengt
aracters. To configure a greater minimum length for the password, enter the desired number of characters in the
done. Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter
et search links. If you enable this policy setting, the specified Internet sites will appear in the "Search again" lin
d pinned Internet/intranet search links. Search Connector/Library links take precedence over Internet/intranet s
." Note: Other Windows Firewall policy settings affect only incoming messages, but several of the options of the
." Note: Other Windows Firewall policy settings affect only incoming messages, but several of the options of the
can open TCP port 445 include "Windows Firewall: Allow inbound file and printer sharing exception," "Windows F
can open TCP port 445 include "Windows Firewall: Allow inbound file and printer sharing exception," "Windows F
wall: Allow file and printer sharing exception" policy setting. Note: Malicious users often attempt to attack netwo
wall: Allow file and printer sharing exception" policy setting. Note: Malicious users often attempt to attack netwo
ports. Note: If you type an invalid definition string, Windows Firewall adds it to the list without checking for error
ports. Note: If you type an invalid definition string, Windows Firewall adds it to the list without checking for error
tions" policy setting. If you do not configure this policy setting, Windows Firewall uses only the local program ex
tions" policy setting. If you do not configure this policy setting, Windows Firewall uses only the local program ex
0.0.1-24.0.0.22 Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:
s RT: This policy setting has no effect. Users will always see an Account Control window and require elevated pe
n Windows 8 and later, you can set updates to install during automatic maintenance instead of a specific sched
of the limit. 0x10 - Usage of this connection is unrestricted up to a certain data limit, which has been exceeded
context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying th
s setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settin
nch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server'
m," before sending the query to a DNS server. If a DNS suffix search list is not specified, the DNS client attaches
in the query "example.microsoft.com," before sending the query to a DNS server. If a DNS suffix search list is n
anted or renewed.
ry, and the next administrator to log on to the computer can send the error reports to Microsoft. - ""Corporate fi
precedence. Also see the ""Default Application Reporting"" and ""Application Exclusion List"" policies. This sett
agement Console.
ed ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are rea
ed ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are rea
at are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the
cable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads
dates might be delayed significantly. This setting establishes the update rate for computer Group Policy. To set
zational unit (OU), or customized group. If you are establishing policy for a local computer only, the system igno
the "Turn off background refresh of Group Policy" setting is enabled, this setting is ignored. Note: This setting e
le is created.
etting. You cannot use this policy setting to enable the "Shortcut" and "WinHelp" commands for .chm files that a
er the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www
er the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www
narmored authentication requests", when the domain functional level is set to Windows Server 2008 R2 or earlie
chCache generates content information for all content in all shares on the file server. - Allow hash publication o
startup and Group Policy processing will be synchronous (these servers wait for the network to be initialized dur
be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
nfigure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, u
d._tcp.<DnsDomainName> Rfc1510UdpKpwd SRV _kpasswd._udp.<DnsDomainName> If you disable this po

e Active Directory forest.
bypass this setting.

Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this s
the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Re
vailable to these users. Note: Nonadministrators are already prohibited from accessing properties of componen
d. Note: Nonadministrators are already prohibited from adding and removing connection components, regardles
anging this setting from Enabled to Not Configured does not enable the Advanced button until the user logs off.
d when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection p
l user remote access connection," or "Prohibit changing properties of a private remote access connection" settin
n transitioning a folder to the slow-link mode. To avoid extra charges on cell phone or broadband plans, it may b
a public registry key to determine the seed server to bootstrap from.
t you specify in the policy is turned on for all domain member client computers to which the policy is applied. -
Windows 8. If you select this version, Windows 8 will run the version of BranchCache that is included in the opera
client computers by this policy setting. - Enabled. With this selection, the policy setting is applied to client com
computer self-configures for hosted cache mode only. If the policy setting "Set BranchCache Hosted Cache Mod
the following option: - Specify the age in days for which segments in the data cache are valid.
puters that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent T
che mode is turned off for all client computers where the policy is applied. In circumstances where this setting
total disk space on the client computer. In circumstances where this setting is enabled, you can also select and
nstalled.
river (mismatched connection), the client will always process the print job, regardless of the setting of this polic
mputers will not show a warning or an elevated command prompt when an existing printer connection driver nee
mputers will not show a warning or an elevated command prompt when an existing printer connection driver nee
Printers in Control Panel. Tip: If you disable automatic pruning, remember to delete printer objects manually w
m32\msra.exe %WINDIR%\System32\raserver.exe Windows XP with Service Pack 2 (SP2) and Windows XP Profe
setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
y setting will not be applied until the system is rebooted.
tion about the Extended Error Information Exception field, see the Windows Software Development Kit (SDK). N
to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are grant
ence over the setting set in User Configuration.

ence over the setting set in User Configuration.
ng to take effect.
n has provided for their Jump List. This setting does not hide document shortcuts displayed in the Open dialog b
p-down box, password security is set to Medium-High. At this setting, when users enter passwords from Input
od by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a conn
onnection is terminated.
ugh the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Gro
ways takes precedence in a Remote Desktop Services session. 2. To configure a mandatory Remote Desktop Ser
is disabled.
strative Templates\System\Logon\Run these programs at user logon" setting.) Note: This setting appears in bot
strative Templates\System\Logon\Run these programs at user logon" setting.) Note: This setting appears in bot
is appropriate for use with TPM-based applications that depend on the TPM anti-hammering logic. External or r
users including administrators and Windows features like BitLocker Drive Encryption. The number of authorizati
bal for all users including administrators and Windows features like BitLocker Drive Encryption. The number of a
aming profile at creation time. Note: The behavior when this policy setting is enabled is exactly the same beha
are many user profiles stored in the computer's memory. This indicates that the system has not been able to un
cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to loa
etting is disabled or not configured, the registry file for a roaming user profile will not be uploaded in the backg
with SP2 that do not have BitLocker To Go Reader installed. If this policy setting is disabled, fixed data drives fo
dows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed. If this policy sett
y," only the recovery password is stored in AD DS. Select the "Do not enable BitLocker until recovery informatio
rrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS. Select t
cker until recovery information is stored in AD DS for removable data drives" check box if you want to prevent u
ue to lack of key information. If you do not allow both user recovery options you must enable the "Store BitLocke
andard BIOS. Warning: Changing from the default platform validation profile affects the security and manageab
y against changes to the Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0), the
e encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable
ryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encry
are encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-base
e encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based
a greater minimum length for the password, enter the desired number of characters in the "Minimum password
mber of characters in the "Minimum password length" box. If you disable or do not configure this policy setting
h for the password, enter the desired number of characters in the "Minimum password length" box. If you disabl
in the "Search again" links and the Start menu links. If you disable or do not configure this policy setting, no cu
e over Internet/intranet search links. If you enable this policy setting, the specified Libraries or Search Connecto
veral of the options of the "Windows Firewall: Allow ICMP exceptions" policy setting affect outgoing communicati
veral of the options of the "Windows Firewall: Allow ICMP exceptions" policy setting affect outgoing communicati
g exception," "Windows Firewall: Allow inbound remote administration exception," and "Windows Firewall: Define
g exception," "Windows Firewall: Allow inbound remote administration exception," and "Windows Firewall: Define
attempt to attack networks and computers using RPC and DCOM. We recommend that you contact the manufa
attempt to attack networks and computers using RPC and DCOM. We recommend that you contact the manufa
without checking for errors, and therefore you can accidentally create multiple entries for the same port with con
without checking for errors, and therefore you can accidentally create multiple entries for the same port with con
only the local program exceptions list that administrators define by using the Windows Firewall component in Co
only the local program exceptions list that administrators define by using the Windows Firewall component in Co
E:FFFF:7654:FEDA:1245:BA98:3210:4562
and require elevated permissions to do either of these tasks. If you disable this policy setting, then only admin
stead of a specific schedule. Automatic maintenance will install updates when the computer is not in use, and a
which has been exceeded. Surcharge applied or unknown. 0x20 - Usage of this connection is unrestricted up to
users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead.
computer's display settings use the "Disable Display Control Panel" setting instead.
ults. If the DCOM server's custom launch permission contains explicit DENY entries this may mean that object a
, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specifi
DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If t
Microsoft. - ""Corporate file path"": Type a UNC path to enable Corporate Error Reporting. All errors are stored a
List"" policies. This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured
When these limits are reached and new data is collected, old data is deleted to make room for more recent data.
When these limits are reached and new data is collected, old data is deleted to make room for more recent data.
the latest version of the policy from the network and uses bandwidth estimates to determine slow link threshold
chronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to dete
uter Group Policy. To set an update rate for user policies, use the "Set Group Policy refresh interval for users" se
er only, the system ignores this setting.
red. Note: This setting establishes the update rate for user Group Policies. To set an update rate for computer G
ands for .chm files that are stored on mapped drives or accessed using UNC paths. For additional options, see t
w.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, an
w.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, an
Server 2008 R2 or earlier then domain controllers behave as if the "Supported" option is selected. When the d
Allow hash publication only for shared folders on which BranchCache is enabled. With this option, content inform
work to be initialized during computer startup). If the server is configured as follows, this policy setting takes eff
nagement Console.
every 12 hour interval, unless the local machine setting in the registry is a different value.
e> If you disable this policy setting, DCs configured to perform dynamic registration of DC Locator DNS records
Explorer, to bypass this setting.
"Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for a
properties of components for a LAN connection, regardless of this setting.
n components, regardless of this setting.
n until the user logs off.

d tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the con
access connection" settings are set to deny access to the Connection Properties dialog box, the Advanced tab fo
roadband plans, it may be necessary to configure the latency threshold to be lower than the round-trip network
h the policy is applied. - Disabled. With this selection, BranchCache client computers use the default latency se
at is included in the operating system.
g is applied to client computers, which are configured as hosted cache mode clients that use the hosted cache
Cache Hosted Cache Mode" is applied, the client computer does not perform automatic hosted cache discovery.
e valid.
Background Intelligent Transfer Service (BITS) 4.0 installed.
ances where this setting is enabled, you can also select and configure the following option: - Type the name of t
, you can also select and configure the following option: - Specify the percentage of total disk space allocated f
f the setting of this policy.
ter connection driver needs to be updated. -Windows Server 2003 and Windows XP client computers can create
ter connection driver needs to be updated. -Windows Server 2003 and Windows XP client computers can create
inter objects manually whenever you remove a printer or print server.

2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1) Port 135:TCP %WINDIR%\PCHealth\HelpC
nce communications.
evelopment Kit (SDK). Note: Extended error information is formatted to be compatible with other operating sys
d. Exemptions are granted to interfaces that have requested them. -- "Authenticated without exceptions" allow
yed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. Note: It is a requirement fo
er passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input
ers do not specify a connection method, the connection method that you specify in this policy setting is used by
nd signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Pol
tory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host ser
his setting appears in both Computer Configuration and User Configuration. If both settings are configured, the C
his setting appears in both Computer Configuration and User Configuration. If both settings are configured, the C
mering logic. External or remote storage of the full TPM owner authorization value, for example by backing up th
he number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. So
yption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufa
is exactly the same behavior as in Windows 2000 Professional pre-SP4 and Windows XP Professional.
has not been able to unload the profile. Also, check the Application Log in Event Viewer for events generated b
he roaming profile to load when the system detects a slow connection.
e uploaded in the background while the user is logged on.

bled, fixed data drives formatted with the FAT file system that are BitLocker-protected cannot be unlocked on co
stalled. If this policy setting is disabled, removable data drives formatted with the FAT file system that are BitLo
until recovery information is stored in AD DS for fixed data drives" check box if you want to prevent users from
stored in AD DS. Select the "Do not enable BitLocker until recovery information is stored in AD DS for operating
if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the
nable the "Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and
security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or aut
m Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot
), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR
of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example: - A
he use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For examp
e use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For exampl
the "Minimum password length" box. If you disable this policy setting, the user is not allowed to use a password
figure this policy setting, the default length constraint of 8 characters will apply to operating system drive pass
ength" box. If you disable this policy setting, the user is not allowed to use a password. If you do not configure
this policy setting, no custom Internet search sites will be added to the "Search again" links or the Start menu
aries or Search Connectors will appear in the "Search again" links and the Start menu links. If you disable or do
ct outgoing communication.
ct outgoing communication.
Windows Firewall: Define inbound port exceptions."
Windows Firewall: Define inbound port exceptions."
you contact the manufacturers of your critical programs to determine if they are hosted by SVCHOST.exe or LS
you contact the manufacturers of your critical programs to determine if they are hosted by SVCHOST.exe or LS
or the same port with conflicting Scope or Status values. Scope parameters are combined for multiple entries. If
or the same port with conflicting Scope or Status values. Scope parameters are combined for multiple entries. If
Firewall component in Control Panel. Note: If you type an invalid definition string, Windows Firewall adds it to th
Firewall component in Control Panel. Note: If you type an invalid definition string, Windows Firewall adds it to th
setting, then only administrative users will receive update notifications. Note: On Windows 8 and Windows RT
puter is not in use, and avoid doing so when the computer is running on battery power. If automatic maintenanc
tion is unrestricted up to a certain data limit, which has been exceeded. No surcharge applies, but speeds are lik
Panel" setting instead.
may mean that object activations that would have previously succeeded for such specified users, once the DCO
ls, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the clie
a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none o
g. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next adminis
isabled or not configured.

om for more recent data. Note: Handwriting personalization works only for Microsoft handwriting recognizers, an
om for more recent data. Note: Handwriting personalization works only for Microsoft handwriting recognizers, an
rmine slow link thresholds. (See the Configure Group Policy Slow Link Detection policy setting to configure asy
dwidth estimates to determine slow link thresholds. (See the Configure Group Policy Slow Link Detection polic
esh interval for users" setting (located in User Configuration\Administrative Templates\System\Group Policy). Th
date rate for computer Group Policies, use the "Group Policy refresh interval for computers" setting (located in C
additional options, see the "Restrict these programs from being launched from Help" policy.
by Internet Explorer, and would therefore be in conflict. Value - A number indicating the zone with which this s
by Internet Explorer, and would therefore be in conflict. Value - A number indicating the zone with which this s
is selected. When the domain functional level is set to Windows Server 2012 then the domain controller adver
his option, content information is generated only for shared folders on which BranchCache is enabled. If you use
his policy setting takes effect during Group Policy processing at user logon: The server is configured as a term
f DC Locator DNS records register all DC Locator DNS resource records. If you do not configure this policy settin
bit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows
ed by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access co
box, the Advanced tab for the connection is blocked. Note: Nonadministrators are already prohibited from confi
n the round-trip network latency. In Windows Vista or Windows Server 2008, once transitioned to slow-link mod
se the default latency setting of 80 milliseconds. In circumstances where this policy setting is enabled, you can
at use the hosted cache servers that you specify in "Hosted cache servers." - Disabled. With this selection, this
hosted cache discovery. This is also true in cases where the policy setting "Configure Hosted Cache Servers" is
on: - Type the name of the hosted cache server. Specifies the computer name of the hosted cache server. Beca
tal disk space allocated for the cache. Specifies an integer that is the percentage of total client computer disk s
ent computers can create a printer connection to any server using Point and Print. -The "Users can only point an
ent computers can create a printer connection to any server using Point and Print. -The "Users can only point an
WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe %WINDIR%
with other operating systems and older Microsoft operating systems, but only newer Microsoft operating system
without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers
te: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this sett
ng is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to co
s policy setting is used by default. If you disable or do not configure this policy setting, clients will not use the R
ecurity Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from
the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session
ngs are configured, the Computer Configuration setting overrides.
ngs are configured, the Computer Configuration setting overrides.
xample by backing up the value to Active Directory Domain Services (AD DS), is recommended when using thi
by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer a
out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time wit
Professional.
er for events generated by Userenv. The system records an event whenever it tries to unload the registry portio
annot be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windo
file system that are BitLocker-protected cannot be unlocked on computers running Windows Server 2008, Windo
nt to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of
d in AD DS for operating system drives" check box if you want to prevent users from enabling BitLocker unless t
d to the domain and the backup of BitLocker recovery information to AD DS succeeds. Note: If the "Do not enab
indows Server 2008 and Windows Vista)" policy setting to prevent a policy error.
cations (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively)
e (PCR 4), the NTFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager (PCR 10), and the BitLo
ocker access control (PCR 11). Warning: Changing from the default platform validation profile affects the securit
(OID). For example: - AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.16.840
entifiers (OID). For example: - AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2
ntifiers (OID). For example: - AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.1
llowed to use a password. If you do not configure this policy setting, passwords will be supported with the defa
rating system drive passwords and no complexity checks will occur. Note: Passwords cannot be used if FIPS-com
. If you do not configure this policy setting, passwords will be supported with the default settings, which do not
links or the Start menu links.
inks. If you disable or do not configure this policy setting, no Libraries or Search Connectors will appear in the "
d by SVCHOST.exe or LSASS.exe or if they require RPC and DCOM communication. If they do not, then do not en
d by SVCHOST.exe or LSASS.exe or if they require RPC and DCOM communication. If they do not, then do not en
ed for multiple entries. If entries have different Status values, any definition with the Status set to "disabled" ov
ed for multiple entries. If entries have different Status values, any definition with the Status set to "disabled" ov
ows Firewall adds it to the list without checking for errors. This allows you to add programs that you have not in
ows Firewall adds it to the list without checking for errors. This allows you to add programs that you have not in
dows 8 and Windows RT this policy setting is enabled by default. In all prior versions of windows, it is disabled b
If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right awa
applies, but speeds are likely reduced. 0x40 - The connection is costed on a per-byte basis. 0x80 - The connect
ified users, once the DCOM server process was up and running, might now fail instead. The proper action in th
ies are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the prim
or a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the compute
oft, and the next administrator to log onto the computer can send the error reports to Microsoft. - ""Replace ins
ndwriting recognizers, and not with third-party recognizers.
ndwriting recognizers, and not with third-party recognizers.
y setting to configure asynchronous foreground behavior.)
low Link Detection policy setting to configure asynchronous foreground behavior.)
System\Group Policy). This setting is only used when the "Turn off background refresh of Group Policy" setting is
ters" setting (located in Computer Configuration\Administrative Templates\System\Group Policy). Tip: Consider
he zone with which this site should be associated for security settings. The Internet Explorer zones described ab
he zone with which this site should be associated for security settings. The Internet Explorer zones described ab
domain controller advertises to Kerberos client computers that the domain is capable of claims and compound
che is enabled. If you use this setting, you must enable BranchCache for individual shares in Share and Storage
er is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the s
onfigure this policy setting, DCs use their local configuration.
at exist in both Windows 2000 Professional and Windows XP Professional behave the same for administrators. I
ddition, remote access connections created through the Make New Connection Wizard have the Internet Connec
ady prohibited from configuring Internet Connection Sharing, regardless of this setting. Note: Disabling this sett
sitioned to slow-link mode, users will continue to operate in slow-link mode until the user clicks the Work Online
tting is enabled, you can also select and configure the following option: - Type the maximum round trip networ
With this selection, this policy is not applied to client computers. In circumstances where this setting is enable
Hosted Cache Servers" is applied. This policy setting can only be applied to client computers that are running at
osted cache server. Because the hosted cache server name is also specified in the certificate enrolled to the hos
al client computer disk space to use for the BranchCache client computer cache. * This policy setting is support
"Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and W
"Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and W
s\Helpctr.exe %WINDIR%\System32\Sessmgr.exe For computers running Windows Server 2003 with Service Pa
icrosoft operating systems can read and respond to the information. Note: The default policy setting, "Off," is d
connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allow
on to adhere to this setting.
ers will not be able to configure this setting in the Input Panel Options dialog box. If you enable this policy and
clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" pol
d decrypts data sent from the client to the server and from the server to the client, with the Federal Information
profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Template
mmended when using this setting. Choose the operating system managed TPM authentication setting of "None"
ods of time with fewer authorization failures depending on past failures. Some TPMs may require a system rest
onger periods of time with fewer authorization failures depending on past failures. Some TPMs may require a sy
nload the registry portion of the user profile. The system also records an event when it fails to update the files i
ws XP with SP3, or Windows XP with SP2. Bitlockertogo.exe will not be installed. Note: This policy setting does n
ows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2. Bitlockertogo.exe will not be in
main and the backup of BitLocker recovery information to AD DS succeeds. Note: If the "Do not enable BitLocke
nabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery informa
Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check bo
r exclusion (respectively) of the PCRs.

er (PCR 10), and the BitLocker Access Control (PCR 11). Warning: Changing from the default platform validation
profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications
CBC mode OID: 2.16.840.1.101.3.4.1.42
256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
supported with the default settings, which do not include password complexity requirements and require only 8
annot be used if FIPS-compliance is enabled. The "System cryptography: Use FIPS-compliant algorithms for encr
lt settings, which do not include password complexity requirements and require only 8 characters. Note: Passw
ctors will appear in the "Search again" links or the Start menu links.
ey do not, then do not enable this policy setting. Note: If any policy setting opens TCP port 445, Windows Firew
ey do not, then do not enable this policy setting. Note: If any policy setting opens TCP port 445, Windows Firew
atus set to "disabled" overrides all definitions with the Status set to "enabled," and the port does not receive m
atus set to "disabled" overrides all definitions with the Status set to "enabled," and the port does not receive m
ams that you have not installed yet, but be aware that you can accidentally create multiple entries for the same
ams that you have not installed yet, but be aware that you can accidentally create multiple entries for the same
windows, it is disabled by default. If the "Configure Automatic Updates" policy setting is disabled or is not confi
install updates right away. Users will then be notified about an upcoming restart, and that restart will only take
asis. 0x80 - The connection is roaming. 0x80000000 - Ignore congestion.
The proper action in this situation is to re-configure the DCOM server's custom launch permission settings for
leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, a
NS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary D
Microsoft. - ""Replace instances of the word Microsoft with"": You can specify text with which to customize you
f Group Policy" setting is not enabled. Note: Consider notifying users that their policy is updated periodically so
up Policy). Tip: Consider notifying users that their policy is updated periodically so that they recognize the signs
lorer zones described above are 1-4. If you disable or do not configure this policy, users may choose their own
lorer zones described above are 1-4. If you disable or do not configure this policy, users may choose their own
of claims and compound authentication for Dynamic Access Control and Kerberos armoring, and: - If you set the
res in Share and Storage Management on the file server. - Disallow hash publication on all shared folders. With
d and configured on the server); and The Allow asynchronous user Group Policy processing when logging on
ame for administrators. If you disable this setting or do not configure it, Windows XP settings that existed in Win
ave the Internet Connection Firewall enabled.

Note: Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP s
er clicks the Work Online button on the toolbar in Windows Explorer. Data will only be synchronized to the serve
ximum round trip network latency (milliseconds) after which caching begins. Specifies the amount of time, in mi
ere this setting is enabled, you can also select and configure the following option: - Hosted cache servers. To ad
uters that are running at least Windows 8. This policy has no effect on computers that are running Windows 7 o
ficate enrolled to the hosted cache server, the name that you enter here must match the name of the hosted ca
policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate ed
ndows Server 2003 and Windows XP SP1 (and later service packs).
ndows Server 2003 and Windows XP SP1 (and later service packs).
ver 2003 with Service Pack 1 (SP1) Port 135:TCP %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe %WINDIR%
policy setting, "Off," is designed for systems where extended error information is considered to be sensitive, an
No exceptions are allowed. Note: This policy setting will not be applied until the system is rebooted.
u enable this policy and choose High from the drop-down box, password security is set to High. At this settin
eway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attemp
h the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptograph
n\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path s
tication setting of "None" for compatibility with previous operating systems and applications or for use with sce
may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough
me TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on s
fails to update the files in a user profile.
This policy setting does not apply to drives that are formatted with the NTFS file system.
kertogo.exe will not be installed. Note: This policy setting does not apply to drives that are formatted with the N
e "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box is selec
tLocker recovery information to AD DS succeeds. Note: If the "Do not enable BitLocker until recovery informatio
xed data drives" check box is selected, a recovery password is automatically generated. If you enable this polic
fault platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity
o platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclus
ments and require only 8 characters. Note: Passwords cannot be used if FIPS-compliance is enabled. The "Syste
pliant algorithms for encryption, hashing, and signing" policy setting in Computer Configuration\Windows Setting
characters. Note: Passwords cannot be used if FIPS-compliance is enabled. The "System cryptography: Use FIPS
port 445, Windows Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility),
port 445, Windows Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility),
port does not receive messages. Therefore, if you set the Status of a port to "disabled," you can prevent admin
port does not receive messages. Therefore, if you set the Status of a port to "disabled," you can prevent admin
iple entries for the same program with conflicting Scope or Status values. Scope parameters are combined for m
iple entries for the same program with conflicting Scope or Status values. Scope parameters are combined for m
s disabled or is not configured, then the Elevate Non-Admin policy setting has no effect.
hat restart will only take place if there is no potential for accidental data loss. Automatic maintenance can be fu
permission settings for correct security settings, but this policy setting may be used in the short-term as an ap
the single-label name, and submits this new query to a DNS server. For example, if the primary DNS suffix ooo.
this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. For exa
which to customize your error report dialog boxes. The word ""Microsoft"" is replaced with the specified text.
s updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the W
they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it
s may choose their own site-to-zone assignments.
s may choose their own site-to-zone assignments.
ing, and: - If you set the "Always provide claims" option, always returns claims for accounts and supports the R
all shared folders. With this option, BranchCache does not generate content information for any shares on the c
cessing when logging on through Terminal Services policy setting is enabled. This policy setting is located unde
ttings that existed in Windows 2000 will not apply to administrators. Note: This setting is intended to be used i
he ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the
ynchronized to the server if the user manually initiates synchronization by using Sync Center. In Windows 7, Win
he amount of time, in milliseconds, after which BranchCache client computers begin to cache content locally.
sted cache servers. To add hosted cache server computer names to this policy setting, click Enabled, and then c
are running Windows 7 or Windows Vista. If you disable, or do not configure this setting, a client will not attem
he name of the hosted cache server that is specified in the server certificate. Hosted cache clients must trust th
terprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed.
s\Helpsvc.exe %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe Allow Remote Desktop Exception
dered to be sensitive, and it should not be made available remotely. Note: This policy setting will not be applied
m is rebooted.
et to High. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by d
client connection attempt will be made through that RD Gateway server.
ng Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Se
Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting sh
ations or for use with scenarios that require TPM owner authorization not be stored locally. Using this setting mi
stem to be on so enough clock cycles elapse before the TPM exits the lockout mode. An administrator with the
ire the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. An administrator
are formatted with the NTFS file system.
rives" check box is selected, a recovery password is automatically generated. If you enable this policy setting,
until recovery information is stored in AD DS for operating system drives" check box is selected, a recovery pas
. If you enable this policy setting, you can control the methods available to users to recover data from BitLocke
r. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending

upon inclusion or exclusion (respectively) of the PCRs. Specifically, setting this policy with PCR 7 omitted, will o
ce is enabled. The "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing" p
guration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is
m cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing" policy setting in Computer
sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them.
sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them.
" you can prevent administrators from using the Windows Firewall component in Control Panel to enable the por
" you can prevent administrators from using the Windows Firewall component in Control Panel to enable the por
eters are combined for multiple entries. Note: If you set the Status parameter of a definition string to "disabled
eters are combined for multiple entries. Note: If you set the Status parameter of a definition string to "disabled
c maintenance can be further configured by using Group Policy settings here: Computer Configuration->Admini
the short-term as an application compatibility deployment aid. DCOM servers added to this exemption list are
e primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example,"
to a DNS server. For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-term
with the specified text. If you do not configure this policy setting, users can change Windows Error Reporting se
Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions
ws desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, su
ounts and supports the RFC behavior for advertising the flexible authentication secure tunneling (FAST). - If you
on for any shares on the computer and does not send content information to client computers that request conte
y setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\. If th

is intended to be used in a situation in which the Group Policy object that these settings are being applied to co
ork Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box.
enter. In Windows 7, Windows Server 2008 R2, Windows 8 or Windows Server 2012, when operating in slow-lin
cache content locally.
click Enabled, and then click Show. The Show Contents dialog box opens. Click Value, and then type the comput
g, a client will not attempt to discover hosted cache servers by service connection point. Policy configuration S
ache clients must trust the server certificate that is issued to the hosted cache server. Ensure that the issuing C
nstalled.
p Exception
etting will not be applied until the system is rebooted.
on-screen keyboard by default, skin switching is not allowed, and Input Panel does not display the cursor or whi
etween clients and RD Session Host servers requires the highest level of encryption.
r Profile" policy setting should contain the mandatory profile.
lly. Using this setting might cause issues with some TPM-based applications. If this policy setting is disabled o
n administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Ma
mode. An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using th
nable this policy setting, you can control the methods available to users to recover data from BitLocker-protected
selected, a recovery password is automatically generated. If you enable this policy setting, you can control the
cover data from BitLocker-protected removable data drives. If this policy setting is not configured or disabled, th
d or decreased depending upon inclusion or exclusion (respectively) of the PCRs.

with PCR 7 omitted, will override the "Allow Secure Boot for integrity validation" group policy, preventing BitLock
, hashing, and signing" policy setting in Computer Configuration\Windows Settings\Security Settings\Local Polic
hether FIPS-compliance is enabled.
olicy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options speci
etting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow inbound file
etting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow inbound file
l Panel to enable the port. Note: The only effect of setting the Status value to "disabled" is that Windows Firewa
l Panel to enable the port. Note: The only effect of setting the Status value to "disabled" is that Windows Firewa
nition string to "disabled," Windows Firewall ignores port requests made by that program and ignores other defi
nition string to "disabled," Windows Firewall ignores port requests made by that program and ignores other defi
r Configuration->Administrative Templates->Windows Components->Maintenance Scheduler 5 = Allow local ad
o this exemption list are only exempted if their custom launch permissions do not contain specific LocalLaunch,
e-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves th
hed to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft
ndows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers th
menus. Also, restrictions imposed by Group Policies, such as those that limit the programs users can run, might
sed by Group Policies, such as those that limit the programs a user can run, might interfere with tasks in progre
unneling (FAST). - If you set the "Fail unarmored authentication requests" option, rejects unarmored Kerberos m
puters that request content.
stem\Group Policy\. If this configuration is not implemented on the server, this policy setting is ignored. In this
gs are being applied to contains both Windows 2000 Professional and Windows XP Professional computers, and i
works" check box.

hen operating in slow-link mode Offline Files synchronizes the user's files in the background at regular intervals,
nd then type the computer names of the hosted cache servers.
t. Policy configuration Select one of the following: - Not Configured. With this selection, BranchCache settings
Ensure that the issuing CA certificate is installed in the Trusted Root Certification Authorities certificate store on
display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Op
licy setting is disabled or not configured and the "Turn on TPM backup to Active Directory Domain Services" po
ut logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware
ware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's h
from BitLocker-protected fixed data drives. If this policy setting is not configured or disabled, the default recov
ting, you can control the methods available to users to recover data from BitLocker-protected operating system
configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is all
olicy, preventing BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity valid
urity Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.
es\Security Options specifies whether FIPS-compliance is enabled.

rewall: Allow inbound file and printer sharing exception," "Windows Firewall: Allow inbound remote administrati
rewall: Allow inbound file and printer sharing exception," "Windows Firewall: Allow inbound remote administrati
d" is that Windows Firewall ignores other definitions for that port that set the Status to "enabled." If another poli
d" is that Windows Firewall ignores other definitions for that port that set the Status to "enabled." If another poli
m and ignores other definitions that set the Status of that program to "enabled." Therefore, if you set the Statu
m and ignores other definitions that set the Status of that program to "enabled." Therefore, if you set the Statu
eduler 5 = Allow local administrators to select the configuration mode that Automatic Updates should notify an
ain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users o
he DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and s
ample.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till
eporting on computers that are running Windows XP, and Report to Queue on computers that are running Windo
ms users can run, might interfere with tasks in progress.
rfere with tasks in progress.
ts unarmored Kerberos messages. Warning: When "Fail unarmored authentication requests" is set, then client c
etting is ignored. In this case, Group Policy processing at user logon is synchronous (these servers wait for the n
ssional computers, and identical Network Connections policy behavior is required between all Windows 2000 Pr
ound at regular intervals, or as configured by the "Configure Background Sync" policy. While in slow-link mode, W
n, BranchCache settings are not applied to client computers by this policy setting, and client computers do not
ities certificate store on all hosted cache client computers. * This policy setting is supported on computers that
ting in the Input Panel Options dialog box. If you disable this policy, password security is set to Medium-High.
ory Domain Services" policy setting is also disabled or not configured, the default setting is to store the full TPM
sets the TPM's hardware lockout logic all prior standard user TPM authorization failures are ignored; allowing sta
strator resets the TPM's hardware lockout logic all prior standard user TPM authorization failures are ignored; all
sabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recov
tected operating system drives. If this policy setting is disabled or not configured, the default recovery options
y. By default a DRA is allowed, the recovery options can be specified by the user including the recovery passwo
ata (BCD) integrity validation. Setting this policy may result in BitLocker recovery when firmware is updated. If y
und remote administration exception," and "Windows Firewall: Define inbound port exceptions."
und remote administration exception," and "Windows Firewall: Define inbound port exceptions."
enabled." If another policy setting opens a port, or if a program in the program exceptions list asks Windows Fir
enabled." If another policy setting opens a port, or if a program in the program exceptions list asks Windows Fir
fore, if you set the Status to "disabled," you prevent administrators from allowing the program to ask Windows F
fore, if you set the Status to "disabled," you prevent administrators from allowing the program to ask Windows F
Updates should notify and install updates. With this option, local administrators will be allowed to use the Wind
y entries for any users or groups. Also note, exemptions for DCOM Server Appids added to this list will apply to
d devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffi
ps the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If t
rs that are running Windows Server 2003. If you disable this policy setting, configuration settings in the policy s
ests" is set, then client computers which do not support Kerberos armoring will fail to authenticate to the doma
ese servers wait for the network to be initialized during user logon). If you disable or do not configure this polic
een all Windows 2000 Professional and Windows XP Professional computers.
While in slow-link mode, Windows periodically checks the connection to the folder and brings the folder back onl
client computers do not perform hosted cache server discovery. - Enabled. With this selection, the policy setting
ported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Backgroun
is set to Medium-High. At this setting, when users enter passwords from Input Panel they use the on-screen ke
ng is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured an
are ignored; allowing standard users to use the TPM normally again immediately. If this value is not configured,
n failures are ignored; allowing standard users to use the TPM normally again immediately. If this value is not co
DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery
default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options
ing the recovery password and recovery key, and recovery information is not backed up to AD DS
n firmware is updated. If you set this policy to include PCR 0, suspend BitLocker prior to applying firmware updat
eptions."
eptions."
ons list asks Windows Firewall to open a port, Windows Firewall opens the port. Note: If any policy setting opens
ons list asks Windows Firewall to open a port, Windows Firewall opens the port. Note: If any policy setting opens
rogram to ask Windows Firewall to open additional ports. However, even if the Status is "disabled," the program
rogram to ask Windows Firewall to open additional ports. However, even if the Status is "disabled," the program
allowed to use the Windows Update control panel to select a configuration option of their choice. Local administ
d to this list will apply to both 32-bit and 64-bit versions of the server if present.
ils, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.mi
le.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolu
on settings in the policy setting are left blank. See related policy settings Display Error Notification (same folder
uthenticate to the domain controller. To ensure this feature is effective, deploy enough domain controllers that
o not configure this policy setting and users log on to a client computer or a server running Windows Server 200
rings the folder back online if network speeds improve. In Windows 8 or Windows Server 2012, set the Latency
lection, the policy setting is applied to client computers, which perform automatic hosted cache server discover
editions with Background Intelligent Transfer Service (BITS) 4.0 installed.

hey use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the curs
bled or not configured and the "Turn on TPM backup to Active Directory Domain Services" group policy setting
s value is not configured, a default value of 4 is used. A value of zero means the OS will not allow standard user
ely. If this value is not configured, a default value of 9 is used. A value of zero means the OS will not allow stan
y password and recovery key, and recovery information is not backed up to AD DS
ed, the recovery options can be specified by the user including the recovery password and recovery key, and re
p to AD DS
applying firmware updates.

any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the mes
any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the mes
"disabled," the program can still receive unsolicited incoming messages through a port if another policy setting
"disabled," the program can still receive unsolicited incoming messages through a port if another policy setting
eir choice. Local administrators will not be allowed to disable the configuration for Automatic Updates. If the sta
nd the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified
s under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolut
Notification (same folder as this policy setting), and Turn off Windows Error Reporting in Computer Configuration
domain controllers that support claims and compound authentication for Dynamic Access Control and are Kerb
ning Windows Server 2008 or later and that is configured as described earlier, the computer typically does not w
er 2012, set the Latency threshold to 1ms to keep users always working offline in slow-link mode. If you disable
ed cache server discovery and which are configured as hosted cache mode clients. - Disabled. With this selecti
does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input
es" group policy setting is enabled, then only the administrative delegation and the user delegation blobs are s
l not allow standard users to send commands to the TPM which may cause an authorization failure.
he OS will not allow standard users to send commands to the TPM which may cause an authorization failure.
and recovery key, and recovery information is not backed up to AD DS.
uest messages (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" po
uest messages (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" po
t if another policy setting opens that port. Note: Windows Firewall opens ports for the program only when the p
t if another policy setting opens that port. Note: Windows Firewall opens ports for the program only when the p
matic Updates. If the status for this policy is set to Disabled, any updates that are available on Windows Update
es if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a
f this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.
n Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Com
ess Control and are Kerberos armor-aware to handle the authentication requests. Insufficient number of domain
puter typically does not wait for the network to be fully initialized. In this case, users are logged on with cached
link mode. If you disable this policy setting, computers will not use the slow-link mode.
isabled. With this selection, this policy is not applied to client computers.
e this setting in the Input Panel Options dialog box. If you do not configure this policy, password security is set
er delegation blobs are stored in the local registry. Note: If the operating system managed TPM authentication
ation failure.
authorization failure.
low ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Wind
low ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Wind
program only when the program is running and "listening" for incoming messages. If the program is not running
program only when the program is running and "listening" for incoming messages. If the program is not running
lable on Windows Update must be downloaded and installed manually. To do this, search for Windows Update us
mitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devoluti
uery example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix ca
anagement/Internet Communication settings.
fficient number of domain controllers that support this policy result in authentication failures whenever Dynamic
e logged on with cached credentials. Group Policy is applied asynchronously in the background. Notes: -If you w
password security is set to Medium-High by default. At this setting, when users enter passwords from Input P
ged TPM authentication setting is changed from "Full" to "Delegated" the full TPM owner authorization value w
P port 445 include "Windows Firewall: Allow inbound file and printer sharing exception," "Windows Firewall: Allow
P port 445 include "Windows Firewall: Allow inbound file and printer sharing exception," "Windows Firewall: Allow
e program is not running, or is running but not listening for those messages, Windows Firewall does not open its
e program is not running, or is running but not listening for those messages, Windows Firewall does not open its
h for Windows Update using Start. If the status is set to Not Configured, use of Automatic Updates is not specifi
Status Policy Path
Computer Configuration\Windows Settings\Account Policies\Password Policy

Computer Configuration\Windows Settings\Account Policies\Account Lockout Policy
Computer Configuration\Windows Settings\Local Policies\Kerberos Policy
Computer Configuration\Windows Settings\Local Policies\Audit Policy
Computer Configuration\Windows Settings\Local Policies\User Rights Assignment
Computer Configuration\Windows Settings\Local Policies\Security Options
Computer Configuration\Windows Settings\Security Settings\Event Log
Computer Configuration\Windows Settings\Security Settings\Restricted Groups
Computer Configuration\Windows Settings\Security Settings\System Services
Computer Configuration\Windows Settings\Security Settings\Registry
Computer Configuration\Windows Settings\Security Settings\File System
Policy Name
Enforce password history

Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirement
Store passwords using reversible encryption for all users in the domain
Account lockout duration
Account lockout threshold
Reset lockout counter after
Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
Access this computer from the network
Access Credential Manager as a trusted caller
Act as part of the operating system
Add workstations to a domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services
Backup files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create a token object
Create global objects
Create permanent shared objects
Create Symbolic Links
Debug programs
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Generate security audits
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Load and unload device drivers
Lock pages in memory
Log on as a batch job
Log on as a service
Log on locally
Manage auditing and security log
Modify an object label
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Replace a process level token
Restore files and directories
Shut down the system
Synchronize directory service data
Take ownership of files or other objects
Accounts: Administrator account status
Accounts: Block Microsoft accounts
Accounts: Guest account status
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Audit: Audit the accesss of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy categ
Audit: Shut down system immediately if unable to log security audits
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Devices: Unsigned driver installation behavior
Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Do not display last user name
Interactive Logon: Display user information when session is locked
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Machine account lockout threshold
Interactive logon: Machine inactivity limit
Interactive logon: Message text for users attempting to logon
Interactive logon: Message title for users attempting to logon
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Attempt S4U2Self to obtain claim information
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Microsoft network server: Server SPN target name validation level
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of passwords and credentials for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and sub-paths
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Network security: Restrict NTLM: Incoming NTLM traffic
Network security: Restrict NTLM: Audit Incoming NTLM Traffic
Network security: Restrict NTLM: NTLM authentication in this domain
Network security: Restrict NTLM: Audit NTLM authentication in this domain
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Network security: Restrict NTLM: Add server exceptions in this domain
Network security: Allow LocalSystem NULL session fallback
Network security: Allow Local System to use computer identity for NTLM
Network security: Allow PKU2U authentication requests to this computer to use online identities.
Network security: Configure encryption types allowed for Kerberos
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System cryptography: Force strong key protection for user keys stored on the computer
System objects: Default owner for objects created by members of the Administrators group
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)
System settings: Optional subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
User Account Control: Admin Approval Mode for the Built-in Administrator account
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Only elevate UIAccess applications that are installed in secure locations
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure
Maximum application log size
Maximum security log size
Maximum system log size
Prevent local guests group from accessing application log
Prevent local guests group from accessing security log
Prevent local guests group from accessing system log
Retain application log
Retain security log
Retain system log
Retention method for application log
Retention method for security log
Retention method for system log
Restricted Groups
System Services
Registry
File System
Supported On
At least Windows XP SP2, Windows Server 2003

At least Windows Vista, Windows Server 2008
Only Windows XP SP2
Windows XP SP2, Windows Server 2003
Windows 8, Windows Server 2012
Only Windows XP SP2, Windows Server 2003
At least Windows 7, Windows Server 2008 R2
Windows XP SP2, Windows Server 2003
Registry Settings
Password Policy security settings are not registry keys.

Account Lockout Policy security settings are not registry keys.
Kerberos Policy security settings are not registry keys.
Audit Policy security settings are not registry keys.
User Rights security settings are not registry keys
Not a registry key
Not a registry key
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
Not a registry key
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing
MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail
MACHINE\SOFTWARE\policies\Microsoft\windows
NT\DCOM\MachineAccessRestriction
MACHINE\SOFTWARE\policies\Microsoft\windows
NT\DCOM\MachineLaunchRestriction
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWitho
utLogon
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print
Services\Servers\AddPrinterDrivers
MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\AllocateCDRoms
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies
MACHINE\Software\Microsoft\Driver Signing\Policy
MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrit
y
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePassword
Change
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrS
eal
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChan
nel
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChan
nel
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswor
dChange
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPassw
ordAge
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKe
y
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayL
Machine\Software\Microsoft\Windows\CurrentVersion\Policies\System,
value=DontDisplayLockedUserId
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD
Not a registry key
Not a registry key
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeT
ext
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeC
aption
NT\CurrentVersion\Winlogon\CachedLogonsCount
NT\CurrentVersion\Winlogon\PasswordExpiryWarning
NT\CurrentVersion\Winlogon\ForceUnlockLogon
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOptio
n
NT\CurrentVersion\Winlogon\ScRemoveOption
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\Requi
reSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\Enabl
eSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\Enabl
ePlainTextPassword
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisco
nnect
Not a registry key
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSe
curitySignature
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSec
uritySignature
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableFor
cedLogOff
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\SmbServer
NameHardeningLevel
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessio
nPipes
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPath
s\Machine
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPath
s\Machine
nShares
nShares
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffi
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictReceivingNTLMTraff
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\AuditReceivingNTLMTraffic
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RestrictNTLMInD
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDom
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\ClientAllowedNTLMServers
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DCAllowedNTLMS
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId
MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Par
ameters\SupportedEncryptionTypes
NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel
NT\CurrentVersion\Setup\RecoveryConsole\SetCommand
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWit
houtLogon
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory
Management\ClearPageFileAtShutdown
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection
MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner
MACHINE\System\CurrentControlSet\Control\Session
Manager\Kernel\ObCaseInsensitive
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEn
abled
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorTo
ken
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBeha
viorAdmin
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBeha
viorUser
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetec
tion
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCode
Signatures
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPa
ths
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDe
sktop
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopT
oggle
Event Log security settings are not registry keys.
Restricted Groups policy settings are not registry keys.
System Services policy settings are not registry keys.
not a registry key
File System policy settings are not registry keys.
Help Text
Enforce password history

Maximum
This security password age
setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. T
Minimum
This policy security password age
settingadministrators
determines thetoperiod of time (in days) that a password can be used
This enables enhance security by ensuring that old passwords arebefore
not reused the system requires the user to change it. You can set passwo
continually.
can
Minimum be any value between
password 0 and 998 days.
This security setting length
determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 9
Default:
Password
Note:
This It is amust
security securitymeetbest
setting complexity
practicethe
determines requirements
to least
have passwords expire every that30a to 90 days,for depending on yourmay environment. This way, an attacker has a limited1 andamount charo
The minimum password age must be lessnumber than theofMaximum characters password password
age, unless athe
user account
maximum password contain.ageYou is set canto set a value
0, indicating ofthat
between
passwords 14 neve
will
24
Store on domain
passwords controllers.
using reversiblewhether encryption
This
0 on security
Default:
Default: 42. setting
stand-alone determines
servers. passwords must meet complexity requirements.
Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cy
Account
This
a this newsecurity lockout
password. duration
settingFordetermines reason,whether
thispasswords Enforce the operating
password system
history is setstores to 1passwords
by default. using reversible encryption.
If
Note:
7 policy
on domain
By default, iscontrollers.
enabled,
member computers must
followmeet thethe following
configuration minimum
of their domain requirements:controllers.
Account
This
0 on
To maintain lockout
security
stand-alone threshold
setting determines
servers.
the effectiveness the number
of applications
password of minutes
history, a locked-out
do not allow account
passwords remains locked
to be changed out before
immediately automatically
afterfor they becoming
were unlocked.
just changed The enabling
by also available range
the Miu
This
Default: policy provides support for that use
Not contain the user's account name or parts of the user's full name that exceed two consecutive protocols that require knowledge of the user's password
characters authentication purposes. Storing passwords
Reset
This
Be at account
security
least six lockout
setting
characters counter
determines in after
length the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it i
If
1 an
Note:
This account
By default,
on policy
domain lockoutmember
is controllers.
required threshold
when computersis defined,
using followthe theaccount
Challenge-Handshake configuration lockout ofduration
their domain
Authentication must
Protocolbe greater
controllers.
(CHAP) than or equal to the
authentication resetremote
through time. access or Internet Authentication Serv
Contain
Enforce characters
user logon from three
restrictions of the following four categories:
This
0
Failed on security
stand-alone
password setting determines
servers.
attempts against (Athe number of minutes
workstations or member that must elapse afterbeena failed logon attempt before the failed logon attempt counter is reset screen to 0 badsav lo
English
Default:
Default:
uppercase
None,
Disabled. becausecharactersthis policy through
settingZ) only has meaningservers when an that have
Account lockoutlocked using
threshold either CTRL+ALT+DELETE
is specified. or password-protected
Maximum
English
This lifetime
lowercase for service
characters ticket
(a through z)
If
Note:
Default:
Base an security
account
By0.
10 default,
digits
setting
lockout
(0 member
determines
through threshold computers
9) iswhether
defined,
follow the
thisKerberos
the reset time
configuration V5mustKeyofDistribution
be thanCenter
lessdomain
their (KDC)
orcontrollers.
equal to thevalidates
Accountevery lockout request
duration. for a session ticket against the user rights pol
Maximum
This security
Non-alphabetic lifetime
setting fordetermines
charactersuser ticket (for the
example, maximum !, $, #, amount
%) of time (in minutes) that a granted session ticket can be used to access a particular service. The setting
Default:
Default: Enabled.
None, because this policy setting only has meaning when an Account lockout threshold is specified.
Complexity
Maximum requirements
lifetime for user are
ticket enforced
renewal when passwords are changed or created.
This
If a client security presentssettingandetermines
expired session the maximumticket when amountit requestsof timea(in hours) that
connection toaauser's
server,ticket-granting
the server returns ticketan (TGT)
errormay be used.
message. The client must request a new ses
Maximum
connection
This security tolerance
expires
setting for
during computer
determines the theclock
connection.
periodsynchronization
of time (in days) during which a user's ticket-granting ticket (TGT) may be renewed.
Default: 10 hours.
Audit
This security
Default: account
600 logon events
minutes
setting determines
(10 hours).the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the
Default: 7 days.
Auditsecurity
This accountsetting management determines whether
To
Enabled prevent on"replay
domainattacks,"controllers. Kerberos V5 theusesOS timeaudits
stamps eachastime partthis of itscomputer
protocolvalidates
definition. anFor accounts
time stamps credentials.
to work properly, the clocks of the client and the do
Audit
difference
Disabled
This directory
security between service
on stand-alone
setting a access
client clock and the domain controller clock is
servers.whether to audit each event of account management on a computer. Examples
determines less than the maximum time difference that isofspecified in this policy, any
account management events timeinclude:
stamp that is
Account logon events are generated whenever a computer validates the credentials of an account for which it is authoritative. Domain members and non-dom
Audit
so
This
Important
Note: there logonis
security
By noevents
default, corresponding
setting determines logoff event
whether forthe
the account
OS audits logon
userevents.
attempts to access Active Directory objects. Audit is only generated for objects that have system a
A user account ormember
group iscomputers
created, follow
changed, orconfiguration
deleted. of their domain controllers.
Audit
A
This user object
account
security accessis
setting renamed,
isdetermines disabled,
whether or enabled.
If thisadministrator
The
This
A password
policy is
setting setting
is not
set or can defined,
specifyonwhether
persistent
changed.
the
pre Vista to the
administrator
audit OS
platforms. audits
can
only each
Ifspecify
successes,
you instance
whether
configure only this toofaudit
failures,a user
setting only
both attempting
and successes,
successes
then restart to and
log
only on
the to or toor
failures,
failures,
computer, log
both off
tothis
not to
successes this these
audit
setting computer.
andevents
reverts failures, orallto(i.e.
to theatdefault not audit these
neither
value. succes ev
Audit
This
If you policy
security
define change
setting
this policydetermines
setting, whether
you can the
specify OS audits
whether user
to attempts
audit successes, to access audit non-Active
failures, orDirectory
not audit objects.
the event Audit type is only
at all.generated
Success for objects
audits generatethat have
an syste
audit
Log
Default:
If
Default: off events
Success Success.
auditing
5 minutes. are generated
is enabled,whenever an audit entry a logged on user account's
is generated each timelogon any session
account is terminated.accesses
successfully If this policy setting isobject
a Directory defined, thatthehasadministrator
a matching SACL can specify
specifie we
Audit
This privilege
security setting use determines whether
Default:
The
Default: administrator
Success. can specify whether to the
audit OS audits
only each instance
successes, of attempts
only failures, both to change user
successes and rights
failures, assignment
or to not audit policy, auditevents
these policy,ataccount
all (i.e. policy,
neitherorsucces
trust
If
Audit Failure auditing
process is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a Directory object that has a matching SACL sp
tracking
This
The security setting
administrator can determines
specify whether whether to audit each instance only of a user exercising a user right.
If
Success Success onauditing
domain iscontrollers.
enabled, an audittoentry audit isonly successes,
generated each timefailures, any account both successfully
successes and failures,a or
accesses to not audit these
non-Directory objectevents
that has at aallmatching
(i.e. neitherSACL succes
spec
Audit
Default:
This
Noyou system
security
auditing on events
setting
member determines
servers.you whether the OSwhetheraudits process-related events such as process creation, process termination, handle duplication, and indirect
If
If Success define this policy
auditingisisenabled, setting,
enabled,ananaudit can
auditentryspecify
entryisisgenerated
generatedeach to audit
when successes,
an anyattempted audit failures,
change to user or not audit this
rights assignment type of event at all. Success audits generate an aud
If
Access Failurethis auditing
computer from the network time user unsuccessfully attempts to access apolicy, audit policy,
non-Directory object or trust
that haspolicy is successfu
a matching SAC
This
Success
If this securityon
policy setting
domain
setting determines
controllers.
is defined, thewhether the
administrator OS audits
can any
specify of the
whether following
to audit events:
only successes, only failures, both successes and box failures, or to not audit these ev
To
If set
Failure this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check and clear the Success and
Undefined
Note
This that auditing
user
setting youfor can
right
is used
is
a member
set
determines
enabled,
by
computer.
aCredential
SACL which
an
onaudit file entry
aManager
users system
and
is generated
object
groups
during are using when
allowed
Backup/Restore.
an attempted
the Security
to connect
No tabtoinchange
accounts thatcomputer
the should
to user
object's have
rights assignment
Properties
over the
this dialog as
network.
privilege, box. policy, audit policy, or trust policy is attempted b
Remote
it is only Desktop
assigned Services
to are
Winlogon. not affected
Users by
saved this
cre
If Attempted
Success system is time change
Default:
Act
Default: as part
Attempted Noauditing
auditing.
of the operating
security
enabled,
systemsystem
an audit entry is generated each time the OS performs one of these process-related activities.
startup or shutdown
Default:
Note: No
Remote auditing.
Desktop Services was calledcomponents
Terminal Services in previous versions of Windows Server.
If Attempt
Failure to load
auditing extensible
is enabled, authentication
an audit
Add
Audits
This
Success
Lossworkstations
userareon
of not
right
audited to
generated
allows
domain eventsdomain for use
a process
due
controllers. to
to auditingtheentry
ofimpersonate is generated
following
system any useruser
failure
each
rights,
withouteventimeif the OS fails
success
authentication.
to perform
auditsTheorprocess
failure one of these
audits activities.for Audit privilege use. Enabling auditing of th
are specified
can therefore gain access to the same local resources as that us
Default
No Security
auditing on workstations
log onsize exceeding
member and
servers. servers:
a configurable warning threshold level.
Adjust
Default:
This memory
Administrators
Bypass No
security
traverse quotas
auditing
setting
checking for
determines a process which groups or users can add workstations to a domain.
Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with
Backup
Debug
passwords
Allow
If log Operators
programs
thisprivilege
policyoninsetting
locally
plaintext.is defined, the administrator can specify whether tocan audit
This
This
Users
Create security
a token determines
setting
objectis valid who onlycan onchange
domainthe maximum
controllers. Bymemory
default,that beonly
any authenticated
successes,
consumed user byhas a only failures, both successes and failures, or to not audit these ev
process.
this right and can create up to 10 computer accounts in the dom
Allow
Everyone
Replace
This logprocess
logon onauditing
through
right isRemote
level tokenwhich Desktop auditServices
Caution
If Success
This
Adding
Generateuser right
a computer
security isdetermines
defined enabled,
account
audits in the an
to the
users
Default
domain
can interactively
entry
Domain is generatedlog
allowsController
the computer
each
Groupon to time
toPolicy
thisthe computer.
participate
OS performs
object in(GPO)
Logons
Active and
oneinitiated
inofthe
Directorybased
these byactivities
local pressing
security
networking.
CTRL+ALT+DEL
successfully.
policy of workstations
For
sequence
example, adding
on the attached keyb
and servers.
a workstation to a dom
Back
This up files
security and
setting directories
determines
Back
Default
Default
Assigning
If upon
Failure
Note: This
on
filesdomain
auditing and
userdirectories
workstations
this
privilege iscontrollers:
right and
can servers:
enabled,
is useful beanawhich
security
audit users
entry isorgenerated
Administrators
risk. groups have
Only
but itassign
can eachbethis
permission
userthe
time rightOStotolog on asusers.
trusted
attempts a Remote
inand fails toDesktop
perform Services
one of these client. activities.
Default:
Restore
Administrators
Bypass
Backup Authenticated
files
traverse
Operators andchecking Users for
directories on system
domaintuning, controllers. misused, for example, a denial-of-service attack.
This
Default:user
Authenticated right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system
Users.
Default:
Default: None.Users
Administrators
Change
Note:
Enterprise
Caution
This user the
Users system
who
Domain
right have time the
Controllers
determines Create
which Computer
users Objects
can traverse permission
directorypermissions on the
trees even though Active Directory
the user computers
mayinnot container
have permissions can also oncreate
the computerdirectory.
traversed accountsThis in the domain
privilege d
Specifically,
Local
On
permissions
Everyone Service
workstation this
on and user
the right is
servers:
computers similar to granting
Administrators,
container have thecreator
Remote
the following
Desktop as the Users. owner oftothe thecomputer
user or group
account. question
If a useron has allpermissions
files and folders
on the oncontainer
the system: and also has the A
Default
Success
Change
Network onon
the domain
domain
Time
Service. controllers:
Zone controllers. Account Operators
This
On
This user
domain
Pre-Windows
Incorrectly right
user Folder/Execute
Administrators
No auditing right determines
controllers:
on2000
editing is defined
member registry
in which
Administrators.
Compatible
the servers.themay users
Accessseverely
Default and groups
Domain damage can
Controlleryour change
Groupthe
system. timeobject
Before
Policy and
makingdate on the
changes
(GPO) andinternal
intothe clock
thelocal
registry, of the
youcomputer.
security should
policy of backUsers
up any
workstations thatvalued
areandassigned
data onthis
servers. theuser right
computer
Traverse File
Create
Backup a pagefile
Operators
List Folder/Read
This user rightright is determines
Data inwhich users Domain
and groups can change
This user
Important
Default
Print on workstations
Operators defined andthe Default
servers: Controller Groupthe timeobject
Policy zone used (GPO) byand
the in computer
the localfor displaying
security policy theoflocal time, which
workstations andisservers.
the computer's syste
Read
Create Attributes
a token object
Administrators
This
Server
This user
user right
Operators.
right determines
isAttributes
defined which
inany the users
Default and groups can call an internal application programming interface (API) to create and change the size of a page file. Th
Read
Default
This
Backup
Extended
on
setting workstations
does
Operators not have and servers:
effect onDomain
Windows Controller
2000 computers Group Policy that object
have not (GPO)
beenand in the to
updated local security
Service Pack policy
2. of the workstations and servers.
Create
Read
This global
Permissions
Administrators
security setting objects
For
Users information
Default: Administrators,aboutdetermines
how Users to specifywhicha accounts
paging filecan size befor used by processes
a given drive, seetoTocreate change a token
the size thatofcanthe then
virtual bememory
used to paging get access file. to any local resources when t
Local
Create
Everyone Service
permanent shared objects
This
Caution
This security rightsetting determines
internally whether users can createUnless global objects that aredo available to allthis sessions. Users
to a can user,still create or objects
processthat arethan
specific
LocaltoSyst
thei
Localuser
Default: is used
Administrators.
Service by the operating system. it is necessary, not assign user right group, other
Create
Default Symbolic
on
This userService domain
right Links
controllers:
determines which
Network
Caution
Assigning
Caution
Administrators this user right can be aaccounts
security risk. can Since
be used thereby processes
is no way to tobe create
sure athat directory
a userobject is backing usingup the object
data, stealingmanager. data, or copying data to be distributed,
Debug
This
Server programs
privilege
Operators determines if the user can create a symbolic link from the computer he is logged on to.
This
Default user
Assigning onright
on domain
this is used
user internally
controllers:
right can be aby the operating system and is right
useful to kernel-mode components that extend the object namespace. Because components th
Default
Assigning
Local access
Deny Service
Administrators
workstations
this touser
thisright
computer
and
can servers: a security
befrom security
the network
risk.
risk. Assign
Administrators Do not this assign user this user onlyrightto to
trusted
any user,users. group, or process that you do not want to take over the system.
This
Backup
Default:user right
Operators.
Administrator
None determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not ne
Default:
Authenticated
Default: None.Users
Deny
This
Everyone log on as
security a batch
setting job
determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this compu
Caution
Default
WARNING: on domain controllers:Administrators
This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that arent designed to hand
Local
Deny Service
log
Administrators
Backup on
Operatorsas a service
This security
Default:
Network Guest
Service setting determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch jo
Assigning
Local
Server
Note Service this user right can be a security risk. Only assign this user right to trusted users.
Operators
Pre-Windows
This security 2000 Compatible
setting determines Access
which service accounts are prevented
Network
This setting
Default: Service
None. can be used in conjunction a symlink filesystem setting thatfrom can registering
be manipulated a process with the as command
a service. This policytosetting
line utility controlsupersedes
the kinds ofthe Log onthat
symlinks as aa
Default:
Service Administrators
Note: This security setting does not apply to the System, Local Service, or Network Service accounts.
Default: None.
Deny log on locally
Deny log on through
This security setting determines Remote Desktop which Services users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy settin
Enable
This computer
security setting anddetermines
user accounts which tousers
be trusted and groups for delegation are prohibited from logging on as a Remote Desktop Services client.
Important
Force
This shutdown
security from a remote system
setting determines which users can set the Trusted for Delegation setting on a user or computer object.
Default:
If you apply None. this security policy to the Everyone group, no one will be able to log on locally.
Generate
This security security
setting auditsdetermines
The user
Important or object that is grantedwhich users are
this privilege mustallowed havetowrite shutaccessdown atocomputerthe account fromcontrol
a remote flagslocation
on the on user the ornetwork.
computerMisuse object.ofAthis serveruserprocess
right can result on
running in
Default:
Impersonate None. a client after authentication
This user
This security right setting
is determines which accounts can be used by a process to add entries
andto the security log. The security log is usedand to trace unauthorized syst
This
log
This user
security
setting right
audits
does is defined
defined haveinany
notworking
in the Default
the effect
Default Domain Controller
onDomain
Windows Controller
2000 computers
Group
Group Policy Policy object
that object
have not
(GPO)
(GPO) beenand
in
in the
updated the to local
local security
security
Service Pack
policy
policy of workstations
2. of workstations and servers.
servers.
Increase
Assigning athis
process privilege to a userset allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation
Default:
Caution
Increase
Default:
This privilegescheduling
Local Service
determines priority which user accounts can increase or decrease the size of a processs working set.
Caution
Network Service.
Increase
On
Load
Misuse of a
workstations
and process
unload
this user and working
device servers:
right, set
drivers
or of Administrators.
thewhichTrusted for Delegation
This securitycontrollers:
On domain setting determines accounts can use setting, a process could
withmakeWritethe network
Property vulnerable
access to anotherto sophisticated
process to increaseattacks using Trojan horse
the execution programs
priority assigned thatto
Assigning this user rightAdministrators, can be a security Server risk.Operators.
Only assign this user right to trusted users.
This
Lock
This
Default:privilege
pages
user indetermines
right memory
Administratorsdetermines onwhich whichuser
domain users accounts
controllers.can dynamicallycan increase load or and decrease the sizedrivers
unload device of a processs
or other code working in toset.
kernel mode. This user right does not apply to Plug
Default: Administrators.
Default:
Log on as a batch jobdetermines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual
This
Default:
Caution security
Users setting
Log on as a service
Administrators
This security setting allows a user toset beoflogged on by means of a batch-queue facility andinisphysical
provided onlymemory.
for compatibilitypages with olderresident
versionsand of Windows.
Default:
The
Localworking
Assigning None.
Service thisset user of aright process can be is the
a security memory
risk. Do pages not assign currently
this user visiblerightto totheany process
user, group, RAM
or process that you Thesedo not want toare take over the available for
system.
Log
This
Network on locally
securityService setting allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Networkuse Se
For example,
Warning: when athe
Increasing user submits
working setasize job by formeans
a process of the task scheduler,
decreases the amount the task scheduler
of physical memorylogs that user on
available toasthea rest
batch of user rather than as an interactive
the system.
Default
Service
Manage on workstations
auditing and and
security servers:
log Administrators.
Determines
Default setting:which None. users can log on to the computer.
Modify
Default
Note:
This
Default: By an
on
security object
domain
default, setting
Administrators label
controllers:
services determines that are whichstarted users by can
the Service
specify object Controlaccess Manager have options
auditing the built-in Service group
for individual added such
resources, to theiras access tokens.
files, Active Component
Directory objects, Object Mo
and reg
Important
Administrators
Backupfirmware
Modify Operators. environment values
This
Print
In
This privilege
Operators
addition,
security a userdetermines can also which usera accounts
impersonate antoaccess can modify token ifthe
any integrity
of the labelauditing
following of objects,
conditions such asFor
exist. files, registry keys, or
beprocesses owned byobject
otheraccess
users. Proces
Modifying thissetting
settingdoes may not affect allowcompatibilityuser enable
with clients, file and object
services, access
and applications. in For
general.
compatibility such auditing
information toabout enabled, the
this setting, Audit
see Allow setting
log on locally (h
Perform
This securityvolume setting maintenance
determines taskswho can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of n
Default:
The can
You access None
view token
audited thatevents is being in impersonated
the security log is of
forthe thisEventuser.Viewer. A user with this privilege can also view and clear the security log.
Default:
Profile
The single
user, in this process logon session, created the access tokencan by logging on to the network withvolume,
explicit such credentials.
Thisx86-based
On security setting
computers, determines which users and groups runthat maintenance tasks on by a as remote
right is defragmentation.
The
Default:requested
Administrators.level is lessthe than only firmware
Impersonate, environment
such as Anonymous value orcan be modified
Identify. assigning this user the Last Known Good Configuration setting,
Profile
On
Because
This system
OnItanium-based
workstations
security of performance
setting
these computers,
and servers:
determines
factors, users bootwhich
do information
Administrators,
not users
usually can is use
Backup
need stored in
performance
this user nonvolatile
Operators, right. Power RAM.
monitoring Users, Users
tools must
Users,to be assigned
and
monitor Guest.
the this user right
performance of to run bootcfg.exe
nonsystem processes. and to change the Defa
Use
On
Onallcaution
computers,
domain when
controllers: assigning
this user this is
right
Account user required
Operators, right. Users with
toAdministrators,
install orthisupgrade user
Backup right
Windows. can exploreand
Operators, disks and
Print extend files in to memory that contains
Operators. other data. When the exten
Remove
This securitycomputer from
setting determines docking station
which users can use performance monitoring tools toSDK. monitor the performance of system processes.
Default:
For more
Default: Administrators,
information,
Administrators Powerfor
search users.
"SeImpersonatePrivilege" in the Microsoft Platform
Note:
Replace This a security setting
process level does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanc
token
This security setting determines whether a user can undock a portable computer from its docking station without logging on.
Default:
WarningAdministrators.
Restore
Default:
This files and directories
Administrators.
If thissecurity
policy issetting enabled, determines
the user which must log user onaccounts
before removing can call the the CreateProcessAsUser()
portable computer from its application
docking station. programming interface
If this policy (API) so the
is disabled, thatuserone mayservice can star
remove the
If you enable
Shut security
down thesetting this
system setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
This
Default: Network Service, determines LocalUsers, which
Service. users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and di
Default: Administrators, Power Users
Synchronize
This securitythis directory
setting service data
Specifically, userdetermines
right is similar which users who
to granting theare loggedpermissions
following on locally to to thethe computer
user or group can shut down theon
in question operating
all files andsystem
folders using onthetheShut
system: Down command. M
Take
This ownership
security of files
setting determines or other objects
which users and Operators,
groups have the authority to synchronize all directory service data. This is also known as Active Directory syn
Default
Traverse onFolder/Execute
Workstations: Administrators,
File Backup Users.
Accounts:
This
Writesecurity Administrator account status
setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, prin
Defaults:
Default onNone. Servers: Administrators, Backup Operators.
Accounts:
This security Block setting Microsoft determines accounts whether the local Administrator account is enabled or disabled.
Caution
Default on Guest
Accounts: Domain controllers:
account status Administrators, Backup Operators, Server Operators, Print Operators.
This
Notes policy setting prevents users from adding new Microsoft accounts on this computer.
Assigning this user right can be a security risk. Since owners users with of objects
this userhave rightfullcan control
overwrite of them,
registryonlysettings,
assign this hideuser
data, right
andtogain trusted users. of system objects,
ownership
Accounts:
This security Limit settinglocaldetermines
account useif of theblank Guest passwords
account isoption, toenabled
consoleor logon only
disabled.
If
If you
you select
try to the
reenable Users the cant add Microsoft
Administrator account accounts
after it has been users will notand
disabled, be able
if the tocurrent
createAdministrator
ne Microsoft accounts password on thisnot
does computer,
meet the switch
password a local account to
requirements
Default:
Accounts: Administrators.
Rename administrator account
This security
Disabling
Default: the
Disabled. setting
Administrator determines account whether can become local accounts a maintenance that are not issue password
under certain protected can be used to log on from locations other than the physical computer
circumstances.
If you select the Users cant add or log on with Microsoft accounts option, existing Microsoft account users will not be able to log on to Windows. Selecting thi
Accounts:
Workstations
This security Rename and servers:
setting guest
determines account
Administrators,
whether a Backup
differentOperators.
accountwill name
Default:
Under
Note: Enabled.
Safe Mode boot, theisdisabled Administrator account onlyisbe associated
enabledSharing ifwith
the the security
machine identifier (SID)
is non-domain for the
forjoined andaccount
thereisare Administrator.
setno toother
Guestlocal
Renaming
active the w
adminis
If you If
Domain
Audit:
the
disable
Audit
Guest
controllers:
the doaccount
oraccess Administrators,
not configure
of global
disabled this
system
Backup and the
policyobjects
security
Operators,
(recommended), option
Serverusers Network willAccess:
Operators. be able to use Microsoft and Security accounts Modelwith local accounts
Windows. Only, network logo
This security
Default: setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-kn
Administrator.
Default: Disabled.
Audit:
This Audit the
security
Warning: settinguse of Backup and
determines whetherRestore privilege
to audit the access of global system objects.
Default: Guest.
Audit:
This Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
If thissecurity
Computerspolicythat issetting
enabled,
are not determines
it causes
in physically whether
system secure to audit
objects,
locations the
such use asofmutexes,
should allalways
user privileges,
events,
enforcesemaphores including
strong passwordBackup
and DOS anddevices,
policies Restore,
for all to when
be user
local theaccounts.
created Auditwithprivilege
a default use
Otherwise, systempolicy is inwith
access
anyone effect.
control
physi E
Audit:
Windows Shut
If you apply down
thisand
Vista system
securitylater immediately
policy
versions to theof if unableallow
Everyone
Windows to
group,logauditsecurity one audits
no policy willto bebe able
managed to log in onathrough
more Remote
precise wayDesktop
using Services.
audit policy subcategories. Setting audit policy at
If you disableconfiguring
Note: this policy,this thensecurity
use of the Backup or Restore notprivilege is not audited even Windows.
when Audit privilege use is enabled.
using When
DCOM: subcategories
Machine Access without requiringsetting,
Restrictions a change
in Security
changes
toDescriptor
Group will Policy, take
Definition
effect
there is auntil
new you restart
registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPo
This
Notessecurity setting determines whether the system shuts down if it isLanguage
unable to log (SDDL) syntax
security events.
Note: OnDisabled.
Default: Windows versions prior to Windows Vista configuring this security setting, changes will not take effect until you restart Windows. Enabling this setting
DCOM:
If
This Machine
the category level Launch audit Restrictions
policy set here in Security
is or notgroups Descriptor
consistent withDefinition
the events Language
that are(SDDL) currently syntax
being generated, the cause might to be that this registry key is set.
If thispolicy
This security
setting setting
does setting determines
not is enabled,
affect which
logons it that users
causes usethe domainsystem can
to stop
accounts. access if a DCOM
securityapplication
audit cannot remotely
be logged or locally.
for anyThis reason.setting is used
Typically, an control
event fails the to attack surface
be logged of the
when the
Default:
Devices:
It is possibleDisabled.
Allow for undock
applications without having
that use to
remote log on
interactive logons to bypass this setting.
Default:
This
You policy
can Disabled
use setting
this determines
policy setting which
to specify users or groups
access permissions can launch to allorthe
activate
computers DCOMtoapplications
particular remotely
users for or locally.
DCOM This setting
applications in is used
the to control
enterprise. When theyouattack su
specif
If the security log is full and an existing entry cannot be overwritten, and this security option is enabled, the following Stop error appears:
Devices:
Denysecurity
This Allowed
privileges settingontoboth format local
determines and eject
access was removable
and remote media
access.
Note:
You can Remote
use this Desktopsetting to grant whether
Services access calledtoa all
portable
Terminal
the computerscomputer
Services tocan
inusers be undocked
previousof DCOM versions without having
of Windows
applications. Whento log
Server.you on.define
If this thispolicy is enabled,
setting, and specifylogon the is not required
users and an
or groups thate
STOP: C0000244
Devices:
launch, Prevent
remote {Auditlocal
users
launch, Failed}
from installing
activation, printer
and drivers
remote when
activation. connecting to shared printers
The
This registry
security
Default:
An attempt tosettings
Enabled. setting
generate determines
thata are created
security whoaudit is
asallowed
a resulttoofformat
failed. enabling andthe ejectDCOM:removableMachine NTFS Accessmedia. Restrictions
This capability in Security
can be Descriptor
given to: Definition Language (SDDL) synta
existing
Devices:
To recover, registry
Restrict
an settings
CD-ROM
administrator areaccess
no
must longerlogto effective,
locally
on, and
logged-on
archive the iflogyou
user make
only
(optional), changes
clear to the
the log, existing
and reset settings,
this computer
option as accessUntil
desired. permissions for users are not changed. Uso
For
The aregistry
computer
Administrators settings to print that toarea shared
created printer,
as a result the driverof this forpolicy
that shared printer must
take precedence over be theinstalled
previous on the local settings
registry computer. Thisthis
in this security
security
area. Remote setting
setting is reset,
determines
Procedure no
Callwhousers,
is allo
Services
Caution
Devices:
Administrators
The
Note:possible
This security
On Restrict and
values
setting floppy
Interactive
for thisaccess
determines policy to
Users locally
setting
whether alogged-on
are:
CD-ROM user only thistosecurity
is accessible both local and remote users simultaneously.
Default
The onWindows
possible valuesversions
servers: Enabled.
for this Group prior to Windows
Policy setting Vistaare:configuring setting, changes will not take effect until you restart Windows.
Disabling
Devices:
Default on this
Unsigned policy
workstations: may
driver tempt users
installation
Disabled to try
behavior and physically remove the laptop from its docking station using methods other than the external hardware eject but
This

If security
Default:
Blank. This
This setting
policy
represents is determines
not defined
the local whether
and
security only removable
Administrators
policy way floppy
of deletingmedia
have this are
the accessible
ability.
policy enforcement to both local
key. and
This remote
value users
deletes simultaneously.
the policyisand then sets and it as Notisdefined state.
this
Default:
Blank.policyThisisrepresents
Disabled. enabled, itthe allows
localonly security the interactively
policy way of logged-on
deleting user to access
the policy removable
enforcement key.CD-ROM
This value media.
deletes If this
thepolicy
policy and enabled
then sets itnotoone loggedstate.
Not defined on in
Domain
This controller:
security setting Allow server
determines operators
what happens to schedule
when antasksattempt is made to install a device driver (by means of Setup API) that has not been tested by the Win
If
this
SDDL.
Default: policyThisispolicy
isenabled,
the is notit defined
Security allows only
Descriptor andthe interactively
Definition Language logged-on user to to
is notrepresentation access removable
of locally
the groups floppy
and media.you
privileges If this policywhen
specify is enabled
you enableand no one
this is logged on intera
policy.
SDDL.This
Notes

Domain This is theLDAP
controller: Security serverDescriptor
signing
CD-ROM
Definition
requirements
access
Language restricted
representation the
of the groups logged-on user.
and privileges you specify when you enable this policy.
This
The securityare: setting determines if Server Operators are allowed to submit jobs by means of the AT schedule facility.
Notoptions
Default: This policy
Defined. This is is not
the defined
default value. and floppy disk drive access is not restricted to the locally logged-on user.

This
Not
This setting
Defined.
security does This
setting notisdetermines
affect
the defaultthe ability value.
whether to add a localserver printer.requires signing to be negotiated with LDAP clients, as follows:
Note:
Silently
This This security
succeed
setting setting
does not affect Administrators. only affects thethe ATLDAPschedule facility; it does not affect the Task Scheduler facility.
Note
Default: This policy is not defined, which means that the system treats it as disabled.
Warn
Note
None: but allow
Data signing is
If the administrator installation
is denied
not required permission in order to to bind with
access DCOM theapplications
server. If thedue client requests
to the changes datamade signing, to DCOMthe server supportsthe
in Windows, it. administrator can use the DCOM:
Do
If thenotadministrator
Require
application allow toinstallation
signature: is denied
Unless
the administrator access
TLS\SSL and users. istobeing
activate doand
Toused, this,thelaunchLDAPthe
open DCOM
data DCOM: applications
signing optiondue
Machine must
Access to be
the changes made
negotiated.
Restrictions to DCOM
in Security in this version
Descriptor Definition of Language
Windows, this (SDDL)policy setti
syntax
Default:
This restores Warncontrol but allow of theinstallation.
DCOM application to the administrator and specified users. To do this, open the DCOM: Machine Launch Restrictions in Security D
Default: This policy is not defined, which has the same effect as None.
Domain controller: Refuse machine account password changes
Domain
This security member: setting Digitally
determines encrypt or signdomain
whether secure controllers
channel data will(always)
refuse requests from member computers to change computer account passwords. By default,
Domain
This member:
security setting Digitally
determines encrypt secureall
whether channel
secure data
channel (when possible)
traffic initiated
If it is enabled, this setting does not allow a domain controller to accept anyby the domain
changes member must
to a computer account'sbe signed password. or encrypted.
Domain
This member:
security Digitally
setting determines sign secure
whether channel
a domain data (when
member possible)
attempts to that,
negotiate
When
Default: a This
computer policyjoins is not a defined,
domain, a computer
which means account
that theissystem created. After
treats whenencryption
it as Disabled. the systemfor all secure
starts, it useschannel the computer traffic that account it initiates.
password to create a secure
Domain
This member:
security setting Disable
determines machine account
whether a password
domain member changes attempts to negotiate signing for all secure channel traffic that it initiates.
When a computer
This setting determines joins awhether domain, oranot computer
all secure account
channel is created.
traffic initiated After that, by the when domainthe system member starts,
meets it uses
minimum the computer account password
security requirements. to create
Specifically a secure
it determin
Domain
Determines
the Domain member: whether
Controller Maximum
a in
domain
which machine
member
case account
the periodically
level of password
signing changes age encryption
and its computer account
depends on password.
the version Ifstarts,
this
of thesetting
Domain isthe enabled,
Controller theand domain member
the settings ofdoes
the not attempt
following twotop
When
This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, theadomain
a computer joins a domain, a computer account is created. After that, when the system it uses computer account password to create secure
Domain
This
negotiate member:
security secure setting Require
channeldetermines stronghow
encryption. (Windows often a 2000
domain or later)
member session will key
attempt to change its computer account password.
Default:
Domain
This setting Disabled.
member: determines Digitally encrypt
whether orsecure
not thechannel domain data member (when possible)
attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain me
Interactive
Domain
This security logon:
member: setting Do not display
Digitally
determines sign secure last user
whether channelnamedata
128-bit key (when
strength possible)
is required for encrypted secure channel data.
Default:
This
Notessecurity 30 days.
Enabled. setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen.
Default:
Interactive Enabled.
Logon: Display user information
If this policy
Default:
When a Enabled.
computer is enabled, joins athe name
domain, of the lastwhen
a computer user session
to
account successfully is locked on is not displayed in the Logon Screen. .
is created.log After that, when the system starts, it uses the computer account password to create a secure
Important
This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and doma
Interactive logon: Do not require CTRL+ALT+DEL
Notes:
If this
This
Notes:
Depending policy
setting is
shoulddisabled, not bethe used name in of
an the
attempt last user
to to
support log on is
dual-boot displayed. scenariosthat thatthe usedomain the same computer account. If youwith want to the
dual-boot
settingstwo of installations tha
This
Interactiveis no on
Theresetting known whatreason
applies version
to Windows for ofdisabling
Windows
2000 is running
computers,
this setting.but on itthe
Besides domain
is not available
unnecessarilycontroller throughreducing the Security
the potential member
Configuration is communicating
confidentiality Manager leveltools of the and
onsecure
these computers.
channel, the parameters
disabling this settin
policylogon:
This Machine account threshold.
If thesecurity setting
Domain determines
member: whether
Digitally encryptpressing or sign CTRL+ALT+DEL
secure channel is data
required before
(always) is aenabled,
user canthen log this
on. policy is assumed to be enabled regardless of its curr
Thethismachine
Default:
If Disabled.
policy islockout
enabled, policy is
theencrypt enforced
policy Domain only onand
member: those machines
Digitally sign that
securehavechannel Bitlocker enabled for protecting OS volumes. Please ensure that appropriate recove
Domain
Interactive
Note: member:
controllers
Domain logon: Digitally
are
Machine
controllers alsoare domain
inactivity ormembers
also Domain sign
limit.
domain secure
members channel
establish data
and establish secure(always) channels
secure withdata
channels other (when
with(when domain possible)
otherpossible) controllers
domain
is assumed
controllersin the same
in
to bedomain
thebesame
enabled asregardless
domain wellas aswell
domainof its current
asits controllers
domain
settin
contro in
If
If this
this policy
Domain policy
member: is
is enabled,
enabledDigitally the
on apolicy
computer,
encrypt secure a user member:
channel is notdata Digitally
required (whensign topossible)secure
press channel
CTRL+ALT+DEL data to log on. Not having is assumed to press to enabled
CTRL+ALT+DEL regardlessleavesofusers current settin
susceptibl
This
Logon security
Interactive information setting
logon: determines
transmitted
Message text overthe number
the
forisusers secure of
attempting failed
channel logonis attempts
always that
encrypted causes the
regardless machine
of whether to be locked
encryption out. of A locked
ALL other out machine
secure channelcan only
traffic be isrecovered
negotiated by o
Some
Windows or all of theinactivity
notices information of athat
logon transmitted
session, and over if to
thethelog on
secure
amount channel
of inactive will be exceeds
time encrypted. theThis policy limit,
inactivity setting then determines
the screen whether
saver will or not run,128-bit
lockingkey thestrength
session.i
If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows (unless they are using a smart card for Windows logon).
Interactive
Failed
This password
If thissecurity
setting logon:
setting
is Message
attempts
enabled, specifiesthen title
against a for
thetext users
workstations
message
secure attempting
channel that is to
or will
member logbe
displayed
not on
servers to users
established that whenhave
unless been
they locked
log
128-bit on. using either
encryption can CTRL+ALT+DELETE
be performed. If this setting or password is disabled,protected then screen
the keysav str
Default: not enforced.
Default on domain-computers:
Interactive logon: Number of Disabled.
previous logons to cache (in case domain controller is not available)
This
The
This
Default security
machine
texton setting
lockout
is stand-alone
often used for allows
policy the
is specification
enforced
legal reasons,
computers: Enabled. only of
on a title
those to appear
machines in the
that title
have bar of
Bitlocker the window
enabled that
for contains
protecting
for example, to warn users about the ramifications of misusing company information or to warn them that their actions the
OS Interactive
volumes. logon:
Please Message
ensure text
that the for users
appropriate attemptrec
Default: Disabled.
Interactive
All previous logon:
users' Prompt
logon user to change
information is password
cached locally beforeso that, expiration
in the event that a domain controller is unavailable during subsequent logon attempts, they are a
Default:
Default: No
No message.
message.
Important
Interactive
Determines logon:
how far Require
in advance Domain Controller
(in days) authentication
users are thatunlock
to
Windows cannot connect to a server to confirm yourwarned logon settings. theirYou password
have been is about logged to expire.
on using With this advance
previously stored warning,
accountthe user has time
information. If you tochanged
constructyou ap
In order
Interactive to take advantage
logon: Require of
smart this cardto unlock a locked computer.and
policy on member workstations servers, all domain controllers that constitute the member's domain must be running Win
Logon
Default: information
14 days. must be provided For domain accounts, this security setting determines whether a domain controller must be c
In
If aorder
domain to takecontrolleradvantage of this policy
is unavailable and on domain
a user's logoncontrollers,
information all domain
is not cached,controllers the in usertheissame prompteddomain with asthis wellmessage:
as all trusted domains must run Windows 200
Interactive
This security logon: Smart card removal behavior
setting requires users to log on to a computer using a smart card.
Default: Disabled.
The system
Microsoft cannotclient:
network log you on now
Digitally signbecausecommunicationsthe domain(always) <DOMAIN_NAME> is not available.
This securityare:
The options setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
Important
Microsoft
In
Thisthissecurity
policynetworksetting,
setting client:
a value Digitally
determines sign communications
of 0whether
disables logon signing
packet caching. (ifisAny
server
requiredvalue agrees)
above
by the SMB 50 only clientcaches component.50 logon attempts.
The
Enabled:options Users are: can to only log on to the computers,
computer using aissmart card.
This setting
Microsoft applies
network client: Windows
Send 2000
unencrypted password but it not
to attempts
connect toavailable through the Security Configuration Manager tools on these computers.
This
Default:
The security
Disabled.
server25 Users setting
message can determines
log
block on to the
(SMB) whether
computer
protocol the SMB any
using
provides client
themethod.
basis for Microsoft to third-party
negotiate SMBpacket
file SMB
and print
serverssigning.
sharing and many other networking operations, such as remote Windo
No Action
Default: Disabled.
Microsoft
If thisserver network
security setting server: Amountthe
is enabled, of idle
Server timeMessagerequiredBlock before(SMB) suspending redirector a session
The
If
Lock
this
Workstation
setting message
is enabled, block the(SMB) Microsoft protocol network providesclientthe willbasis for Microsoft
not communicate fileisand
with
allowed to send and
print sharing
a Microsoft
plaintext
network server manypasswords other networking
unless
to non-Microsoft SMB
that serveroperations, agrees to perform such servers
asSMB remotethat do not
Windo
packet sig
Force
Microsoft
Important Logoff
network server: Attempt S4U2Self to obtain claim information
This
Sending
this security
Disconnect setting
unencryptedif a Remote determines
passwords
Desktop the aamount
isServicessecurity ofrisk.
continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended
session
If
Default: setting
Disabled. is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled
Microsoft
This security
setting network setting
will server:
apply istotothis
anyDigitally
support computers sign communications
clients running
running a aversion
Windows (always)
of Windows
2000 throughprior changes to Windows
in the 8session.
Consumer
registry, butIfthe Preview
security that are trying
setting is notthe to access
viewable aisfile share that require
Administrators
Default:
If you Lockcan
Disabled.
click use
Workstation policy
in thetowhose control
Properties when dialog computer
box be forinthis suspends
policy, the an workstation
inactive SMB client activity resumes, sessionthrough the Security
automatically reestaCo
server
Default:
Microsoft
Important will support
Enabled.
network client
server: principals
Digitally accounts
sign communications may (if required
client a domain
agrees) which has clientiscomputers locked when andthe smart controllers
domain card is removed, runningallowing a version users to leave
of Windows the
priora
This security setting determines whether packet signing is by the SMB server component.
For
If you this policy
click Force setting,
Logoff a value
inDisconnect
the of 0 meansdialog
Properties to disconnect
boxlogon for the an idle
this policy, sessionthecan as quickly
user as is reasonably
is automatically logged possible.
off when Thesmart
the maximum card isvalue removed. is 99999, which is 208 days;
Microsoft
This
Notes
This
For setting
security network
should
setting server:
be set
determines to automatic
whether clients
(default)
the when
SMB so that
server hours
willfile expire
server
negotiate SMB automatically
packet signing evaluate
with whether
clients thatclaimsrequest areTo it.needed for the user.SMB An administrator wou
The thisserverpolicy messageto take effect
block on
(SMB) computers
protocol running
provides Windows
the basis 2000, client-side
for Microsoft filepacket
and print signingsharing must andalsomany be enabled.
other networking enable client-side
operations, such as packet
remote signing,
Windo
Default:This
Computers
Microsoft networkpolicy
that have is not
this defined,
policy set which
will means
not be that
able tothe system
communicate treats it
with as 15
computers minutes that fordo servers
not haveand undefined
server-side for
packet workstations.
signing enabled. By default, server-sid
If you
This
When
All
The
click
security
enabled
Windows Disconnectthisserver:
setting
operating security aServer
ifsystems
determines Remote
setting SPNDesktop
whether
will
support target
cause
both name
Services
toprovides
disconnect
athe validation
Windows
client-side session,
users SMB level
filewho removal
serverare
component to ofexamine
the
connected and smart
a tothe card
the access
server-side disconnects
local computer
token
SMB the
ofmany
an session
outside
andcomponent. authenticated their
To without
usernetwork
take loggingclient
account's
advantage the user
valid
of off.
logon
principal
SMB packetThis
hours.
and allowsThis
determine
signing, the
setti
both ui
If thisserver
Server-side
which
Microsoft setting
have
message
packet
network is enabled,
claim-based client:
block
signing the(SMB)
can
access
Digitally
be
Microsoft protocol
enabled
control
sign network
policy
on
communications
computers
server
applied.
the willbasis
running
not
(always)
for Microsoft
Windows
communicate
- Controls
file
2000
with
whether
and a andprint
Microsoft
or not
sharing
later
the
by setting
network
client-side
Microsoft
client SMB
other
unless networking
network
that client
component
server: operations,
agrees
requires
Digitally such
sign
to perform
packet
as
signing. SMBremote
communicationspacket Windo sig(
Network
Server-side
The
Note:server access:packet
message Allow anonymous
signing
block can be
(SMB) SID/name
enabled
protocol on translation
computers
provides the running Windows NT 4.0 of Service Pack 3 other
and later by setting the following registry value to 1:
When
Microsoft
If
Remote
thisnetwork
this setting policy Desktop
isclient:
is enabled, enabled,Services
Digitallyit causes
the Microsoft
was
sign called
client Terminal
sessions
communications
network
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature server with (ifbasis
Services
will the for
server
negotiate
file
in agrees)
SMB previousand printer
Service
SMB -packet to besharing
versions
Controls forcibly
whether
signing
and
Windows
as
many
disconnected
or Server.
not
requested the by networking
when
client-side
the client.the client's
SMB operations,
That logon
component
is,
such
hours
if packet has aspacket
remote
expire.
signing has
Windows
signing
been enabled.
adm
enabled
Default:
Network
If thissecurity
Microsoft access:
settingnetwork is Do
disabled, not allow
server: the
Digitally anonymous
Windows sign file enumeration
server
communications will not of SAM
attempt
(always) accounts
to obtain aidentifier
- Controls claim-enabled
whether or access
not attributes
the token
server-side forSMB the component
client principal. requires packet signing.
This
This setting determines if an anonymous user can request security (SID) for another user.
thissecurity
Default:
If
Microsoft
Default:
Server-side
This
policy network
Enabled
setting
ispolicy
disabled,
on
isdetermines
server: notan
domain
defined,
established
Digitally the
controllers signlevel
which of validation
means
client
communications
only.
that the
session isa allowed
SMB
system
(if clientservertreats
to beperforms
agrees) it as
maintainedNo on
- Controls the
action.
95 after
service
orwhether orprincipal
the client's the name
98. logon
not hours
server-side (SPN)have provided
SMB expired.
component by the SMB client when
has packet signing trying
enabledto e
Network
Disabled
This
Default:
If security
server-side for packet
access:
Automatic.member
setting
SMB Do signing
not
signing allow
servers.
determines
cannot
is anonymous
what
required,
be enabled
additional
a client
on computers
enumerationpermissions
will not be ofable
SAM running
willto accounts
be
Windows
granted
establish and
a forshares
anonymous
session
Windows
with that connections
server unless to the
it computer.
has client-side SMB signing enabled. By default,
If
Onthis
The
Enabled policy
options
Windows for is
are:
domainenabled,
Vista a user with
controllers.
and above: For this knowledgesetting to ofwork,
an administrator's
thewill Smart Card SIDRemoval
could contact Policy a computer thatbehas this policy enabled and use the SID to get the admi
Default
Similarly,
Network
Important
Notes on if Windows
client-side
access: Vista:
SMB
Do determines
not allow Enabled.
signing
storage is required,
of credentials that client orenumeration not be
.NET Passports ablefortonetwork
establish a service
session must
authentication with servers started. that do not have packet signing enabled. By defau
This
Default
Windows security
onallows
If server-side setting
Windows
SMB anonymousXP:and
signing Disabled users
ismember whether
enabled, to servers:
perform anonymous
SMB packet certain activities,
signing will be such of SAM accounts
as enumerating
negotiated with clients and
the thatshares
names have is allowed.
of client-side
domain accounts SMB signing and network enabled. shares. This is convenient, fo
Default
No on
validation workstations
- validation ofcan the permissions
SPN will performancenotapply Disabled.
be performed by
Notes
Network
Using
This
Default
For SMB
on
Windows access:
security packet
setting
domain2000 Let Everyone
signing
determines
controllers:
servers degrade
whether
Enabled.
tousers
negotiate Stored
signing User
with to anonymous
up
Names
Windows toSMB15theandNT
SMB on
users
percentPasswords
4.0
server.
clients,file service
saves
the a following transactions.
passwords, registry credentials,
value must orbe .NET
Toset Passports on thefor
to advantage
1 network later
server use
running when it gains2000 dom
All
This
Windows
Windows security allowsoperating
option anonymous systems
allows additional
support
to both
perform
restrictions
acertain
client-side
to be placedactivities, component
such
on- anonymous as and
enumerating server-side
connections the names SMB
as follows: of component.
domain accounts take and of SMB
shares. packet
This isWindows
signing,
convenient, both fo
Microsoft
Network
All
Validate
Windows network
ifaccess:
provided
operating client:
Namedby Digitally
pipes
client
systems - thethat sign
support
SMBcan communications
be
server
both accessed
awill
client-side
validate (always)
anonymously
SMB
theare SPN Controls
componentprovided whether
andby athe or notclient
server-side
SMB the client-side
SMBand component.
allow SMB
a session component
To take to be requires packet
advantage
established of SMB signing.
if it matches
packet signing,
the SMBboth ser
This
If security
it is enabled, setting
thisclient:determines
setting prevents what additional
thecommunications
Stored User Namespermissions and agrees)granted
Passwords for anonymous
from storing connections to the computer.
Notes
Microsoft
Default:
Enabled:Disabled.
Microsoft network
network
Do not allow client: Digitally
Digitally
enumeration
sign
sign of communications
SAM accounts.
(if server
(always)
This option- -Controls
replaces
- Controls
whether
Everyone or notpasswords
whether theorclient-side
not the and credentials.
client-side
SMB SMB component
component requires has
packet packet
signing.signing enabled.
Network
Microsoft
This
Require
Microsoft access:
security network
match
network setting
fromRemotely
server:
determines
client
client: - accessible
Digitally
the
Digitally SMB sign
which
sign registry
communications
communication
client MUST
communications paths send a
(if(always)
sessions
SPN
server name Controls
(pipes)
agrees) in will
session
- whether
have
Controls setup, orwith
attributes
whether notAuthenticated
and the
and
theor server-side
permissions
SPN
not thename
UsersSMB that
provided
client-side
incomponent
the security
allow
SMB MUST anonymous
componentmatch
permissions
requires thehas packet
access.
SMB
forsigning.
packetserver
resources.
that enabled.
signing is beingfo
Windows
Disabled:
Note:
All When
Windows allows
Noconfiguringanonymous
additional
operating this
systems users
restrictions.
security toRely
support perform
setting,
both acertain
on default
changes
client-side activities,
permissions.
will(always)
(ifnot
SMB take such as enumerating
effect
component untiland you restart the Windows.
a server-side names orSMB of the
domain
component. accounts and network shares. This is convenient,
Microsoft
Microsoft
Network
set,
network
network
access:
anonymous
server:
server:
Remotely
users can
Digitally
Digitally
accessible
only access
sign
sign communications
communications
registry
those paths
resources and
client
subpaths
for which
agrees)
-the
Controls - Controls
anonymous whether whether
user or nothas the
been
not
server-side
explicitly SMB To
server-side
given
take
SMB
component
permission.
advantage
componentrequires ofhasSMB
packet packet
packet signing. signing,
signing both
enabled
This
For
If security
more
Microsoft
server-side
Default:
Microsoft None.
No setting
information
network SMBclient:
validation
network determines
about
signing
server: isStored
Digitally which
required,
Digitally User
sign
sign registry
Names
communications
acommunications
client will keys
and not can be be
Passwords,
(always)
able
(if accessed
client see
to-agrees)
Controls
establish over
Stored -a the network,
User
whether
session
Controls Names
orwithnot
whether regardless
and
the
that of unless
Passwords.
orclient-side
server,
not the the users
SMB
server-side or groups
it component
has client-side
SMB listed
requires
component SMB in thepacketaccess
signing
has control
signing.
enabled.
packet signing Bylistenabled
(ACL)
default,
Default
Microsoft
If on
server-side workstations:
network SMB client:
signing Enabled.
Digitally
is enabled, sign accesscommunications
SMB packet signing (if server
willand beagrees)
negotiated - Controls
with clientswhether that orhave
not the client-side
client-side SMB SMB signingcomponent enabled. has packet signing enabled.
Network
If
If server-side
This
thissecurity
Default access:
policy
on SMB
issetting Restrict
enabled,
server:Disabled. signing
determines
theanonymous
isEveryone
required,
which a client
registry
SID towill
is added Named
paths nottoand be
the Pipes
able
subpaths
token to that Shares
establish
can be aaccessed
is created session
forservice with
over
anonymous that
the server
network, unless
connections. regardless itInhasthis client-side
of
case,the users
anonymousSMB signing
or groups users enabled.
listed
are in abletheBy default,
toaccess
access co
Default:
Microsoft
Using
All SMB
Windows
Similarly, Disabled.
ifnetwork
packet
operating
client-side server:
signingsystems
SMB Digitally
cansigningimpose sign
support communications
upboth
is required, to aa 15 client(always)
percent
client-side
that performance
SMB
will - Controls
notcomponent
be ablehittoon whether
and file ora not
a server-side
establish theSMB server-side
transactions.
session withcomponent.
servers SMB component
thatThisdo not setting requires
haveaffects packetthe packet
serversigning.
signing SMB behavior,
enabled. By defau a
Network
Microsoft
When
If server-side access:
network
enabled, SMB Shares
thisserver:
security
signing thatis can be
Digitally
setting
enabled, sign accessed
communications
restricts
SMB anonymously
anonymous
packet signing (if client
access
will be agrees)
to shares
negotiated - and
Controls
pipes
with whether
to
clients the that orhave
settingsnot the for: server-side
client-side SMB SMB
signing component
enabled. has packet signing enabled
Default:
Important Disabled.
System\\CurrentControlSet\\Control\\ProductOptions
If server-side SMB signingsigning can is required, a performance
client will notup beto able
Using
Network SMB packet
access: Sharing and degrade
security model forthat
local accounts 15 to establish
percent on file a session
servicewith that server unless it has client-side SMB signing enabled. By default,
transactions.
This
Network security
access: setting Named determines
System\\CurrentControlSet\\Control\\Server
Similarly, if client-side SMB pipes signing which
that is
can network
required,
be accessedshares
Applications client canwill
anonymously accessed
not be able by anonymous
to establishusers. a session with servers that do not have packet signing enabled. By defau
System\\CurrentControlSet\\Control\\Print\\Printers
This policy has
Software\\Microsoft\\Windows
If server-side SMB no impact
signing onis domain
enabled, controllers.
NT\\CurrentVersionSMB packet signing will bepassword
negotiated with clients that have client-side SMB signing enabled.
Network
Important
This access:
security: Shares
Do not thatstore can LAN beManager
accessed hash
anonymously
valuethat on next change
Usingsecurity setting determines
System\\CurrentControlSet\\Services\\Eventlog
Default:
Default: SMBNone packet
Enabled. specified.signing can impose how network
up to alogons 15 percent use local
performance accounts hit onare fileauthenticated.
service transactions. If this setting is set to Classic, network logons that use local acc
Software\\Microsoft\\OLAP
Network
Caution security: Force logoffServer when logon hours expire
This
For
If this security
this policyis
setting setting
Software\\Microsoft\\Windowstoset
take todetermines
effect on
Guest only, if,network
at the next
computers
NT\\CurrentVersion\\Print running
logons password
thatWindowsusechange,
local 2000, the LANare
server-side
accounts Manager packet
automatically(LM) hash
signing mapped valuealso
must forthe
to the
beGuest new password
enabled. account. To enable Byis stored.
using The
server-side
the LMSMB
Guest hash is relatively
packet
model, can hw
yousigning
Microsoft
Network network LAN
security:
Software\\Microsoft\\Windows server: ManagerDigitally sign communications
authentication
NT\\CurrentVersion\\Windows level your (if server agrees)
This security
Incorrectly setting
editing thedetermines
registry may whether
severely to disconnect
damage users system.who are Before connected
making to the local
changes to computer
the registry, outside
you should their user backaccount's
up any valued valid logon data on hours. This setti
the computer
Default on domain
This security computers:
System\\CurrentControlSet\\Control\\ContentIndex
Note: setting istonot Classic.
available on earlier versions of
Network
Default
For
This on
Windows security:
security 2000LDAP
Windows
setting Vista:
servers client
determines Enabled signing
negotiate
which requirements
signing
challenge/response with Windows NTWindows.
authentication 4.0 clients, The thesecurity
following setting
registry thatvalue
appears must onbe computers
set to 1 on running
the Windows Windows
level 2000
XP,server:
"Network acc
System\\CurrentControlSet\\Control\\Terminal
Default
When
Default:
Default
on
this stand-alone
policy is
on Windows XP: Disabled. enabled,computers: it causes Guest client only
HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
Server
sessions with the SMB serverprotocol to be forcibly is used for
disconnectednetwork logons.
when theThis choice
client's logon affectshours theexpire. of authentication pro
Network security: Minimum session security for Server\\UserConfig
NTLM SSP based (including secure RPC) clients
This
Send security setting determines the level of data signing that is requested onnever
behalfuse of clients issuing LDAP BIND domain requests, as follows:
this LM
Important & NTLM responses:
If policy is disabled,
System\CurrentControlSet\Control\ProductOptions
Important
Computers that have anpolicy
thisNTLMv2
Clients
established
set will
use
not
LM
client and
communicate
NTLM authentication
Server\\DefaultUserConfiguration
session is allowed
with to be maintained
computers
and
that doand notafter have
NTLMv2
theclient-side
client's session
logon packet
security;
hours have enabled.
signing expired. controllers
Client-side
accept LM, NTLM, and NT
packet
Network
Send LM security:
& NTLM
Software\\Microsoft\\Windows
This security setting Minimum
-
System\CurrentControlSet\Control\Serveruse
allows session security
session
NT\\CurrentVersion\\Perflib
a client to require for
securitythe NTLM
Applications if
negotiation SSP
negotiated: based
ofare (including
Clients
128-bit use LM
encryption secure RPC)
NTLM
and/or servers
authentication and
NTLMv2 session security. These values are use NTLMv2 session security
dependent if thesigning
server
on
can
the LANsuppo be
M
None:
Send
With The
NTLM
the GuestLDAPresponse
onlyBIND model,
System\\CurrentControlSet\\Services\\SysmonLogrequest
only: Clients
any is
userissued
use who with
NTLMcan the
accessoptions
authentication your that only
computer specified
and overuse theby
NTLMv2the
network caller.
session
(including security if
anonymous the server Internetsupports users) it; domain
can access controllers
your sharedaccept LM,
resources NT
Default:
Windows Enabled.
Software\Microsoft\Windows
Negotiate signing:
2000 If Transport
Service Pack NT\CurrentVersion
Layer
(SP2)toSecurity/Secure
2Clients and above offer Sockets
compatibility Layer (TLS\SSL)
with authentication has nottobeen previous started, the LDAP
versions of BINDThese
Windows, request
such isit;initiated
as Microsoft with the LDAP
Windows NT data
4.0. siM
Send
This security
NTLMv2 setting
response allows
System\\CurrentControlSet\\Services\\CertSvc
Require NTLMv2 session only: a server use
require NTLMv2 the negotiation
authentication of 128-bit
only and
encryption
use NTLMv2 and/or session
NTLMv2 security
session if the
security.
server supports values domain
are dependent
controllers on accept
the LAN LM
Require
This
Note:
Send signature:
setting
NTLMv2 canresponse Thisthe
affect is security:
the
ability same of The
computers connection
as Negotiate running will Windows
signing. failHowever,
if NTLMv2 2000 if protocol
the
Server,LDAP is server's
not negotiated.
Windows intermediate
2000 Professional, saslBindInProgress
Windows XP,theandresponse the Windows does not indicate
Server 2003 thatfamily
LDA
Note: This security settingonly\\refuse
System\\CurrentControlSet\\Services\\Wins
Require 128-bit encryption: The connection
behaves asLM: an Clients will fail
account use NTLMv2
if strong
policy. Forencryptionauthentication
domain (128-bit)
accounts, only andcan
is not
there use
negotiated.
be NTLMv2
only one session
account security
policy.ifThe server
account supports
policy must it; domain
be defined controller
in th
Require
Send NTLMv2
NTLMv2 session
response security:
only\\refuse The LM connection
& NTLM: will
Clients fail if
use message
NTLMv2 integrity is
authentication
servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. However, local account po not negotiated.
only and use NTLMv2 session security if the server supports it; domain
Caution
Require
This
Caution 128-bit
setting doesencryption.
not affect interactiveThe connection logons willthatfailare if strong
performed encryption remotely (128-bit)
by using is not such negotiated.
services as Telnet or Remote Desktop Services. Remote Desktop Se
Default: No requirements.
Important
If youpolicy
Default:
This setNo
Incorrectly the server
requirements.
will
editing have theto Require
noregistry
impactmay signature,
on computers
severely you must also
running
damage Windows
your set the2000.
system. client.
Before Notmaking
settingchangesthe clienttoresults in a loss
the registry, youofshould connection back with up any thevalued
server.data on the computer
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Network
This policy security:
settingRestrict allows you NTLM: to deny Incoming or audit NTLM outgoing trafficNTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote s
Network
This security: Restrict NTLM: AuditorIncoming NTLM NTLM Traffic traffic.
If youpolicy selectsetting "Allowallows all" or you do not to deny configure allowthisincoming
policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication.
Network
setting Restrict
allows NTLM:
you to auditNTLM incomingauthentication NTLM in
traffic.this domain
If
If you you select
select "Allow "Audit all," all" or thedoclientnot configure
computerthis logspolicy an event setting, for each the server NTLMwill allow all NTLM
authentication requestauthentication
to a remote requests.
server. This allows you to identify those servers re
Network
setting Restrict
allows NTLM:
you to denyAuditorNTLM allow authentication
NTLM authentication in this domain within a domain from this domain controller. This policy does not affect interactive logon to
If
If you
you select
select "Disable",
"Deny all or do not
domain configurethe
accounts," thisserverpolicywill setting,
deny the
NTLM server will not log events
authentication requests forforincoming
domain NTLM
logon traffic.
and display anYou NTLM
If
Networkyou select security:"DenyRestrict all," theNTLM: client computer Add remote cannot server authenticate
exceptions identities
for NTLM toauthentication
a remote server by using NTLM authentication. can blocked
use the error,"Network but allow
security: loc
This
If you policy
select setting
"Disabled" allows or you
do to audit
not configure NTLMthis authentication
policy setting, in the a domain
domain from this domain
controller will controller.
allow all NTLM pass-through authentication requests within the domain
If
If you select
youpolicy
select "Enable allauditing for domain accounts", the server will log events for NTLM frompass-through authentication
and displayrequests an NTLMthat woulderror.be blocked when the "
Network
This
This policy is"Deny
security: supported
setting Restrict
allows
accounts,"
on NTLM:
youat to least the
Add
create
server
Windowsserver
an this
will
7 or
exception
deny
exceptions
Windows NTLM
list of
authentication
in remote
this
Server domain 2008 R2.
servers
requests
to whichwill clients
incoming traffic
areevents
allowed toNTLM
use NTLM authentication
blocked
if domain.
the "Network Security: Re
If
If you select "Disable" or do not configure policy setting, the domain controller not log for authentication in this
If you
Network
This
select
youpolicy
select
security:
is
"Deny
"Enable
supported
forauditing
Allow
domainfor
LocalSystem
on atare
accounts
least all Windows
accounts",
NULL
to domain
sessionthe
7this
servers"
server
or Windowsfallback will the logdomain
Server events2008
controller
for all NTLM will authentication
deny all NTLM requests authentication that would logonbe attempts
blockedtowhen all servers
the "Networkin the domainSecurit
This
Note:
If you policy
Audit
configure setting
and block
this allows events
policy you to
setting, create
recorded
you an exception
can on
define a listofofremote
computer
list servers
in theservers in this R2.
"NTLMBlock" domain
to which toclients
Log which
located clients
are under are
allowed theallowed
to Applications
use to useauthentication.
NTLM NTLM
and pass-through
Services authentication if the "
Log/Microsoft/Windows/Secu
If you
If you select
select "Deny "Enable forfor domain
domain accounts
account" the todomain
domaincontroller servers," will the denydomain all controller
NTLM will log events
authentication logon for attempts
NTLM authentication
from domain logon
accounts attempts
and for domain
return an NTLMaccount blo
Network
This
Allow policy security:
isevents
tosupportedAllow Local
onNULLat System
least to computer
Windows use computer7 or Windows identity Server for NTLM 2008 R2.
Note:
If you
If you NTLM
Block
configure
do not
fall
thisback
configure
are
policy to
recorded
this setting,
policy
session
on you this
setting, canwhenno define used
exceptions ainlistwith
the LocalSystem.
"NTLMBlock"
ofwill
servers
be in this
applied.
Logdomainlocated to under
which the clientsApplications
are allowed andtoServices
use NTLM Log/Microsoft/Windows/Security-NTLM
authentication.
If
Network
If you select
youpolicy security:
select "Enable
"DenyAllow forfor domain
PKU2U
domain accounts,"
authentication
servers" the therequests
domain domain controller
toNegotiate
thiswill will log
computer events
to use for NTLM
online authentication
identities. logon attempts that use domain accounts when NTLM
This
Note:
The Audit
default setting
events
isconfigure
TRUE allows
are toLocal
uprecorded Windows System
on this Vista services
computer
and FALSE incontroller
that use
the in "NTLMBlock"
Windows
deny
7.to Log
NTLM
use the
locatedauthentication
computerunder the requests
identity when to
Applications all
reverting
andservers in the
to NTLM
Services domain
authentication.and return
Log/Microsoft/Windows/Security-NTLM an NTLM blocked
If
The you do not this policy setting, no exceptions will be applied.
Network
If
This younaming
select format
security:"Enable for
forservers
Configure domain onservers"
encryption this exception
typesthe list iscontroller
allowed
domain theKerberos
for fully qualified
will log domain
events for name
NTLM (FQDN) or NetBIOS
authentication requestsserver name
toable used in
all servers bythe thedomain
application, when listed
NTLM one per
an authe
If
If you youpolicy
select
enable will"Denybe policy
this turned
all," the offdomain
setting,by defaultservices on
controller domain
running will as joined
deny Local allmachines.
NTLM
System This
pass-through
that would
use disallow willthe
authentication
Negotiate use online
requests identities
the computer from to be
its servers
identity. This to
and authenticate
for its
might cause accountsto theand
some domain
return
authentication joined ma
NTLM
requ
The naming
Recovery format Allow
console: for serversautomatic on this exception list
administrative is the fully qualified domain name (FQDN) or NetBIOS server name used by the calling application listed o
logon
This
If
This youpolicy
selectsetting
is"Enable allows
all" on you
the to
atdomain set Windows
the encryption
controller will log types eventsthat Kerberos
for NTLM ispass-through allowed to use. authentication requests from its servers and for its accounts which would
If youpolicy do not supported
configure this policy least setting, services Server 2008
running R2.
as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonym
Recovery
This console: Allow floppy copy and access to all drives and all folders
If
This
Note: notsecurity
selected,
policy
Blockis
setting
supported determines
the encryption on at least type if the
onwill
password
thisnot
Windows be Server for the
allowed. in 2008
Administrator
This R2.setting may account
affect must be givenwith
compatibility before
client access
computers to theorsystem services is granted. If this option
and applications. is enabled,
Multiple selection th
This
Shutdown: policy isevents
Allow supported
system
are recorded
on
to at least
be shut Windows
down
computer
without 7 or having
Windowsthe "NTLMBlock"
to Server
log on 2008 Log R2. located under the Applications and Services Log/Microsoft/Windows/Security-NTLM
EnablingThis
Default: this policy
security option
is not makes the Recoveryadministrative Console SETlogon command available, which allows you to set the following Recovery Console environment varia
This
Note:policy Audit is supported
events are ondefined
recorded at least on and thisautomatic
Windows computer 7 or Windows
in the "NTLMBlock" Server 2008 is
Lognot
R2. allowed.
located under the Applications and Services Log/Microsoft/Windows/Security-NTLM
Shutdown:
This security Clearsetting virtual memory whether
determines pagefile a computer can be shut down without having to log on to Windows.
AllowWildCards: Enable wildcard support for some commands (such as the DEL command).
System
AllowAllPaths:
This cryptography:
security Allow determines
setting Use FIPS
access 140
to allwhether filescompliant
and the folders cryptographic
virtual on the computer.
memory algorithms,
pagefile including encryption, hashing
is shutand signing algorithms
When this policy
AllowRemovableMedia: is enabled, Allowthe filesShut to be Down copied command to removable is available media, onis cleared
the
such Windows when
as a floppy
the system
logon disk.screen.
down.
System
NoCopyPrompt:
For Cryptography:
thememory
Schannel Do notForce
Security prompt strong
Service when key
Provider protection
overwriting (SSP), for user keys stored disables on the computer
Virtual
When this policy support
is disabled, uses a system
the option pagefile
to shut toan
down
this
swap existing
the
security
pages
computer
file.ofsetting
memory
does not diskthe
to appear when weaker Secure
are not Sockets
theyWindows
on SHA512)
the used.
logon OnLayera running(SSL)system,protocols thisand supports
pagefile is ableonly theexclusi
opened Trans
authentication,
System
unauthorized objects: userand
Default
whoonly the
owner
manages Secure for to Hashing
objects
directly created Algorithm
access bythe (SHA1,
members
pagefile. SHA256,
of the SHA384,
Administrators and group for the TLSscreen.
hashing Inrequirements.
this case, users must be to log on to
This security
Default: This policysettingisdeterminesnot definedif and users' theprivate
recover keys consolerequire SET a password
commandtoisbe notused.
available.
Description
Default on workstations: Enabled.
System
For Encrypting
When
This objects:
security
this policysettingRequire
File
is System
enabled,
determinescaseService
it insensitivity
causes
which (EFS),the
security for
system non-Windows
it supports
principal
pagefile the(SID) Triple
to subsystems
be Data
will
cleared
be Encryption
assigned
upon clean
theStandard
OWNER
shutdown. (DES) andenable
of objects
If you Advanced
when the Encryption
thisobject
security Standard
is created
option, the
by a (AES)
hibernation
member encryption
offile algorith
the(hiberfil.sys
Administr
The
Default options are: Disabled.
on servers:
Default:
System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)
This
For
Windows
Default: security
Remote XP:
Disabled. setting
Desktop
User determines
SID Services, itwhether supportscase onlyinsensitivity
the Triple DES is enforced
encryption for algorithm
all subsystems. The Win32
for encrypting Remote subsystem Desktop is case
Services insensitive.
networkHowever, communication. the kernel suppo
User input is not required when new keys are stored and used
System
Windows
This settings:
2003 : Optional
Administrators subsystems Group
If thissecurity
User
Note: isRemote
prompted
setting setting
is when
enabled,
Desktop determines
the
case
Services isthe
keyinsensitivity
was firststrength
usedisTerminal
called of the default
enforced for alldiscretionary
Services directory
in previous access
objects,versions control
symbolic list
links,
of Windows (DACL)
and IO
Server.forobjects,
objects.including file objects. Disabling this setting does n
User
System must enter aUse
settings: password
Certificate each Rules time on they use a key
Windows Executables for Software Restriction Policies
Thismore
Active security
Directory settingmaintainsdetermines a global which subsystems
listinfrastructure.
of shared systemcan optionally be started up to device
supportnames, your applications. With this securityInsetting, you can specify beaslocated
many
For
Default:
For BitLocker, information,
Enabled. this policy seeneeds Public tokey be enabled before anyresources,
encryptionsuch key is asgenerated.
DOS Please note mutexes,
that when and semaphores.
this policy is enabled, this way,
BitLockerobjects willcan prevent the c
User security
This Accountsetting Control: Admin Approval
determines if digital Mode certificatesfor the are Built-inprocessedAdministrator when aaccount
user or process attempts to run software with an .exe file name extension. This sec
Default:
If this policy
Default: POSIX.
This ispolicy
enabled, the
is notthis default
defined. DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify s
effect,
Default:
User you must
Disabled.
Account enable
Control: Behavior security of the setting.
elevation prompt for administrators in Admin Approval Mode
This security setting determines the behavior of Admin Approval mode for the Built-in Administrator account.
Default:
User Enabled.
Account Control: Behavior of
When
Note:
This
The options
certificate
The
security Federalsetting rules are
Information
determines enabled, thethe
Processing elevation
software
behavior Standard prompt
restriction
of the (FIPS)
elevationfor standard
policies 140 will
is acheck
prompt users
security a certificate
implementation
for administrators revocation designedlist (CRL) to makecryptographic
for certifying sure the software's software. certificate
FIPS 140 andvalidated
signatur
This securityare: setting determines the behavior of the elevation prompt for standard users
User
Default: Account
Disabled. Control: Detect application installations and prompt for elevation
The
options
Enabled: Theare:Built-in Administrator will logon in Admin Approval Mode. By default any operation that requires elevation of privilege will prompt the Consent A
The options
User security
Accountsetting are:Control: Only elevate
This determines the executables
behavior of application that are signed and validated
installation detection for the entire system.
Prompt
Disabled: forThe consent:
Built-in AnAdministrator
operation that will requires
logon inelevation
XP compatible of privilege mode will
and prompt
run allthe Consent Admin
applications to selectwith either Permit or Deny. If the Consent Admin sel
User
This Account
Prompt for
securityare: Control:
credentials: Only An elevate
operation UIAccess
that requires
setting will enforce PKI signature checks on any interactive application applicationselevation that of are installed
privilege willin secure
prompt the
thatlocations
user
requests to by
enterdefault
elevationan administrativefull administrative
of privilege. user name
Enterprise
privilege.
and password.can
administrators If the user et
control
The options
User Prompt
Account for credentials:
Control: Run An operation
all users, that
including requires elevation
administrators, of privilege will prompt the Consent Admin to enter their user name and password. If the user en
Default:
This
The
Disabled
security
Automatically
options setting
are: denywill enforce
elevation the requirement
requests: This option thatresults
applications in as an standard
that request
access users.
denied execution
error message with a UIAccess
being returned integrity to thelevel (via a marking
standard user when of UIAccess=true
they try to perform in thei a
Enabled: Application installation packages that require an elevation of privilege to install will be heuristically detected and trigger the configured elevation pro
User
This Account
Elevate
security without Control:
setting prompting: Switch
determines to
This the secure
option
the behavior allows desktop the
of all UAC when
Consent prompting
policies Admin for the tofor elevation
perform
entire system.an operation that requires elevation without consent or credentials. Note: this sc
-Default:
\Program
Enabled: Prompt Files\,
Enforces for including
credentialsPKI subdirectories
therunning (home)
certificate /chain
Automatically validation deny a elevation
ofthat given requests
executable (enterprise)
before it is permitted to run. like Group Policy Software Install (GPSI) or SMS wil
Disabled:
-Default:
User\Windows\system32\
Account Enterprises
Control: Virtualizesstandard file and the users
registry desktops
write request
failures leverage
to per-user delegated
locations installation technologies
This
The security
options Prompt setting
are: for determines
consent whether elevation will prompt on the interactive users desktop or the Secure Desktop.
- \Program
Disabled: Files not
Does (x86)\, enforce including subdirectories
PKI certificate chainfor 64 bit versions
validation before ofgiven
a Windows executable
User
Default:
This Account
Enabled
security Control:
setting (home) Allow
enables UIAccess
/ Disabled
the redirection applications
(enterprise) of legacy to prompt
application for elevation
write failures without usingisthe
to defined
permitted
locations
to run.
secureindesktop. both the registry and file system. This feature mitigates th
The
options
Enabled: are:
Admin Approval Mode and all check other UAC policies are dependent onthat thisrequests
option being enabled. Changing integrity this setting requires a system
Note:
Maximum
Default: Windows application
Disabled enforces log a PKI
size signature on any interactive application execution with UIAccess level regardless of thereboot.
state of thi
This security setting
Virtualization facilitates controls
the whether
running User
ofdefault
pre-Vista Interface (legacy) Accessibility
applications (UIAccess or UIA) programs
that historically failed to run canasautomatically
Standard User. disable the secure desktop
An administrator runningforonly elevation
Windows prom Vi

Enabled:
Disabled: All
Admin elevationApproval requests by will go to the secure desktop
Mode user type and all related UAC policies will be disabled. Note: the Security Center will notify that the overall security of the op
Maximum
The
This options
security security
are:
setting log size
specifies the maximum size of the application event log, which has a theoretical maximum of 4 GB. Practically the limit is lowerUnless (~300MB
If
The you enable
optionsAll this
are: setting, UIA programs including Windows Remote Assistance can automatically disable the secure desktop for elevation prompts. you
Disabled:
Maximum
Default: system
Enabled elevation sizerequests
logspecifies will go to the interactive users desktop
This
security
Enabled:
Notes Ansetting
application the maximum
will only launch with size of the security
UIAccess integrityevent log, which
if it resides in ahas secure a theoretical
location inmaximum the file system. of 4 GB. Practically the limit is lower (~300MB).
If you
Enabled: disable or
Facilitates do not configure
the runtime this setting, of
redirection theapplication
secure desktop write can onlytobe
failures disabled
defined user bylocations
the user for of thebothinteractive
the file system desktop andorregistry.
by disabling the "User Account
Prevent
Default:
This local
Enabled
securityAn guests
setting group
specifies and the ANONYMOUS
maximum LOGIN
size of the users
system from event accessing
log, which application
has a in log
theoretical maximum of 4 GB. Practically the limit is lower (~300MB).
Notes
Disabled:
Log programs
file sizes must application
be a multiple will launch
of 64 KB. with UIAccess
IfWindows
you enterand integrity
a value even if it
that is programs does not
not a multiple reside of 64 KB, a secure location in the file system.
UIA
Prevent
Disabled: local are designed
guests
Applications group towrite
thatand interact
ANONYMOUS
data with
to Computer
protected LOGIN users
locations application
from accessing
will simply on behalf
security
fail application
as they did in of
logevent aEvent
user. This
previous
Viewer will round
setting allowshe UIA logprograms
file size up to a multiple
to bypass the secureof 64 KB. desk
This
Notes security
setting setting
does notdetermines
appear in the if guests
Local are prevented Policy from object.accessing the log. versions of Windows.
Log file
Default:
Event Logsizes
Enabled must
sizeguests and log be a multiple
wrapping of 64
should KB. If
be definedyou enter a
to match value that
the business is not a multiple
and securityof 64 KB, Event
requirements Viewer will
you determined round he log file size up to a multiple of 64 KB.
Prevent
Since
This
Default UIA
settinglocal
security
:For programs
Enableddoes
setting group
must
notdetermines
appear beand able
in ANONYMOUS
the toLocal
if2003
guestsrespond Computer toLOGIN
are prevented prompts Policyusersregarding
from from
object.accessing accessing
security system
the issues,
application logevent
such as the UAC elevation
log. prompt,when designing must
UIA programs your enterprise
be highly trusted. securityInp
Notes
Default:
Log file sizes themust
..\Program Windowsbe a
Files\ Server
multiple
(and of 64
subfolders) family,
KB. If you 16 enter
MB; for
a Windows
value that XPnot
is Professional
a multiple Service
of 64 KB, Pack
Event 1, Viewer
8 MB; for will Windows
round he XP
log Professional,
file size up to 512
a KB. of 64 KB.
multiple
Event
Retain Log size andlog
application log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security p
This
Notes
Default:setting
security
For does
setting
..\Program
the notdetermines
Windows appear
Files (x86)\
Serverin the if(and
guests
2003 Local Computer
are prevented
subfolders,
family, 16 MB; in Policyforfrom
64-bit object.accessing
versions
Windows the application
of Windows
XP Professional only) ServiceeventPack log. 1, 8 MB; for Windows XP Professional, 512 KB.
This setting
..\Windows\System32\
Event Log does
size and not logappear
wrapping in the Local
should beComputer
defined to Policy
match object.the business and security requirements you determined when designing your enterprise security p
Retain
This security
security log
setting determines the number of16 days' worth of events toProfessional
be retained for the application
Notes
Default:
This settingFor does the Windows
notaffects
appear Serverin the 2003 Local family,
Computer MB; for Windows
Policy object. XP Service Pack 1, 8 log MB;iffor theWindows
retentionXP method for the application
Professional, 512 KB. log is By D
This
Retain
The security
system
requirement setting
log to be in a only
protected computers path can runningbe Windows
disabled by 2000
the "Userand Account
WindowsControl: XP. Only elevate UIAccess applications that are installed in secure locatio
This
Set security
this value setting
onlynot if determines
you archive the
theLocalnumber
log atComputer of days' worth
scheduled intervals of events and you to be make retained
sure that for the the security
Maximum logapplication
if the retention log sizemethodis largefor theenoughsecurity log
to accommodateis By Days. the
This
This setting
security does
setting appear
affects in the
only computers running Policy
Windows object. 2000 and Windows XP.
Retention
Default:
Thisthis
While security
this method
Enabled
settingsetting forfordetermines
applies application
Windows to any XP, the
UIAlogDisabled
number
program, for Windows
ofitdays'
will be worth
used 2000ofprimarily
events toinbe retained
certain Windowsfor the system
Remote log security
if the retention
Assistance scenarios. methodThe for
Windowsthe system Remote log Assistance
is By Days. pro
Set
Note: value
This setting only if
does you archive
not appear the log
in the Local at scheduled Computer intervalsPolicy and object.you make sure that the Maximum log size is large enough to accommodate the inte
This
Default:security
Retention method
Enabled setting forforaffects
security
Windows only log
XP, computers
Disabled running
for Windows Windows 2000 2000 and Windows XP.
This
If security
Default:
Set this value
a user None.
requests setting
onlyremote determines
if you archiveassistance the
the log "wrapping"
from atan scheduled method
administrator for
intervals the
andand application
the you remote make log. sure thatsession
assistance the Maximum system log
is established, anysize is largeprompts
elevation enoughappear to accommodate
on the interactive the inte
Notes
Retention
Default:
requires
This security
setting method
Enabled
that the for
setting
does fordetermines
not systemuser
Windows
interactive
appear log
in XP, the
the Disabled
respond
"wrapping"
Local tofor
Computer anWindows
elevation
method Policy for2000
prompt
the
object. on thelog.
security secure desktop. If the interactive user is a standard user, the user does not have the r
If you This
Note: do not archive
setting does thenot application
appearauditing inlog,
theinLocal the Properties
Computer dialog box for this policy, select the Define this policy setting check box, and then click Overwrite eve
A user must
Restricted possess
Groups the Manage and security logPolicy
user right object. to access the security log.
This
Default:
If you
Default:
If security
you archiveNone.
enable
doNone. setting
this
not archive determines
setting, ("User the
Account "wrapping" Control: method
Allow for the
UIAccess system log.
applications to prompt for elevation withoutsetting using check the secure desktop), , requests for elevatio
If you the log the security log,
at scheduled in the Properties
intervals, in the Properties dialog box dialog for boxthis policy,
for this select
policy,the selectDefinethe this
Define policythis policy setting box,
check and then
box, and click
then Overwrite
click Overwrite events
This
If
Thisyou security
do
setting not setting
archive
does not allows
the
change anthe
system administrator
log,
behaviorin the of tothedefine
Properties UAC two
dialog properties
elevation box for
prompt for for
this security-sensitive
policy, select
administrators. the groupsthis
Define ("restricted"
policy groups).
setting check box, and then click Overwrite events
If
If you
you archive
must retain the log all the at scheduled
events in the intervals,
log, in in thethe Properties
Properties dialog dialog box box forforthis this policy,
policy, select
select thethe Define
Define thisthis policy
policy setting
setting check
check box,box,and andthen then click
click DoOverwrite
not overw
The
If youtwo planproperties
archive to the
enable log are at
this Members
scheduled
setting, and
you Member
intervals,
should in
also Of.
the The
review Members
Properties the dialog
effect listof defines
box
the for
"User who
this belongs
policy,
Account and
select
Control: who
the does
Define
Behavior not
this
of belong
policy
the to the
setting
elevation restricted
check
prompt box,
for group.
and
standard The
then Member
click
users" Of listIf
Overwrite
setting.
If you This
Note: mustsettingretain all does thenot events
appear in the in the log,Local in theComputerPropertiesPolicy dialogobject. box for this policy, select the Define this policy setting check box, and then click Do not overw
When
.If you a Restricted
must retain all Groups
the events Policyinisthe enforced,
log, in the anyProperties
current member dialog box of afor restricted
this policy, group that the
select is not
Defineon the thisMembers
policy setting list is check
removed. box,Any anduserthenon theDo
click Members
not overl
Notes
Default: None.
System Services security settings
Registry
Allows ansecurity settingsto define the startup mode (manual, automatic, or disabled) as well as the access permissions (Start, Stop, or Pause) for all system se
administrator
File System
Allows security settings
Default:an administrator
Undefined. to define access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs
Allows
Default:an administrator to define access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs
Notes Undefined.
Default:
Note: Undefined.
This setting does not appear
This setting does not appear in the in the Local
Local Computer
Computer PolicyPolicy
object.object.
If you choose to set system service startup to Automatic, perform
Note: This setting does not appear in the Local Computer Policy object.adequate testing to verify that the services can start without user intervention.
For performance optimization, set unnecessary or unused services to Manual.
Reboot Required Comments
No
No
No
No
No
No
No
No
No
No clients will get the new setting
after a maximum of 8 hours
No clients
but for will
DCsgetto the newthese
assign setting
after
new a maximum
settings a of 8 hours
Gpupdate
No clients
but foriswill
DCs get
to the newthese
assign setting
/force
after required
a maximum or waiting
of 8 hours for
No newusual
the settings
clients will
5 a the
get Gpupdate
minutesnew
whensetting
the
but forisDCs
/force to assign
required or these
waiting
after
new a maximum
SCE settings
engine of 8
assigns
a hours for
all
Gpupdate
No clients
the foriswill
usual
modified
but DCs5get
to the
minutes
settings. new
assignwhensetting
thesethe
/force
after
SCE a required
maximum
engine or waiting
of 8
assigns hours for
all
No new
the settings
usual a Gpupdate
5 minutes when
modified
but forisDCs
/force settings.
to assign
required thesethe
or waiting for
SCE
new engine
settings assigns
a all
Gpupdate
No the usualsettings.
modified 5 minutes when the
/force is required
SCE engine or waiting
assigns all for
No the usualsettings.
modified 5 minutes when the
SCE engine assigns all
No modified settings.
No
No
No
No
No
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Note: In Windows 2000
Server, Windows 2000
No Logoff required
Professional, Windows XP
No Professional,
Note: See also and
thethe
Windows Server
corresponding 2003 family,
Windows
No Logoff
the required
Task
Server Scheduler
2003 Allow log on
automatically
locally policy grants
setting,this rightin
earlier
No Logoff
as required
thisnecessary.
worksheet.
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No
No
No
No
No
Yes
Yes
No
Yes
No
No
No
No
No For the policy change to take
effect, the spooler service
No needs to be
No stopped/restarted, but the
system does not have to be
No rebooted.
Yes Restart of service might be
sufficient
No
No
No Important: In order to take
advantage of this policy on
No member workstations and
No servers, all domain controllers
that constitute the members
No domain must be running
Windows NT 4.0 Service Pack
No Important:
6 or higher.This setting applies
to
In Windows
order to take2000 computers,
advantage of
No but
this itpolicy
is noton
available
doma through
No the Security Configuration
Manager tools on these
computers.
No
No
No
No
No
No
No
No Important: This setting
applies to Windows 2000
No Important:
computers,This but itsetting
is not will
apply to any
available computers
through the Security
No Only
runningLogOff is
Windows required for
2000 tools
Configuration
W2K, XPchangesand Manager
W2K3
Yes through
on
Important:
these computers.
For in the
computers.
registry, butonIn this
the
policy to
Vista,
security
take effect
start/restart thecomputers
scpolicysvc
Yes setting
running is not viewable
2000,through
will
the workWindows
or LogOff client-
Yes sideSecurity Configuration
packet signing must also
Manager tool set.
be enabled. For more
Yes information, search for
"Security Settings
No Descriptions" in the Windows
Yes Server
Important:2003 ForHelp.
this policy to
take effect on computers
No running Windows 2000,
No server-side packet signing
must also be enabled. For
No more information, search for
"Security Settings
No Descriptions" in the Windows
No Server
Important:2003 Help.
This policy has no
impact on domain controllers.
No For more information, search
No for "Security Settings
Descriptions" in the Windows
No Server 2003 Help.
Yes
No Important: The Network
access: Remotely
No Important:
accessible On Windows
registry paths XP,
this security
security setting
setting that was
appearscalled
Yes "Network access: Remotely
on computers running
Yes accessible
Windows XP registry paths." to
corresponds If
you configureaccess:
the Network this setting on a
No member
Important:
Remotely ofaccessible
the
ThisWindows
setting only
affects
Server computers
registry 2003
paths family
and running
that is
subpaths
No Important:
Windows
joined aXP Windows
topolicy Professional
domain, 2000
this setting
security
Service Pack 2 setting
(SP2) on
and
No which
is are of
inherited
members not
bythejoined
Wi to a with
computers
above offer
domain. compatibility
No authentication
Important:
This policy willThis to previous
setting
have can
no impact
versionstheofability
on computers
affect Windows,
running such as
of computers
Yes Microsoft
running Windows
WindowsWindows
2000. For NT
2000more4.0.
This setting
Server, Windows
information, can
search affect
2000 the
forwill
No Warning:
ability This
of computers settingrunning
Professional,
"Security
apply to Setting
any Windows XP
Descriptions"
computers
No Windows
Warning:
Professional,
in the Win 2000
Thisand Server,
setting
the will
running
Windows Windows
2000 Pr 2000
apply
Windows
through to changes
any computers
Server 2003
in thefamily
to
running
communicate
registry Windows
but with
the security2000 setting
through
computers
will not bechanges
running
viewable in Windows
the
through
registry
NT
the 4.0 but the
and
Security earlier security
over the
Configuration setting
will
netwonot betool
Manager viewable
set. For through
more
the Security search
information, Configuration for
Manager tool set.De
"Security Setting For more
No
No
No
No
No
No
No
No
No
No
No
No Require restart of recovery
console
Require restart of recovery
No console
No Requires logoff
Yes Vista does NOT require reboot
No
Yes Requires reboot with CNG on
Vista; Does not require reboot
No This policyon
with CAPI does notDoes
Vista; exist not
on
Vista
require reboot on XP, 2003
Yes
with CAPI
Yes
Yes
No
No
No
No
No
No
No
Yes
No
No
No
No Note: This setting does not
appear in the Local Computer
No Note:
Policy This setting does not
object.
No Note: This
Policy setting does not
object.
appear in the
Important: Local Computer
Modifying thisnot
No Notes:
Policy This
object. setting does
setting may affect
No Notes: This setting
compatibility
Policy object. does not
with clients,
appear
services,
This in and
the setting
security Local Computer
applications.
affects For
No Note: This
compatibility
Policy setting
object. does
information not
about
only
appearcomputers
in the running
Local Computer
No This
this
Notes:security
setting,
Windows This setting
see
setting
2000, affects
the does
"Event
Windows not
Policy
only
Log: object.
computers
Maximum running
sec
appear in the and
Server 2003, Local Computer
Windows
No Notes:
Windows
XP.
Policy This setting
2000, does
Windows
object.setting affects not
This
appear
Serversecurity
in thepossess
2003, Local
and Computer
Windows
No A user
Note:
only must
This setting
computers the
does not
running
Policy
XP.
Manage object.
appear
Windows
A user inauditing
must thepossess
2000, Localand
Computer
Windows the
No Note:
ServerThis
security
Policy setting
log
object.
2003, user
andanddoes
right
Windows tonot
Manage
appear
access inauditing
the the Local
security security
Computer
log.
No XP.
Note:
log This
user setting
right does not
to acces
Policy object.
No Note: This
Policy object.setting does not
Policy object.
Note: This setting does not
Note:
PolicyThis setting does not
object.
Note: This
Policy setting does not
object.
Policy object.

Windows 10 and Windows Server 2016 Policy Settings

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Windows 10 and Windows Server 2016 Policy Settings

Caricato da

Copyright:

Formati disponibili

Group Policy Settings Reference

2015 Microsoft Corporation. All rights reserved.

All other trademarks are property of their respective owners.

based on one value or a combination of values that are available

Web site references, may change without notice.

workspace, can't hibernate the PC.

ast Browsing Session feature.

setting overrides this one.

tivity is Corporate Connection.

wise it is outside the network.

licy is set to 0, then storage of previous PINs is not required. Default: 0.

re this policy setting, users control this setting.

rmat: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), i

removable storage class.

in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs.

ping will occur.

in the system notification area.

re this policy setting, the default number is five users.

retail catalog in the Windows Store app.

ers will need to sign in with a Microsoft account.

edit Web content or disable, lock, or synchronize Active Desktop components.

hen log back on.

ault title in a notification when a policy setting prevents device installation.

ly used apps will appear at the top.

ced Storage devices are usable on your computer.

og automatically when full" policy setting.

administrators may select the types of symbolic links to be evaluated.

this policy setting, files can be downloaded from the zone.

d in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\), because this policy

s from the Microsoft Internet Explorer Help file.

ates to Internet Explorer and Internet Tools.

on or off automatic image resizing.

on feature for add-on management will be functional.

ic Detection, unless specified by the user.

ough proxy connections.

ers to use special characters in their PIN.

sers control this setting.

e default for this policy setting.

en root certificates will not be propagated from the smart card.

The value is not used and it is recommended that this be set to 0.

tting, CPU utilization will not exceed the default value.

t users to take actions on malware detections.

on to resolve problems with the device.

Power Options Control Panel.

emote shells per user.

hange using Settings in the Windows Store.

abled, this policy has no effect.

med pipe remote shutdown interface.

the static Content URI Rules.

d domain users from using biometrics to log on.

etting only applies to Enterprise, Education, and Server SKUs.

ss Ctrl+Alt+Delete, and then click Lock this computer.

revent users from saving data to the Desktop.

e local or DHCP supplied connection specific DNS suffix, if configured.

or window frames that cannot be changed by users.

File Explorer encrypts those files automatically.

ng policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Managem

emoved as part of a scheduled clean up task.

n pages in the Local Machine zone to run.

n pages in the Local Machine zone to run.

o run or install files with an invalid signature.

fication bar to allow the file download prompt.

ose to move them.