General Information

This workbook displays the Group Policy settings for Windows Server 2012 R2.

Legend
New setting to Windows Server 2012 R2
Setting name or location change
Client-only setting
Server-only setting
Policy Path Policy Name
Account Policies\Account Lockout Policy Account lockout duration
Account Policies\Account Lockout Policy Account lockout threshold
Account Policies\Account Lockout Policy Reset lockout counter after
Account Policies\Kerberos Policy Enforce user logon restrictions
Account Policies\Kerberos Policy Maximum lifetime for service ticket
Account Policies\Kerberos Policy Maximum lifetime for user ticket
Account Policies\Kerberos Policy Maximum lifetime for user ticket renewal
Account Policies\Kerberos Policy Maximum tolerance for computer clock synchronization
Account Policies\Password Policy Enforce password history
Account Policies\Password Policy Maximum password age
Account Policies\Password Policy Minimum password age
Account Policies\Password Policy Minimum password length
Account Policies\Password Policy Password must meet complexity requirement
Account Policies\Password Policy Store passwords using reversible encryption for all u
Local Policies\Audit Policy Audit account logon events
Local Policies\Audit Policy Audit account management
Local Policies\Audit Policy Audit directory service access
Local Policies\Audit Policy Audit logon events
Local Policies\Audit Policy Audit object access
Local Policies\Audit Policy Audit policy change
Local Policies\Audit Policy Audit privilege use
Local Policies\Audit Policy Audit process tracking
Local Policies\Audit Policy Audit system events
Local Policies\Security Options Accounts: Administrator account status
Local Policies\Security Options Accounts: Block Microsoft accounts
Local Policies\Security Options Accounts: Guest account status
Local Policies\Security Options Accounts: Limit local account use of blank passwords
Local Policies\Security Options Accounts: Rename administrator account
Local Policies\Security Options Accounts: Rename guest account
Local Policies\Security Options Audit: Audit the access of global system objects
Local Policies\Security Options Audit: Audit the use of Backup and Restore privilege
Local Policies\Security Options Audit: Force audit policy subcategory settings (Window
Local Policies\Security Options Audit: Shut down system immediately if unable to log
Local Policies\Security Options DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SD
Local Policies\Security Options DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SD
Local Policies\Security Options Devices: Allow undock without having to log on
Local Policies\Security Options Devices: Allowed to format and eject removable med
Local Policies\Security Options Devices: Prevent users from installing printer drivers
Local Policies\Security Options Devices: Restrict CD-ROM access to locally logged-on user only
Local Policies\Security Options Devices: Restrict floppy access to locally logged-on user only
Local Policies\Security Options Domain controller: Allow server operators to schedule tasks
Local Policies\Security Options Domain controller: LDAP server signing requirements
Local Policies\Security Options Domain controller: Refuse machine account password changes
Local Policies\Security Options Domain member: Digitally encrypt or sign secure chan
Local Policies\Security Options Domain member: Digitally encrypt secure channel dat
Local Policies\Security Options Domain member: Digitally sign secure channel data (w
Local Policies\Security Options Domain member: Disable machine account password
Local Policies\Security Options Domain member: Maximum machine account passwo
Local Policies\Security Options Domain member: Require strong (Windows 2000 or lat
Local Policies\Security Options Interactive Logon: Display user information when session is locked
Local Policies\Security Options Interactive logon: Do not display last user name
Local Policies\Security Options Interactive logon: Do not require CTRL+ALT+DEL
Local Policies\Security Options Interactive logon: Machine account lockout threshold
Local Policies\Security Options Interactive logon: Machine inactivity limit
Local Policies\Security Options Interactive logon: Message text for users attempting to logon
Local Policies\Security Options Interactive logon: Message title for users attempting to logon
Local Policies\Security Options Interactive logon: Number of previous logons to cache
Local Policies\Security Options Interactive logon: Prompt user to change password be
Local Policies\Security Options Interactive logon: Require Domain Controller authent
Local Policies\Security Options Interactive logon: Require smart card
Local Policies\Security Options Interactive logon: Smart card removal behavior
Local Policies\Security Options Microsoft network client: Digitally sign communicatio
Local Policies\Security Options Microsoft network client: Digitally sign communication
Local Policies\Security Options Microsoft network client: Send unencrypted password
Local Policies\Security Options Microsoft network server: Amount of idle time requir
Local Policies\Security Options Microsoft network server: Attempt S4U2Self to obtain claim information
Local Policies\Security Options Microsoft network server: Digitally sign communicati
Local Policies\Security Options Microsoft network server: Digitally sign communication
Local Policies\Security Options Microsoft network server: Disconnect clients when lo
Local Policies\Security Options Microsoft network server: Server SPN target name validation level
Local Policies\Security Options MSS: (AutoAdminLogon) Enable Automatic Logon (N
Local Policies\Security Options MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (R
Local Policies\Security Options MSS: (AutoShareServer) Enable Administrative Shares (recommended except for h
Local Policies\Security Options MSS: (AutoShareWks) Enable Administrative shares (Recommended except for hig
Local Policies\Security Options MSS: (DisableIPSourceRouting IPv6) IP source routing
Local Policies\Security Options MSS: (DisableIPSourceRouting) IP source routing prote
Local Policies\Security Options MSS: (DisableSavePassword) Prevent the dial-up password from being saved (reco
Local Policies\Security Options MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateway
Local Policies\Security Options MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated rout
Local Policies\Security Options MSS: (Hidden) Hide computer from the browse list (Not Recommended except for
Local Policies\Security Options MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
Local Policies\Security Options MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network
Local Policies\Security Options MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name re
Local Policies\Security Options MSS: (NTFSDisable8dot3NameCreation) Enable the computer to stop generating 8
Local Policies\Security Options MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gatew
Local Policies\Security Options MSS: (SafeDLLSearchMode) Enable safe DLL search
Local Policies\Security Options MSS: (ScreenSaverGracePeriod) The time in seconds
Local Policies\Security Options MSS: (SynAttackProtect) Syn attack protection level (Protects against DoS)
Local Policies\Security Options MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a
Local Policies\Security Options MSS: (TCPMaxDataRetransmissions IPv6) How many times unacknowledged data i
Local Policies\Security Options MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retr
Local Policies\Security Options MSS: (WarningLevel) Percentage threshold for the sec
Local Policies\Security Options Network access: Allow anonymous SID/Name translat
Local Policies\Security Options Network access: Do not allow anonymous enumerati
Local Policies\Security Options Network access: Do not allow anonymous enumeratio
Local Policies\Security Options Network access: Do not allow storage of passwords and credentials for network au
Local Policies\Security Options Network access: Let Everyone permissions apply to
Local Policies\Security Options Network access: Named Pipes that can be accessed anonymously
Local Policies\Security Options Network access: Remotely accessible registry paths

Local Policies\Security Options Network access: Remotely accessible registry paths

Local Policies\Security Options Network access: Restrict anonymous access to Named


Local Policies\Security Options Network access: Shares that can be accessed anonym
Local Policies\Security Options Network access: Sharing and security model for local
Local Policies\Security Options Network security: Allow Local System to use compute
Local Policies\Security Options Network security: Allow LocalSystem NULL session fal
Local Policies\Security Options Network security: Allow PKU2U authentication requests to this computer to use on
Local Policies\Security Options Network security: Configure encryption types allowed for Kerberos
Local Policies\Security Options Network security: Do not store LAN Manager hash va
Local Policies\Security Options Network security: Force logoff when logon hours expi
Local Policies\Security Options Network security: LAN Manager authentication level
Local Policies\Security Options Network security: LDAP client signing requirements
Local Policies\Security Options Network security: Minimum session security for NTLM
Local Policies\Security Options Network security: Minimum session security for NTLM
Local Policies\Security Options Network security: Restrict NTLM: Add remote server exceptions for NTLM authenti
Local Policies\Security Options Network security: Restrict NTLM: Add server exceptions in this domain
Local Policies\Security Options Network security: Restrict NTLM: Audit Incoming NTLM Traffic
Local Policies\Security Options Network security: Restrict NTLM: Audit NTLM authentication in this domain
Local Policies\Security Options Network security: Restrict NTLM: Incoming NTLM traffic
Local Policies\Security Options Network security: Restrict NTLM: NTLM authentication in this domain
Local Policies\Security Options Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Local Policies\Security Options Recovery console: Allow automatic administrative log
Local Policies\Security Options Recovery console: Allow floppy copy and access to all
Local Policies\Security Options Shutdown: Allow system to be shut down without hav
Local Policies\Security Options Shutdown: Clear virtual memory pagefile
Local Policies\Security Options System Cryptography: Force strong key protection for user keys stored on the com
Local Policies\Security Options System cryptography: Use FIPS compliant algorithms f
Local Policies\Security Options System objects: Require case insensitivity for non-
Local Policies\Security Options System objects: Strengthen default permissions of inte
Local Policies\Security Options System settings: Optional subsystems
Local Policies\Security Options System settings: Use Certificate Rules on Windows Exe
Local Policies\Security Options User Account Control: Admin Approval Mode for the B
Local Policies\Security Options User Account Control: Allow UIAccess applications to
Local Policies\Security Options User Account Control: Behavior of the elevation pro
Local Policies\Security Options User Account Control: Behavior of the elevation prom
Local Policies\Security Options User Account Control: Detect application installation
Local Policies\Security Options User Account Control: Only elevate executables that
Local Policies\Security Options User Account Control: Only elevate UIAccess applicatio
Local Policies\Security Options User Account Control: Run all administrators in Adm
Local Policies\Security Options User Account Control: Switch to the secure desktop
Local Policies\Security Options User Account Control: Virtualize file and registry write
Local Policies\User Rights Assignment Access Credential Manager as a trusted caller
Local Policies\User Rights Assignment Access this computer from the network
Local Policies\User Rights Assignment Act as part of the operating system
Local Policies\User Rights Assignment Add workstations to a domain
Local Policies\User Rights Assignment Adjust memory quotas for a process
Local Policies\User Rights Assignment Allow log on locally
Local Policies\User Rights Assignment Allow log on through Remote Desktop Services
Local Policies\User Rights Assignment Backup files and directories
Local Policies\User Rights Assignment Bypass traverse checking
Local Policies\User Rights Assignment Change the system time
Local Policies\User Rights Assignment Change the time zone
Local Policies\User Rights Assignment Create a pagefile
Local Policies\User Rights Assignment Create a token object
Local Policies\User Rights Assignment Create global objects
Local Policies\User Rights Assignment Create permanent shared objects
Local Policies\User Rights Assignment Create Symbolic Links
Local Policies\User Rights Assignment Debug programs
Local Policies\User Rights Assignment Deny access to this computer from the network
Local Policies\User Rights Assignment Deny log on as a batch job
Local Policies\User Rights Assignment Deny log on as a service
Local Policies\User Rights Assignment Deny log on locally
Local Policies\User Rights Assignment Deny log on through Remote Desktop Services
Local Policies\User Rights Assignment Enable computer and user accounts to be trusted for
Local Policies\User Rights Assignment Force shutdown from a remote system
Local Policies\User Rights Assignment Generate security audits
Local Policies\User Rights Assignment Impersonate a client after authentication
Local Policies\User Rights Assignment Increase a process working set
Local Policies\User Rights Assignment Increase scheduling priority
Local Policies\User Rights Assignment Load and unload device drivers
Local Policies\User Rights Assignment Lock pages in memory
Local Policies\User Rights Assignment Log on as a batch job
Local Policies\User Rights Assignment Log on as a service
Local Policies\User Rights Assignment Manage auditing and security log
Local Policies\User Rights Assignment Modify an object label
Local Policies\User Rights Assignment Modify firmware environment values
Local Policies\User Rights Assignment Perform volume maintenance tasks
Local Policies\User Rights Assignment Profile single process
Local Policies\User Rights Assignment Profile system performance
Local Policies\User Rights Assignment Remove computer from docking station
Local Policies\User Rights Assignment Replace a process level token
Local Policies\User Rights Assignment Restore files and directories
Local Policies\User Rights Assignment Shut down the system
Local Policies\User Rights Assignment Synchronize directory service data
Local Policies\User Rights Assignment Take ownership of files or other objects
Security Settings\Event Log Maximum application log size
Security Settings\Event Log Maximum security log size
Security Settings\Event Log Maximum system log size
Security Settings\Event Log Prevent local guests group from accessing application log
Security Settings\Event Log Prevent local guests group from accessing security log
Security Settings\Event Log Prevent local guests group from accessing system log
Security Settings\Event Log Retain application log
Security Settings\Event Log Retain security log
Security Settings\Event Log Retain system log
Security Settings\Event Log Retention method for application log
Security Settings\Event Log Retention method for security log
Security Settings\Event Log Retention method for system log
Security Settings\File System File System
Security Settings\Registry Registry
Security Settings\Restricted Groups Restricted Groups
Security Settings\System Services System Services
MSFT Win2012 R2 MSFT Win2012 DC
15 minutes
10 invalid logon attempts
15 minutes

ynchronization
24 passwords remembered
60 days
1 day
14 characters
Enabled
Disabled

Disabled
Enabled

Enabled
Disabled
curity Descriptor Definition Language (SDDL) syntax
curity Descriptor Definition Language (SDDL) syntax

Administrators
Enabled
y logged-on user only
ogged-on user only
s to schedule tasks Disabled
quirements Require Signing
nt password changes Disabled
Enabled
Enabled
Enabled
Disabled
30 days
Enabled
on when session is locked
Enabled
Disabled
10
Enabled: 900 seconds
attempting to logon
attempting to logon
4 logons Not Defined
14 days
Not Defined

Lock Workstation
Enabled
Enabled
Disabled
15 minutes
elf to obtain claim information
Enabled
Enabled
Enabled
get name validation level
Disabled
tomatically restart after a system crash (Recommended except for highly secure enviroments)
ative Shares (recommended except for highly secure environments)
tive shares (Recommended except for highly secure environments)
Highest Protection, source routing is completely disabled
Highest Protection, source routing is completely disabled
dial-up password from being saved (recommended)
matic detection of dead network gateways (Could lead to DoS)
edirects to override OSPF generated routes
rowse list (Not Recommended except for highly secure environments
ve packets are sent in milliseconds
exemptions for various types of network traffic
the computer to ignore NetBIOS name release requests except from WINS servers
nable the computer to stop generating 8.3 style filenames (Recommended)
DP to detect and configure Default Gateway addresses (Could lead to DoS)
Enabled
5 seconds
ction level (Protects against DoS)
missions) SYN-ACK retransmissions when a connection request is not acknowledged
How many times unacknowledged data is retransmitted (3 Recommended, 5 is Default)
many times unacknowledged data is retransmitted (3 Recommended, 5 is Default)
90%
Disabled
Enabled
Enabled
passwords and credentials for network authentication
Disabled
e accessed anonymously
System\CurrentControlSet\Control\
ProductOptions
System\CurrentControlSet\Control\
Server Applications
Software\Microsoft\Windows NT\
CurrentVersion

System\CurrentControlSet\Control\
Print\Printers
System\CurrentControlSet\
Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\
CurrentVersion\Print
Software\Microsoft\Windows NT\
CurrentVersion\Windows
System\CurrentControlSet\Control\
ContentIndex
System\CurrentControlSet\Control\
Terminal Server
System\CurrentControlSet\Control\
Terminal Server\UserConfig
System\CurrentControlSet\Control\
Terminal Server\
DefaultUserConfiguration
Software\Microsoft\Windows NT\
CurrentVersion\Perflib
System\CurrentControlSet\
Services\SysmonLog

Enabled
None (blank)
Classic - Local users authenticate as themselves
Enabled Enabled
Disabled Disabled
ation requests to this computer to use online identities.
ypes allowed for Kerberos
Enabled
Enabled
Send NTLMv2 Responses only, Refuse LM and NTLM
Negotiate Signing
Require NTLMv2 session security, Require 128bit encryption
Require NTLMv2 session security, Require 128bit encryption
mote server exceptions for NTLM authentication
ver exceptions in this domain
coming NTLM Traffic
TLM authentication in this domain
g NTLM traffic
uthentication in this domain
g NTLM traffic to remote servers
Disabled
Disabled
Disabled
Disabled
rotection for user keys stored on the computer
Not Defined
Enabled
Enabled

Enabled
Enabled
Disabled
Prompt for consent on the secure desktop
Automatically deny elevation requests
Enabled
Not Defined
Enabled
Enabled
Enabled
Enabled
No One (blank)
Administrators, Authenticated Users Administrators, Authentic
No One (blank)
Administrators
Administrators, Local Service, Network Service
Administrators
Administrators
Administrators
Not Defined Not Defined
Local Service, Administrators
LOCAL SERVICE, Administrat
Administrators
No One (blank)
Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE
No One (blank)
Administrators
Administrators
Guests, Local account and member of Administrators group
Guests
Guests No One (blank)
Guests
Guests, Local Account
No One (blank) Administrators
Administrators
Local Service, Network Service
Administrators, SERVICE, Local Service, Network Service
Not Defined
Administrators
Administrators
No One (blank)
Not Defined

Administrators
No One (blank)
Administrators
Administrators
Administrators
Administrators, NT SERVICE\WdiServiceHost
Not Defined
Network Service, Local Service
Administrators
Administrators
No One (blank)
Administrators

g application log
g security log
g system log
Help Text Supported On
Account lockout duration Windows XP SP2, Windows Server 20
Account lockout threshold Windows XP SP2, Windows Server 20
Reset account lockout counter after Windows XP SP2, Windows Server 20
Enforce user logon restrictions Windows XP SP2, Windows Server 20
Maximum lifetime for service ticket Windows XP SP2, Windows Server 20
Maximum lifetime for user ticket Windows XP SP2, Windows Server 20
Maximum lifetime for user ticket renewal Windows XP SP2, Windows Server 20
Maximum tolerance for computer clock synchronization Windows XP SP2, Windows Server 20
Enforce password history Windows XP SP2, Windows Server 20
Maximum password age Windows XP SP2, Windows Server 20
Minimum password age Windows XP SP2, Windows Server 20
Minimum password length Windows XP SP2, Windows Server 20
Password must meet complexity requirements Windows XP SP2, Windows Server 20
Store passwords using reversible encryption Windows XP SP2, Windows Server 20
Audit account logon events Windows XP SP2, Windows Server 20
Audit account management Windows XP SP2, Windows Server 20
Audit directory service access Windows XP SP2, Windows Server 20
Audit logon events Windows XP SP2, Windows Server 20
Audit object access Windows XP SP2, Windows Server 20
Audit policy change Windows XP SP2, Windows Server 20
Audit privilege use Windows XP SP2, Windows Server 20
Audit process tracking Windows XP SP2, Windows Server 20
Audit system events Windows XP SP2, Windows Server 20
Accounts: Administrator account status Windows XP SP2, Windows Server 20
This policy setting prevents users from adding new Microsoft accounts on this computer. 8

If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.

If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system.

If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.

Accounts: Guest account status Windows XP SP2, Windows Server 20
Accounts: Limit local account use of blank passwords to console logon only Windows XP SP2, Windows Server 20
Accounts: Rename administrator account Windows XP SP2, Windows Server 20
Accounts: Rename guest account Windows XP SP2, Windows Server 20
Audit: Audit the access of global system objects Windows XP SP2, Windows Server 20
Audit: Audit the use of Backup and Restore privilege Windows XP SP2, Windows Server 20
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings. Windows Vista, Windows Server 2008
Audit: Shut down system immediately if unable to log security audits Windows XP SP2, Windows Server 20
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax Windows XP SP2, Windows Server 20
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax Windows XP SP2, Windows Server 20
Devices: Allow undock without having to log on Windows XP SP2, Windows Server 20
Devices: Allowed to format and eject removable media Windows XP SP2, Windows Server 20
Devices: Prevent users from installing printer drivers when connecting to shared printers Windows XP SP2, Windows Server 20
Devices: Restrict CD-ROM access to locally logged-on user only Windows XP SP2, Windows Server 20
Devices: Restrict floppy access to locally logged-on user only Windows XP SP2, Windows Server 20
Domain controller: Allow server operators to schedule tasks Windows XP SP2, Windows Server 20
Domain controller: LDAP server signing requirements Windows Server 2003?
Domain controller: Refuse machine account password changes Windows XP SP2, Windows Server 20
Domain member: Digitally encrypt or sign secure channel data (always) Windows XP SP2, Windows Server 20
Domain member: Digitally encrypt secure channel data (when possible) Windows XP SP2, Windows Server 20
Domain member: Digitally sign secure channel data (when possible) Windows XP SP2, Windows Server 20
Domain member: Disable machine account password changes Windows XP SP2, Windows Server 20
Domain member: Maximum machine account password age Windows XP SP2, Windows Server 20
Domain member: Require strong (Windows 2000 or later) session key Windows XP SP2, Windows Server 20
Interactive Logon: Display user information when session is Windows Vista, Windows Server 2008
Interactive logon: Do not display last user name Windows XP SP2, Windows Server 20
This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logo
Interactive logon: Do not require CTRL+ALT+DEL Windows XP SP2, Windows Server 20
Interactive logon: Machine account threshold. 8
The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please
Interactive logon: Machine inactivity limit. 8
Interactive logon: Message text for users attempting to log on Windows XP SP2, Windows Server 20
Interactive logon: Message title for users attempting to log on Windows XP SP2, Windows Server 20
Interactive logon: Number of previous logons to cache (in case domain controller is not available) Windows XP SP2, Windows Server 20
This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logo

Default: No message.
Interactive logon: Prompt user to change password before expiration Windows XP SP2, Windows Server 20
Interactive logon: Require Domain Controller authentication to unlock Windows XP SP2, Windows Server 20
Interactive logon: Require smart card Windows XP SP2, Windows Server 20
Interactive logon: Smart card removal behavior Windows XP SP2, Windows Server 20
Microsoft network client: Digitally sign communications (always) Windows XP SP2, Windows Server 20
Microsoft network client: Digitally sign communications (if server agrees) Windows XP SP2, Windows Server 20
Microsoft network client: Send unencrypted password to connect to third-party SMB servers Windows XP SP2, Windows Server 20
Microsoft network server: Amount of idle time required before suspending a session Windows XP SP2, Windows Server 20
Microsoft network server: Attempt S4U2Self to obtain claim information 8
Microsoft network server: Digitally sign communications (always) Windows XP SP2, Windows Server 20
Microsoft network server: Digitally sign communications (if client agrees) Windows XP SP2, Windows Server 20
Microsoft network server: Disconnect clients when logon hours expire Windows XP SP2, Windows Server 20
Microsoft network server: Server SPN target name validation level Windows 7, Windows Server 2008 R2
This security setting determines whether to disconnect users who are connected to the local computer outside their user acco

When this policy is enabled, it causes client sessions with the SMB Service to be forcibly disconnected when the client's logon

If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired.

Default on Windows Vista: Enabled.

Default on Windows XP: Disabled

Network access: Allow anonymous SID/name translation Windows XP SP2, Windows Server 20
Network access: Do not allow anonymous enumeration of SAM accounts Windows XP SP2, Windows Server 20
Network access: Do not allow anonymous enumeration of SAM accounts and shares Windows XP SP2, Windows Server 20
Network access: Do not allow storage of credentials or .NET Passports for network authentication Windows XP SP2, Windows Server 20
Network access: Let Everyone permissions apply to anonymous users Windows XP SP2, Windows Server 20
Network access: Named pipes that can be accessed anonymously Windows XP SP2, Windows Server 20
Network access: Remotely accessible registry paths Windows XP SP2

This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed

Default:

System\\CurrentControlSet\\Control\\ProductOptions
Network access: Remotely accessible registry paths and subpaths Windows Server 2003

This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users o

Default:

System\\CurrentControlSet\\Control\\Print\\Printers
System\\CurrentControlSet\\Services\\Eventlog
Software\\Microsoft\\OLAP Server
Software\\Microsoft\\Windows NT\\CurrentVersion\\Print
Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows
System\\CurrentControlSet\\Control\\ContentIndex
System\\CurrentControlSet\\Control\\Terminal Server
System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig
System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration
Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib
System\\CurrentControlSet\\Services\\SysmonLog
System\\CurrentControlSet\\Services\\CertSvc
System\\CurrentControlSet\\Services\\Wins

Caution

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up a

Note: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you configure t
Network access: Restrict anonymous access to Named PipesWindows
and SharesServer 2003
Network access: Shares that can be accessed anonymously Windows XP SP2, Windows Server 20
Network access: Sharing and security model for local accounts
Windows XP SP2, Windows Server 20
Network security: Allow Local System to use computer identity
Windows
for NTLM
7, Windows Server 2008 R2
Network security: Allow LocalSystem NULL session fallback Windows 7, Windows Server 2008 R2
Network security: Allow PKU2U authentication requests to this
Windows
computer
7, Windows
to use online
Server
identities.
2008 R2
Network security: Configure encryption types allowed for Kerberos
Windows 7, Windows Server 2008 R2
Network security: Do not store LAN Manager hash value on next
Windows
password
XP SP2,
change
Windows Server 20
Network security: Force logoff when logon hours expire Windows XP SP2, Windows Server 20
Network security: LAN Manager authentication level Windows XP SP2, Windows Server 20
Network security: LDAP client signing requirements Windows XP SP2, Windows Server 20
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Windows XP SP2, Windows Server 20
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Windows XP SP2, Windows Server 20
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication Windows 7, Windows Server 2008 R2
Network security: Restrict NTLM: Add server exceptions in this domain Windows 7, Windows Server 2008 R2
Network security: Restrict NTLM: Audit Incoming NTLM Traffic Windows 7, Windows Server 2008 R2
Network security: Restrict NTLM: Audit NTLM authentication in this domain Windows 7, Windows Server 2008 R2
Network security: Restrict NTLM: Incoming NTLM traffic Windows 7, Windows Server 2008 R2
Network security: Restrict NTLM: NTLM authentication in this domain Windows 7, Windows Server 2008 R2
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers Windows 7, Windows Server 2008 R2
Recovery console: Allow automatic administrative logon Windows XP SP2, Windows Server 20
Recovery console: Allow floppy copy and access to all drives and all folders Windows XP SP2, Windows Server 20
Shutdown: Allow system to be shut down without having to log on Windows XP SP2, Windows Server 20
Shutdown: Clear virtual memory pagefile Windows XP SP2, Windows Server 20
System Cryptography: Force strong key protection for user keys stored on the computer Windows Server 2003
System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms Windows XP SP2, Windows Server 20
System objects: Require case insensitivity for non-Windows subsystems Windows XP SP2, Windows Server 20
System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) Windows XP SP2, Windows Server 20
System settings: Optional subsystems Windows Server 2003
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies Windows Server 2003
User Account Control: Admin Approval Mode for the Built-in Administrator account Windows Vista, Windows Server 2008
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. Windows Vista, Windows Server 2008
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Windows Vista, Windows Server 2008
User Account Control: Behavior of the elevation prompt for standard users Windows Vista, Windows Server 2008
This security setting determines the behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation Windows Vista, Windows Server 2008
User Account Control: Only elevate executables that are signed and validated Windows Vista, Windows Server 2008
User Account Control: Only elevate UIAccess applications that are installed in secure locations Windows Vista, Windows Server 2008
User Account Control: Run all users, including administrators, as standard users. Windows Vista, Windows Server 2008
User Account Control: Switch to the secure desktop when prompting for elevation Windows Vista, Windows Server 2008
User Account Control: Virtualizes file and registry write failures to per-user locations Windows Vista, Windows Server 2008
This setting is used by Credential Manager during Backup/Rest Windows Vista, Windows Server 2008
Access this computer from the network Windows XP SP2, Windows Server 20
Act as part of the operating system Windows XP SP2, Windows Server 20
Add workstations to domain Windows XP SP2, Windows Server 20
Adjust memory quotas for a process Windows XP SP2, Windows Server 20
Allow log on locally Windows Server 2003
Allow log on through Remote Desktop Services Windows XP SP2, Windows Server 20
Back up files and directories Windows XP SP2, Windows Server 20
Bypass traverse checking Windows XP SP2, Windows Server 20
Change the system time Windows XP SP2, Windows Server 20
Change the Time Zone Windows Vista, Windows Server 2008
Create a pagefile Windows XP SP2, Windows Server 20
Create a token object Windows XP SP2, Windows Server 20
Create global objects Windows XP SP2, Windows Server 20
Create permanent shared objects Windows XP SP2, Windows Server 20
Create Symbolic Links Windows Vista, Windows Server 2008
Debug programs Windows XP SP2, Windows Server 20
Deny access to this computer from the network Windows XP SP2, Windows Server 20
Deny log on as a batch job Windows XP SP2, Windows Server 20
Deny log on as a service Windows XP SP2, Windows Server 20
Deny log on locally Windows XP SP2, Windows Server 20
Deny log on through Remote Desktop Services Windows XP SP2, Windows Server 20
Enable computer and user accounts to be trusted for delegation Windows XP SP2, Windows Server 20
Force shutdown from a remote system Windows XP SP2, Windows Server 20
Generate security audits Windows XP SP2, Windows Server 20
Impersonate a client after authentication Windows XP SP2, Windows Server 20
Increase a process working set Windows Vista, Windows Server 2008
Increase scheduling priority Windows XP SP2, Windows Server 20
Load and unload device drivers Windows XP SP2, Windows Server 20
Lock pages in memory Windows XP SP2, Windows Server 20
Log on as a batch job Windows XP SP2, Windows Server 20
Log on as a service Windows XP SP2, Windows Server 20
Manage auditing and security log Windows XP SP2, Windows Server 20
Modify an object label Windows Vista, Windows Server 2008
This security setting determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be enabled, the Audit object access setting in Security Settings\Local Policies\Audit Policies must be configured.
You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.
Default: Administrators.
Modify firmware environment values Windows XP SP2, Windows Server 20
Perform volume maintenance tasks Windows XP SP2, Windows Server 20
Profile single process Windows XP SP2, Windows Server 20
Profile system performance Windows XP SP2, Windows Server 20
Remove computer from docking station Windows XP SP2, Windows Server 20
Replace a process level token Windows XP SP2, Windows Server 20
Restore files and directories Windows XP SP2, Windows Server 20
Shut down the system Windows XP SP2, Windows Server 20
Synchronize directory service data Windows XP SP2, Windows Server 20
Take ownership of files or other objects Windows XP SP2, Windows Server 20
Maximum application log size Windows XP SP2, Windows Server 20
Maximum security log size Windows XP SP2, Windows Server 20
Maximum system log size Windows XP SP2, Windows Server 20
Prevent local guests group and ANONYMOUS LOGIN users from accessing application log Windows XP SP2, Windows Server 20
Prevent local guests group and ANONYMOUS LOGIN users from accessing security log Windows XP SP2, Windows Server 20
Prevent local guests group and ANONYMOUS LOGIN users from accessing system log Windows XP SP2, Windows Server 20
Retain application log Windows XP SP2, Windows Server 20
Retain security log Windows XP SP2, Windows Server 20
Retain system log Windows XP SP2, Windows Server 20
Retention method for application log Windows XP SP2, Windows Server 20
Retention method for security log Windows XP SP2, Windows Server 20
Retention method for system log Windows XP SP2, Windows Server 20
File System security settings Windows XP SP2, Windows Server 20
Registry security settings Windows XP SP2, Windows Server 20
Restricted Groups Windows XP SP2, Windows Server 20
System Services security settings Windows XP SP2, Windows Server 20
Registry Settings
Account Lockout Policy security settings are not registry keys.
Account Lockout Policy security settings are not registry keys.
Account Lockout Policy security settings are not registry keys.
Kerberos Policy security settings are not registry keys.
Kerberos Policy security settings are not registry keys.
Kerberos Policy security settings are not registry keys.
Kerberos Policy security settings are not registry keys.
Kerberos Policy security settings are not registry keys.
Password Policy security settings are not registry keys.
Password Policy security settings are not registry keys.
Password Policy security settings are not registry keys.
Password Policy security settings are not registry keys.
Password Policy security settings are not registry keys.
Password Policy security settings are not registry keys.
Audit Policy security settings are not registry keys.
Audit Policy security settings are not registry keys.
Audit Policy security settings are not registry keys.
Audit Policy security settings are not registry keys.
Audit Policy security settings are not registry keys.
Audit Policy security settings are not registry keys.
Audit Policy security settings are not registry keys.
Audit Policy security settings are not registry keys.
Audit Policy security settings are not registry keys.
Not a registry key

Not a registry key


MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
Not a registry key
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing
MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail
MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineAccessRestriction
MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies
MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
Machine\Software\Microsoft\Windows\CurrentVersion\Policies\System, value=DontDisplayLockedUserId
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect

MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\SmbServerNameHardeningLevel
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine

MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine

MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest
MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\ClientAllowedNTLMServers
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DCAllowedNTLMServers
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\AuditReceivingNTLMTraffic
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDomain
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictReceivingNTLMTraffic
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RestrictNTLMInDomain
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
User Rights security settings are not registry keys
Event Log security settings are not registry keys.
Event Log security settings are not registry keys.
Event Log security settings are not registry keys.
Event Log security settings are not registry keys.
Event Log security settings are not registry keys.
Event Log security settings are not registry keys.
Event Log security settings are not registry keys.
Event Log security settings are not registry keys.
Event Log security settings are not registry keys.
Event Log security settings are not registry keys.
Event Log security settings are not registry keys.
Event Log security settings are not registry keys.
File System policy settings are not registry keys.
not a registry key
Restricted Groups policy settings are not registry keys.
System Services policy settings are not registry keys.
Reboot Required Comments
No
No
No
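No clients will get the new setting after a maximum of 8 hours but for DCs to assign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings.
No clients will get the new setting after a maximum of 8 hours but for DCs to assign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings.
No clients will get the new setting after a maximum of 8 hours but for DCs to assign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings.
No clients will get the new setting after a maximum of 8 hours but for DCs to assign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings.
No clients will get the new setting after a maximum of 8 hours but for DCs to assign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings.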
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No

No
No
No
No
Yes
Yes
No
Yes
No
No
No
No
No For the policy change to take effect, the spooler service needs to be stopped/restarted, but the system does not have to be rebooted.
No
No
Yes Restart of service might be sufficient
No
No
No Important: In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member’s domain must be running Windows NT 4.0 Service Pack 6 or higher.
In order to take advantage of this policy on doma
No
No
No
No Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
No

No
No
No
No
No
No
No
No
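No Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
No Important: This setting will apply to any computers running Windows 2000 through changes in the registry, but the security setting is not viewable through the Security Configuration Manager tool set.
No Only LogOff is required for W2K, XP and W2K3 computers. In Vista, start/restart the scpolicysvc will work or LogOff
Yes Important: For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.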
Yes
Yes
Yes
No
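Yes Important: For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.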
No
No
No
No
No Important: This policy has no impact on domain controllers. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.
No
No
No
Yes
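No Important: The Network access: Remotely accessible registry paths security setting that appears on computers running Windows XP corresponds to the Network access: Remotely accessible registry paths and subpaths security policy setting on members of the Wi

No Important: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you configure this setting on a member of the Windows Server 2003 family that is joined to a domain, this setting is inherited by computers

Yes
Yes
No Important: This setting only affects computers running Windows XP Professional which are not joined to a domain.
No This policy will have no impact on computers running Windows 2000. For more information, search for "Security Setting Descriptions" in the Win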
No
No
No
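No Important: Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
No This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Pr
No Important: This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the netwo
Yes
No Warning: This setting will apply to any computers running Windows 2000 through changes in the registry but the security setting will not be viewable through the Security Configuration Manager tool set. For more information, search for "Security Setting De
No Warning: This setting will apply to any computers running Windows 2000 through changes in the registry but the security setting will not be viewable through the Security Configuration Manager tool set. For more information, search for "Security Setting De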
No
No
No
No
No
No
No
No Require restart of recovery console
No Require restart of recovery console
No Requires logoff
Yes Vista does NOT require reboot
Yes Requires reboot with CNG on Vista; Does not require reboot with CAPI on Vista; Does not require reboot on XP, 2003 with CAPI
No
Yes
Yes
Yes
No
No
No
No
No
No
No
No
Yes
No
No
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Note: In Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family, the Task Scheduler automatically grants this right as necessary.
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Logoff required
No Note: This setting does not appear in the Local Computer Policy object.
No Note: This setting does not appear in the Local Computer Policy object.
No Important: Modifying this setting may affect compatibility with clients, services, and applications. For compati
Note: This setting does not appear in the Local Computer Policy object.
No Notes: This setting does not appear in the Local Computer Policy object.
No This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP.
Notes: This setting does not appear in the Local Computer Policy object.
No This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP.
Note: This setting does not appear in the Local Computer Policy object.
No This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP.
Notes: This setting does not appear in the Local Computer Policy object.
No A user must possess the Manage auditing and security log user right to access the security log.
Notes: This setting does not appear in the Local Computer Policy object.
No Note: This setting does not appear in the Local Computer Policy object.
No Note: This setting does not appear in the Local Computer Policy object.
No Note: This setting does not appear in the Local Computer Policy object.
No Note: This setting does not appear in the Local Computer Policy object.
Note: This setting does not appear in the Local Computer Policy object.
Note: This setting does not appear in the Local Computer Policy object.

Note: This setting does not appear in the Local Computer Policy object.
sign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings
sign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings
sign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings
sign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings
sign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings

d/restarted, but the system does not have to be rebooted.

s and servers, all domain controllers that constitute the member’s domain must be running Windows NT 4.0 Service Pack 6 or higher.
ailable through the Security Configuration Manager tools on these computers.

ailable through the Security Configuration Manager tools on these computers.


hrough changes in the registry, but the security setting is not viewable through the Security Configuration Manager tool set.
start the scpolicysvc will work or LogOff
0, client-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Serve

0, server-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Serv
mation, search for "Security Settings Descriptions" in the Windows Server 2003 Help.

y setting that appears on computers running Windows XP corresponds to the Network access: Remotely accessible registry paths and sub

: Remotely accessible registry paths." If you configure this setting on a member of the Windows Server 2003 family that is joined to a dom

onal which are not joined to a domain.


ore information, search for "Security Setting Descriptions" in the Win

y with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.


r, Windows 2000 Pr
2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computer

rough changes in the registry but the security setting will not be viewable through the Security Configuration Manager tool set. For more i
rough changes in the registry but the security setting will not be viewable through the Security Configuration Manager tool set. For more i

sta; Does not require reboot on XP, 2003 with CAPI


ofessional, and the Windows Server 2003 family, the Task Scheduler automatically grants this right as necessary.

ces, and applications. For compatibility information about this setting, see the "Event Log: Maximum sec

ws Server 2003, and Windows XP.


ws Server 2003, and Windows XP.
ws Server 2003, and Windows XP.
ess the security log.
gns all modified settings.
gns all modified settings.
gns all modified settings.
gns all modified settings.
gns all modified settings.

ce Pack 6 or higher.
s" in the Windows Server 2003 Help.

ns" in the Windows Server 2003 Help.


e registry paths and subpaths security policy setting on members of the Wi

y that is joined to a domain, this setting is inherited by computers

municate with computers running Windows NT 4.0 and earlier over the netwo

ager tool set. For more information, search for "Security Setting De
ager tool set. For more information, search for "Security Setting De
Policy Path
ettings\Advanced Audit Policy Configuration\Audit Policies\Account Logon
ettings\Advanced Audit Policy Configuration\Audit Policies\Account Logon
ettings\Advanced Audit Policy Configuration\Audit Policies\Account Logon
ettings\Advanced Audit Policy Configuration\Audit Policies\Account Logon
s\Advanced Audit Policy Configuration\Audit Policies\Account Management
s\Advanced Audit Policy Configuration\Audit Policies\Account Management
s\Advanced Audit Policy Configuration\Audit Policies\Account Management
s\Advanced Audit Policy Configuration\Audit Policies\Account Management
s\Advanced Audit Policy Configuration\Audit Policies\Account Management
s\Advanced Audit Policy Configuration\Audit Policies\Account Management
ings\Advanced Audit Policy Configuration\Audit Policies\Detailed Tracking
ings\Advanced Audit Policy Configuration\Audit Policies\Detailed Tracking
ings\Advanced Audit Policy Configuration\Audit Policies\Detailed Tracking
ings\Advanced Audit Policy Configuration\Audit Policies\Detailed Tracking
ows Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access
ows Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access
ows Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access
ows Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access
Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff
Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff
Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff
Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff
Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff
Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff
Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff
Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff
Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff
Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff
Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access
Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access
Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access
Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access
Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access
Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access
Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access
Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access
Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access
Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access
Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access
Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access
Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access
Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access
Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change
Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change
Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change
Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change
Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change
Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change
Settings\Advanced Audit Policy Configuration\Audit Policies\Privilege Use
Settings\Advanced Audit Policy Configuration\Audit Policies\Privilege Use
Settings\Advanced Audit Policy Configuration\Audit Policies\Privilege Use
ndows Settings\Advanced Audit Policy Configuration\Audit Policies\System
ndows Settings\Advanced Audit Policy Configuration\Audit Policies\System
ndows Settings\Advanced Audit Policy Configuration\Audit Policies\System
ndows Settings\Advanced Audit Policy Configuration\Audit Policies\System
ndows Settings\Advanced Audit Policy Configuration\Audit Policies\System
d Audit Policy Configuration\Audit Policies\Global Object Access Auditing
d Audit Policy Configuration\Audit Policies\Global Object Access Auditing
Policy Setting Name MSFT Win2012 R2 MSFT Win2012 DC
Audit Credential Validation Success and Failure
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Account Logon Events
Audit Application Group Management
Audit Computer Account Management Success Success and Failure
Audit Distributed Group Management
Audit Other Account Management Events Success and Failure
Audit Security Group Management Success and Failure
Audit User Account Management Success and Failure
Audit DPAPI Activity
Audit Process Creation Success
Audit Process Termination
Audit RPC Events
Audit Detailed Directory Service Replication
Audit directory service access Success and Failure
Audit Directory Service Changes Success and Failure
Audit Directory Service Replication
Audit Account Lockout
Audit IPSec Extended Mode
Audit IPSec Main Mode
Audit IPSec Quick Mode
Audit Logoff Success
Audit Logon Success and Failure
Audit Network Policy Server
Audit Other Logon/Logoff Events
Audit Special Logon Success
Audit User / Device Claims
Audit Application Generated
Audit Central Access Policy Staging
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events
Audit Registry
Audit Removable Storage
Audit SAM
Audit Audit Policy Change Success and Failure
Audit Authentication Policy Change Success
Audit Authorization Policy Change
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events
Audit Non Sensitive Privilege Use
Audit Other Privilege Use Events
Audit Sensitive Privilege Use Success and Failure
Audit IPSec Driver Success and Failure
Audit Other System Events
Audit Security State Change Success and Failure
Audit Security System Extension Success and Failure
Audit System Integrity Success and Failure
File System
Registry
Explain Text Requirements Registry Information
Policy Path Policy Setting Name MSFT Win2012 Explain Text Requirements Registry Information
ws Settings\Windows Firewall with Advanced Security\Domain Profile\State Firewall State On
ws Settings\Windows Firewall with Advanced Security\Domain Profile\State Inbound Connections Block
ws Settings\Windows Firewall with Advanced Security\Domain Profile\State Outbound Connections Allow
ws Settings\Windows Firewall with Advanced Security\Domain Profile\State Protected network connections
Settings\Windows Firewall with Advanced Security\Domain Profile\Settings Display a notification Yes
Settings\Windows Firewall with Advanced Security\Domain Profile\Settings Allow unicast response No
Settings\Windows Firewall with Advanced Security\Domain Profile\Settings Apply local firewall rules Yes
Settings\Windows Firewall with Advanced Security\Domain Profile\Settings Apply local connection security rules Yes
Settings\Windows Firewall with Advanced Security\Domain Profile\Logging Name
Settings\Windows Firewall with Advanced Security\Domain Profile\Logging Size limit
Settings\Windows Firewall with Advanced Security\Domain Profile\Logging Log dropped packets
Settings\Windows Firewall with Advanced Security\Domain Profile\Logging Log successful connections
ws Settings\Windows Firewall with Advanced Security\Private Profile\State Firewall State On
ws Settings\Windows Firewall with Advanced Security\Private Profile\State Inbound Connections Block
ws Settings\Windows Firewall with Advanced Security\Private Profile\State Outbound Connections Allow
ws Settings\Windows Firewall with Advanced Security\Private Profile\State Protected network connections
Settings\Windows Firewall with Advanced Security\Private Profile\Settings Display a notification Yes
Settings\Windows Firewall with Advanced Security\Private Profile\Settings Allow unicast response No
Settings\Windows Firewall with Advanced Security\Private Profile\Settings Apply local firewall rules Yes
Settings\Windows Firewall with Advanced Security\Private Profile\Settings Apply local connection security rules Yes
Settings\Windows Firewall with Advanced Security\Private Profile\Logging Name
Settings\Windows Firewall with Advanced Security\Private Profile\Logging Size limit
Settings\Windows Firewall with Advanced Security\Private Profile\Logging Log dropped packets
Settings\Windows Firewall with Advanced Security\Private Profile\Logging Log successful connections
ows Settings\Windows Firewall with Advanced Security\Public Profile\State Firewall State On
ows Settings\Windows Firewall with Advanced Security\Public Profile\State Inbound Connections Block
ows Settings\Windows Firewall with Advanced Security\Public Profile\State Outbound Connections Allow
ows Settings\Windows Firewall with Advanced Security\Public Profile\State Protected network connections
Settings\Windows Firewall with Advanced Security\Public Profile\Settings Display a notification Yes
Settings\Windows Firewall with Advanced Security\Public Profile\Settings Allow unicast response No
Settings\Windows Firewall with Advanced Security\Public Profile\Settings Apply local firewall rules Yes
Settings\Windows Firewall with Advanced Security\Public Profile\Settings Apply local connection security rules Yes
s Settings\Windows Firewall with Advanced Security\Public Profile\Logging Name
s Settings\Windows Firewall with Advanced Security\Public Profile\Logging Size limit
s Settings\Windows Firewall with Advanced Security\Public Profile\Logging Log dropped packets
s Settings\Windows Firewall with Advanced Security\Public Profile\Logging Log successful connections
ngs\Windows Firewall with Advanced Security\IPSec Settings\Ipsec defaults Key exchange
ngs\Windows Firewall with Advanced Security\IPSec Settings\Ipsec defaults Data protection
ngs\Windows Firewall with Advanced Security\IPSec Settings\Ipsec defaults Authentication method
\Windows Firewall with Advanced Security\IPSec Settings\Ipsec exemptions Exempt ICMP from Ipsec
\Windows Settings\Windows Firewall with Advanced Security\IPSec Settings Ipsec tunnel authorization
Configuration\Windows Settings\Windows Firewall with Advanced Security Outbound Firewall Rule
Configuration\Windows Settings\Windows Firewall with Advanced Security Outbound Firewall Rule
n\Windows Settings\Windows Firewall with Advanced Security\Public Profile Inbound Firewall Rule
n\Windows Settings\Windows Firewall with Advanced Security\Public Profile Inbound Firewall Rule
n\Windows Settings\Windows Firewall with Advanced Security\Public Profile Inbound Firewall Rule
n\Windows Settings\Windows Firewall with Advanced Security\Public Profile Inbound Firewall Rule
Policy Path
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Regional and Language Options
Control Panel\Regional and Language Options
Control Panel\Regional and Language Options
Control Panel\Regional and Language Options\Handwrit
Control Panel\User Accounts
Network
Network\Background Intelligent Transfer Service (BITS)
Network\Background Intelligent Transfer Service (BITS)
Network\Background Intelligent Transfer Service (BITS)
Network\Background Intelligent Transfer Service (BITS)
Network\Background Intelligent Transfer Service (BITS)
Network\Background Intelligent Transfer Service (BITS)
Network\Background Intelligent Transfer Service (BITS)
Network\Background Intelligent Transfer Service (BITS)
Network\Background Intelligent Transfer Service (BITS)
Network\Background Intelligent Transfer Service (BITS)
Network\Background Intelligent Transfer Service (BITS)
Network\Background Intelligent Transfer Service (BITS)
Network\Background Intelligent Transfer Service (BITS)
Network\Background Intelligent Transfer Service (BITS)
Network\Background Intelligent Transfer Service (BITS)
Network\Background Intelligent Transfer Service (BITS)
Network\Background Intelligent Transfer Service (BITS)
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\Hotspot Authentication
Network\Lanman Server
Network\Lanman Server
Network\Link-Layer Topology Discovery
Network\Link-Layer Topology Discovery
Network\Microsoft Peer-to-Peer Networking Services
Network\Microsoft Peer-to-Peer Networking Services
Network\Microsoft Peer-to-Peer Networking Services\
Network\Microsoft Peer-to-Peer Networking Services\
Network\Microsoft Peer-to-Peer Networking Services\
Network\Microsoft Peer-to-Peer Networking Services\
Network\Microsoft Peer-to-Peer Networking Services\P
Network\Microsoft Peer-to-Peer Networking Services\P
Network\Microsoft Peer-to-Peer Networking Services\P
Network\Microsoft Peer-to-Peer Networking Services\P
Network\Microsoft Peer-to-Peer Networking Services\P
Network\Microsoft Peer-to-Peer Networking Services\P
Network\Microsoft Peer-to-Peer Networking Services\P
Network\Microsoft Peer-to-Peer Networking Services\P
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections\Windows Firewall
Network\Network Connections\Windows Firewall\Doma
Network\Network Connections\Windows Firewall\Doma
Network\Network Connections\Windows Firewall\Doma
Network\Network Connections\Windows Firewall\Doma
Network\Network Connections\Windows Firewall\Doma
Network\Network Connections\Windows Firewall\Doma
Network\Network Connections\Windows Firewall\Doma
Network\Network Connections\Windows Firewall\Doma
Network\Network Connections\Windows Firewall\Doma
Network\Network Connections\Windows Firewall\Doma
Network\Network Connections\Windows Firewall\Doma
Network\Network Connections\Windows Firewall\Doma
Network\Network Connections\Windows Firewall\Doma
Network\Network Connections\Windows Firewall\Doma
Network\Network Connections\Windows Firewall\Stand
Network\Network Connections\Windows Firewall\Stand
Network\Network Connections\Windows Firewall\Stand
Network\Network Connections\Windows Firewall\Stand
Network\Network Connections\Windows Firewall\Stand
Network\Network Connections\Windows Firewall\Stand
Network\Network Connections\Windows Firewall\Stand
Network\Network Connections\Windows Firewall\Stand
Network\Network Connections\Windows Firewall\Stand
Network\Network Connections\Windows Firewall\Stand
Network\Network Connections\Windows Firewall\Stand
Network\Network Connections\Windows Firewall\Stand
Network\Network Connections\Windows Firewall\Stand
Network\Network Connections\Windows Firewall\Stand
Network\Network Connectivity Status Indicator
Network\Network Connectivity Status Indicator
Network\Network Connectivity Status Indicator
Network\Network Connectivity Status Indicator
Network\Network Connectivity Status Indicator
Network\Network Connectivity Status Indicator
Network\Network Isolation
Network\Network Isolation
Network\Network Isolation
Network\Network Isolation
Network\Network Isolation
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\QoS Packet Scheduler
Network\QoS Packet Scheduler
Network\QoS Packet Scheduler
Network\QoS Packet Scheduler\DSCP value of conform
Network\QoS Packet Scheduler\DSCP value of conform
Network\QoS Packet Scheduler\DSCP value of conform
Network\QoS Packet Scheduler\DSCP value of conform
Network\QoS Packet Scheduler\DSCP value of conform
Network\QoS Packet Scheduler\DSCP value of non-con
Network\QoS Packet Scheduler\DSCP value of non-con
Network\QoS Packet Scheduler\DSCP value of non-con
Network\QoS Packet Scheduler\DSCP value of non-con
Network\QoS Packet Scheduler\DSCP value of non-con
Network\QoS Packet Scheduler\Layer-2 priority value
Network\QoS Packet Scheduler\Layer-2 priority value
Network\QoS Packet Scheduler\Layer-2 priority value
Network\QoS Packet Scheduler\Layer-2 priority value
Network\QoS Packet Scheduler\Layer-2 priority value
Network\QoS Packet Scheduler\Layer-2 priority value
Network\SNMP
Network\SNMP
Network\SNMP
Network\SSL Configuration Settings
Network\TCPIP Settings\IPv6 Transition Technologies
Network\TCPIP Settings\IPv6 Transition Technologies
Network\TCPIP Settings\IPv6 Transition Technologies
Network\TCPIP Settings\IPv6 Transition Technologies
Network\TCPIP Settings\IPv6 Transition Technologies
Network\TCPIP Settings\IPv6 Transition Technologies
Network\TCPIP Settings\IPv6 Transition Technologies
Network\TCPIP Settings\IPv6 Transition Technologies
Network\TCPIP Settings\IPv6 Transition Technologies
Network\TCPIP Settings\IPv6 Transition Technologies
Network\TCPIP Settings\IPv6 Transition Technologies
Network\TCPIP Settings\Parameters
Network\TCPIP Settings\Parameters
Network\Windows Connect Now
Network\Windows Connect Now
Network\Windows Connection Manager
Network\Windows Connection Manager
Network\Windows Connection Manager
Network\Windows Connection Manager
Network\WLAN Service\WLAN Media Cost
Network\WWAN Service\WWAN Media Cost
Network\WWAN Service\WWAN Media Cost
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
SCM: Pass the Hash Mitigations
SCM: Pass the Hash Mitigations
SCM: Pass the Hash Mitigations
SCM: Pass the Hash Mitigations
Server
Server
Server
Server
Server
Start Menu and Taskbar
Start Menu and Taskbar
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System\Access-Denied Assistance
System\Access-Denied Assistance
System\Audit Process Creation
System\Credentials Delegation
System\Credentials Delegation
System\Credentials Delegation
System\Credentials Delegation
System\Credentials Delegation
System\Credentials Delegation
System\Credentials Delegation
System\Credentials Delegation
System\Credentials Delegation
System\Credentials Delegation
System\Device Installation
System\Device Installation
System\Device Installation
System\Device Installation
System\Device Installation
System\Device Installation
System\Device Installation
System\Device Installation
System\Device Installation
System\Device Installation
System\Device Installation\Device Installation Restricti
System\Device Installation\Device Installation Restricti
System\Device Installation\Device Installation Restricti
System\Device Installation\Device Installation Restricti
System\Device Installation\Device Installation Restricti
System\Device Installation\Device Installation Restricti
System\Device Installation\Device Installation Restricti
System\Device Installation\Device Installation Restricti
System\Device Installation\Device Installation Restricti
System\Device Installation\Device Installation Restricti
System\Device Redirection\Device Redirection Restrict
System\Device Redirection\Device Redirection Restrict
System\Disk NV Cache
System\Disk NV Cache
System\Disk NV Cache
System\Disk NV Cache
System\Disk Quotas
System\Disk Quotas
System\Disk Quotas
System\Disk Quotas
System\Disk Quotas
System\Disk Quotas
System\Distributed COM\Application Compatibility Set
System\Distributed COM\Application Compatibility Set
System\Driver Installation
System\Driver Installation
System\Early Launch Antimalware
System\Enhanced Storage Access
System\Enhanced Storage Access
System\Enhanced Storage Access
System\Enhanced Storage Access
System\Enhanced Storage Access
System\Enhanced Storage Access
System\Enhanced Storage Access
System\File Classification Infrastructure
System\File Classification Infrastructure
System\File Share Shadow Copy Provider
System\Filesystem
System\Filesystem
System\Filesystem\NTFS
System\Filesystem\NTFS
System\Filesystem\NTFS
System\Filesystem\NTFS
System\Filesystem\NTFS
System\Folder Redirection
System\Folder Redirection
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Group Policy\Logging and tracing
System\Internet Communication Management
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\Internet Communication Management\Internet
System\iSCSI\General iSCSI
System\iSCSI\General iSCSI
System\iSCSI\iSCSI Security
System\iSCSI\iSCSI Security
System\iSCSI\iSCSI Security
System\iSCSI\iSCSI Security
System\iSCSI\iSCSI Target Discovery
System\iSCSI\iSCSI Target Discovery
System\iSCSI\iSCSI Target Discovery
System\iSCSI\iSCSI Target Discovery
System\KDC
System\KDC
System\KDC
System\KDC
System\KDC
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Locale Services
System\Locale Services
System\Locale Services
System\Locale Services
System\Locale Services
System\Locale Services
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Net Logon\DC Locator DNS Records
System\Power Management
System\Power Management
System\Power Management\Button Settings
System\Power Management\Button Settings
System\Power Management\Button Settings
System\Power Management\Button Settings
System\Power Management\Button Settings
System\Power Management\Button Settings
System\Power Management\Button Settings
System\Power Management\Button Settings
System\Power Management\Hard Disk Settings
System\Power Management\Hard Disk Settings
System\Power Management\Notification Settings
System\Power Management\Notification Settings
System\Power Management\Notification Settings
System\Power Management\Notification Settings
System\Power Management\Notification Settings
System\Power Management\Notification Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Sleep Settings
System\Power Management\Video and Display Setting
System\Power Management\Video and Display Setting
System\Power Management\Video and Display Setting
System\Power Management\Video and Display Setting
System\Power Management\Video and Display Setting
System\Power Management\Video and Display Setting
System\Power Management\Video and Display Setting
System\Power Management\Video and Display Setting
System\Power Management\Video and Display Setting
System\Power Management\Video and Display Setting
System\Recovery
System\Remote Assistance
System\Remote Assistance
System\Remote Assistance
System\Remote Assistance
System\Remote Assistance
System\Remote Assistance
System\Remote Procedure Call
System\Remote Procedure Call
System\Remote Procedure Call
System\Remote Procedure Call
System\Remote Procedure Call
System\Remote Procedure Call
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Server Manager
System\Server Manager
System\Server Manager
System\Shutdown
System\Shutdown Options
System\System Restore
System\System Restore
System\Troubleshooting and Diagnostics
System\Troubleshooting and Diagnostics
System\Troubleshooting and Diagnostics\Application Co
System\Troubleshooting and Diagnostics\Application Co
System\Troubleshooting and Diagnostics\Application Co
System\Troubleshooting and Diagnostics\Application Co
System\Troubleshooting and Diagnostics\Application Co
System\Troubleshooting and Diagnostics\Application Co
System\Troubleshooting and Diagnostics\Application Co
System\Troubleshooting and Diagnostics\Corrupted Fil
System\Troubleshooting and Diagnostics\Disk Diagnost
System\Troubleshooting and Diagnostics\Disk Diagnost
System\Troubleshooting and Diagnostics\Fault Toleran
System\Troubleshooting and Diagnostics\Microsoft Sup
System\Troubleshooting and Diagnostics\Microsoft Sup
System\Troubleshooting and Diagnostics\Microsoft Sup
System\Troubleshooting and Diagnostics\MSI Corrupted
System\Troubleshooting and Diagnostics\Scheduled M
System\Troubleshooting and Diagnostics\Scripted Diag
System\Troubleshooting and Diagnostics\Scripted Diag
System\Troubleshooting and Diagnostics\Scripted Diag
System\Troubleshooting and Diagnostics\Windows Boo
System\Troubleshooting and Diagnostics\Windows Me
System\Troubleshooting and Diagnostics\Windows Per
System\Troubleshooting and Diagnostics\Windows Reso
System\Troubleshooting and Diagnostics\Windows Shu
System\Troubleshooting and Diagnostics\Windows St
System\Troubleshooting and Diagnostics\Windows Sys
System\Trusted Platform Module Services
System\Trusted Platform Module Services
System\Trusted Platform Module Services
System\Trusted Platform Module Services
System\Trusted Platform Module Services
System\Trusted Platform Module Services
System\Trusted Platform Module Services
System\Trusted Platform Module Services
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
System\Windows File Protection
System\Windows File Protection
System\Windows File Protection
System\Windows File Protection
System\Windows Time Service
System\Windows Time Service\Time Providers
System\Windows Time Service\Time Providers
System\Windows Time Service\Time Providers
Windows Components\ActiveX Installer Service
Windows Components\ActiveX Installer Service
Windows Components\Add features to Windows 8.1
Windows Components\App Package Deployment
Windows Components\App Package Deployment
Windows Components\App Package Deployment
Windows Components\App runtime
Windows Components\App runtime
Windows Components\App runtime
Windows Components\App runtime
Windows Components\Application Compatibility
Windows Components\Application Compatibility
Windows Components\Application Compatibility
Windows Components\Application Compatibility
Windows Components\Application Compatibility
Windows Components\Application Compatibility
Windows Components\Application Compatibility
Windows Components\Application Compatibility
Windows Components\AutoPlay Policies
Windows Components\AutoPlay Policies
Windows Components\AutoPlay Policies
Windows Components\AutoPlay Policies
Windows Components\Biometrics
Windows Components\Biometrics
Windows Components\Biometrics
Windows Components\Biometrics
Windows Components\BitLocker Drive Encryption
Windows Components\BitLocker Drive Encryption
Windows Components\BitLocker Drive Encryption
Windows Components\BitLocker Drive Encryption
Windows Components\BitLocker Drive Encryption
Windows Components\BitLocker Drive Encryption
Windows Components\BitLocker Drive Encryption
Windows Components\BitLocker Drive Encryption
Windows Components\BitLocker Drive Encryption\Fixed
Windows Components\BitLocker Drive Encryption\Fixed
Windows Components\BitLocker Drive Encryption\Fixed
Windows Components\BitLocker Drive Encryption\Fixed
Windows Components\BitLocker Drive Encryption\Fixed
Windows Components\BitLocker Drive Encryption\Fixed
Windows Components\BitLocker Drive Encryption\Fixed
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Oper
Windows Components\BitLocker Drive Encryption\Rem
Windows Components\BitLocker Drive Encryption\Rem
Windows Components\BitLocker Drive Encryption\Rem
Windows Components\BitLocker Drive Encryption\Rem
Windows Components\BitLocker Drive Encryption\Rem
Windows Components\BitLocker Drive Encryption\Rem
Windows Components\BitLocker Drive Encryption\Rem
Windows Components\BitLocker Drive Encryption\Rem
Windows Components\Credential User Interface
Windows Components\Credential User Interface
Windows Components\Credential User Interface
Windows Components\Desktop Gadgets
Windows Components\Desktop Gadgets
Windows Components\Desktop Gadgets
Windows Components\Desktop Window Manager
Windows Components\Desktop Window Manager
Windows Components\Desktop Window Manager
Windows Components\Desktop Window Manager\Wind
Windows Components\Desktop Window Manager\Wind
Windows Components\Device and Driver Compatibility
Windows Components\Device and Driver Compatibility
Windows Components\Digital Locker
Windows Components\Edge UI
Windows Components\EMET
Windows Components\EMET
Windows Components\EMET
Windows Components\EMET
Windows Components\EMET
Windows Components\EMET
Windows Components\EMET
Windows Components\EMET
Windows Components\EMET
Windows Components\EMET
Windows Components\EMET
Windows Components\Event Forwarding
Windows Components\Event Forwarding
Windows Components\Event Log Service\Application
Windows Components\Event Log Service\Application
Windows Components\Event Log Service\Application
Windows Components\Event Log Service\Application
Windows Components\Event Log Service\Application
Windows Components\Event Log Service\Security
Windows Components\Event Log Service\Security
Windows Components\Event Log Service\Security
Windows Components\Event Log Service\Security
Windows Components\Event Log Service\Security
Windows Components\Event Log Service\Setup
Windows Components\Event Log Service\Setup
Windows Components\Event Log Service\Setup
Windows Components\Event Log Service\Setup
Windows Components\Event Log Service\Setup
Windows Components\Event Log Service\Setup
Windows Components\Event Log Service\System
Windows Components\Event Log Service\System
Windows Components\Event Log Service\System
Windows Components\Event Log Service\System
Windows Components\Event Log Service\System
Windows Components\Event Viewer
Windows Components\Event Viewer
Windows Components\Event Viewer
Windows Components\Family Safety
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer\Previous Versions
Windows Components\File Explorer\Previous Versions
Windows Components\File Explorer\Previous Versions
Windows Components\File Explorer\Previous Versions
Windows Components\File Explorer\Previous Versions
Windows Components\File Explorer\Previous Versions
Windows Components\File History
Windows Components\Game Explorer
Windows Components\Game Explorer
Windows Components\Game Explorer
Windows Components\HomeGroup
Windows Components\Internet Information Services
Windows Components\Location and Sensors
Windows Components\Location and Sensors
Windows Components\Location and Sensors
Windows Components\Location and Sensors\Windows L
Windows Components\Maintenance Scheduler
Windows Components\Maintenance Scheduler
Windows Components\Maintenance Scheduler
Windows Components\NetMeeting
Windows Components\Network Access Protection
Windows Components\Network Projector
Windows Components\Network Projector
Windows Components\Online Assistance
Windows Components\Password Synchronization
Windows Components\Password Synchronization
Windows Components\Password Synchronization
Windows Components\Password Synchronization
Windows Components\Portable Operating System
Windows Components\Portable Operating System
Windows Components\Portable Operating System
Windows Components\Presentation Settings
Windows Components\Remote Desktop Services\RD Li
Windows Components\Remote Desktop Services\RD Li
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remot
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\Remote Desktop Services\Remote
Windows Components\RSS Feeds
Windows Components\RSS Feeds
Windows Components\RSS Feeds
Windows Components\RSS Feeds
Windows Components\RSS Feeds
Windows Components\RSS Feeds
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Security Center
Windows Components\Server for NIS
Windows Components\Server for NIS
Windows Components\Shutdown Options
Windows Components\Shutdown Options
Windows Components\SkyDrive
Windows Components\SkyDrive
Windows Components\SkyDrive
Windows Components\Smart Card
Windows Components\Smart Card
Windows Components\Smart Card
Windows Components\Smart Card
Windows Components\Smart Card
Windows Components\Smart Card
Windows Components\Smart Card
Windows Components\Smart Card
Windows Components\Smart Card
Windows Components\Smart Card
Windows Components\Smart Card
Windows Components\Smart Card
Windows Components\Smart Card
Windows Components\Smart Card
Windows Components\Smart Card
Windows Components\Smart Card
Windows Components\Sound Recorder
Windows Components\Store
Windows Components\Store
Windows Components\Store
Windows Components\Store
Windows Components\Sync your settings
Windows Components\Sync your settings
Windows Components\Sync your settings
Windows Components\Sync your settings
Windows Components\Sync your settings
Windows Components\Sync your settings
Windows Components\Sync your settings
Windows Components\Sync your settings
Windows Components\Sync your settings
Windows Components\Sync your settings
Windows Components\Tablet PC\Accessories
Windows Components\Tablet PC\Accessories
Windows Components\Tablet PC\Accessories
Windows Components\Tablet PC\Accessories
Windows Components\Tablet PC\Cursors
Windows Components\Tablet PC\Hardware Buttons
Windows Components\Tablet PC\Hardware Buttons
Windows Components\Tablet PC\Hardware Buttons
Windows Components\Tablet PC\Hardware Buttons
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Pen Flicks Learning
Windows Components\Tablet PC\Pen UX Behaviors
Windows Components\Tablet PC\Tablet PC Pen Trainin
Windows Components\Tablet PC\Touch Input
Windows Components\Tablet PC\Touch Input
Windows Components\Task Scheduler
Windows Components\Task Scheduler
Windows Components\Task Scheduler
Windows Components\Task Scheduler
Windows Components\Task Scheduler
Windows Components\Task Scheduler
Windows Components\Task Scheduler
Windows Components\Windows Calendar
Windows Components\Windows Color System
Windows Components\Windows Customer Experience
Windows Components\Windows Customer Experience
Windows Components\Windows Defender
Windows Components\Windows Defender
Windows Components\Windows Defender
Windows Components\Windows Defender
Windows Components\Windows Defender
Windows Components\Windows Defender
Windows Components\Windows Defender
Windows Components\Windows Defender
Windows Components\Windows Defender\Client Inter
Windows Components\Windows Defender\Client Inter
Windows Components\Windows Defender\Exclusions
Windows Components\Windows Defender\Exclusions
Windows Components\Windows Defender\Exclusions
Windows Components\Windows Defender\MAPS
Windows Components\Windows Defender\MAPS
Windows Components\Windows Defender\Network Ins
Windows Components\Windows Defender\Network Ins
Windows Components\Windows Defender\Network Ins
Windows Components\Windows Defender\Network Ins
Windows Components\Windows Defender\Network Insp
Windows Components\Windows Defender\Network Insp
Windows Components\Windows Defender\Network Insp
Windows Components\Windows Defender\Network Insp
Windows Components\Windows Defender\Quarantine
Windows Components\Windows Defender\Quarantine
Windows Components\Windows Defender\Real-time Pr
Windows Components\Windows Defender\Real-time Pr
Windows Components\Windows Defender\Real-time Pr
Windows Components\Windows Defender\Real-time Pr
Windows Components\Windows Defender\Real-time Pr
Windows Components\Windows Defender\Real-time Pr
Windows Components\Windows Defender\Real-time Pr
Windows Components\Windows Defender\Real-time Pr
Windows Components\Windows Defender\Real-time Pr
Windows Components\Windows Defender\Real-time Pr
Windows Components\Windows Defender\Real-time Pr
Windows Components\Windows Defender\Real-time Pr
Windows Components\Windows Defender\Real-time Pr
Windows Components\Windows Defender\Real-time Pr
Windows Components\Windows Defender\Real-time Pr
Windows Components\Windows Defender\Real-time Pr
Windows Components\Windows Defender\Remediatio
Windows Components\Windows Defender\Remediatio
Windows Components\Windows Defender\Remediatio
Windows Components\Windows Defender\Reporting
Windows Components\Windows Defender\Reporting
Windows Components\Windows Defender\Reporting
Windows Components\Windows Defender\Reporting
Windows Components\Windows Defender\Reporting
Windows Components\Windows Defender\Reporting
Windows Components\Windows Defender\Reporting
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Scan
Windows Components\Windows Defender\Signature U
Windows Components\Windows Defender\Signature U
Windows Components\Windows Defender\Signature U
Windows Components\Windows Defender\Signature U
Windows Components\Windows Defender\Signature U
Windows Components\Windows Defender\Signature U
Windows Components\Windows Defender\Signature U
Windows Components\Windows Defender\Signature U
Windows Components\Windows Defender\Signature U
Windows Components\Windows Defender\Signature U
Windows Components\Windows Defender\Signature U
Windows Components\Windows Defender\Signature U
Windows Components\Windows Defender\Signature U
Windows Components\Windows Defender\Signature U
Windows Components\Windows Defender\Signature U
Windows Components\Windows Defender\Threats
Windows Components\Windows Defender\Threats
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting\Advanc
Windows Components\Windows Error Reporting\Advanc
Windows Components\Windows Error Reporting\Advanc
Windows Components\Windows Error Reporting\Advanc
Windows Components\Windows Error Reporting\Advanc
Windows Components\Windows Error Reporting\Advanc
Windows Components\Windows Error Reporting\Advanc
Windows Components\Windows Error Reporting\Advanc
Windows Components\Windows Error Reporting\Advanc
Windows Components\Windows Error Reporting\Cons
Windows Components\Windows Error Reporting\Cons
Windows Components\Windows Error Reporting\Cons
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Logon Options
Windows Components\Windows Logon Options
Windows Components\Windows Logon Options
Windows Components\Windows Logon Options
Windows Components\Windows Mail
Windows Components\Windows Mail
Windows Components\Windows Media Center
Windows Components\Windows Media Digital Rights
Windows Components\Windows Media Player
Windows Components\Windows Media Player
Windows Components\Windows Media Player
Windows Components\Windows Media Player
Windows Components\Windows Media Player
Windows Components\Windows Media Player
Windows Components\Windows Messenger
Windows Components\Windows Messenger
Windows Components\Windows Mobility Center
Windows Components\Windows PowerShell
Windows Components\Windows PowerShell
Windows Components\Windows PowerShell
Windows Components\Windows Reliability Analysis
Windows Components\Windows Remote Management
Windows Components\Windows Remote Management
Windows Components\Windows Remote Management
Windows Components\Windows Remote Management
Windows Components\Windows Remote Management
Windows Components\Windows Remote Management
Windows Components\Windows Remote Management
Windows Components\Windows Remote Management
Windows Components\Windows Remote Management
Windows Components\Windows Remote Management
Windows Components\Windows Remote Management
Windows Components\Windows Remote Management
Windows Components\Windows Remote Management
Windows Components\Windows Remote Management
Windows Components\Windows Remote Management
Windows Components\Windows Remote Management
Windows Components\Windows Remote Management
Windows Components\Windows Remote Shell
Windows Components\Windows Remote Shell
Windows Components\Windows Remote Shell
Windows Components\Windows Remote Shell
Windows Components\Windows Remote Shell
Windows Components\Windows Remote Shell
Windows Components\Windows Remote Shell
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Work Folders
Windows Components\Workplace Join
Policy Setting Name
Do not display the lock screen
Force a specific background and accent color
Force a specific default lock screen image
Force a specific Start background
Prevent changing lock screen image
Prevent changing start menu background
Prevent enabling lock screen camera
Prevent enabling lock screen slide show
Block clean-up of unused language packs
Force selected system UI language to overwrite the user UI language
Restricts the UI language Windows uses for all logged users
Turn off automatic learning
Apply the default account picture to all users
Configure how often a DFS client discovers domain controllers
Allow BITS Peercaching
Do not allow the BITS client to use Windows Branch Cache
Do not allow the computer to act as a BITS Peercaching client
Do not allow the computer to act as a BITS Peercaching server
Limit the age of files in the BITS Peercache
Limit the BITS Peercache size
Limit the maximum BITS job download time
Limit the maximum network bandwidth for BITS background transfers
Limit the maximum network bandwidth used for Peercaching
Limit the maximum number of BITS jobs for each user
Limit the maximum number of BITS jobs for this computer
Limit the maximum number of files allowed in a BITS job
Limit the maximum number of ranges that can be added to the file in a BITS job
Set default download behavior for BITS jobs on costed networks
Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers
Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers
Timeout for inactive BITS jobs
Configure BranchCache for network files
Configure Client BranchCache Version Support
Configure Hosted Cache Servers
Enable Automatic Hosted Cache Discovery by Service Connection Point
Set age for segments in the data cache
Set BranchCache Distributed Cache mode
Set BranchCache Hosted Cache mode
Set percentage of disk space used for client computer cache
Turn on BranchCache
Allow DNS suffix appending to unqualified multi-label name queries
Allow NetBT queries for fully qualified domain names
Connection-specific DNS suffix
DNS servers
DNS suffix search list
Dynamic update
IDN mapping
Prefer link local responses over DNS when received over a network with higher precedence
Primary DNS suffix
Primary DNS suffix devolution
Primary DNS suffix devolution level
Register DNS records with connection-specific DNS suffix
Register PTR records
Registration refresh interval
Replace addresses in conflicts
TTL value for A and PTR records
Turn off IDN encoding
Turn off multicast name resolution
Turn off smart multi-homed name resolution
Turn off smart protocol reordering
Update security level
Update top level domain zones
Enable Hotspot Authentication
Hash Publication for BranchCache
Hash Version support for BranchCache
Turn on Mapper I/O (LLTDIO) driver
Turn on Responder (RSPNDR) driver
Disable password strength validation for Peer Grouping
Turn off Microsoft Peer-to-Peer Networking Services
Set PNRP cloud to resolve only
Set the Seed Server
Turn off Multicast Bootstrap
Turn off PNRP cloud creation
Set PNRP cloud to resolve only
Set the Seed Server
Turn off Multicast Bootstrap
Turn off PNRP cloud creation
Set PNRP cloud to resolve only
Set the Seed Server
Turn off Multicast Bootstrap
Turn off PNRP cloud creation
Do not show the "local access only" network icon
Prohibit installation and configuration of Network Bridge on your DNS domain network
Prohibit use of Internet Connection Firewall on your DNS domain network
Prohibit use of Internet Connection Sharing on your DNS domain network
Require domain users to elevate when setting a network's location
Route all traffic through the internal network
Windows Firewall: Allow authenticated IPsec bypass
Windows Firewall: Allow ICMP exceptions
Windows Firewall: Allow inbound file and printer sharing exception
Windows Firewall: Allow inbound remote administration exception
Windows Firewall: Allow inbound Remote Desktop exceptions
Windows Firewall: Allow inbound UPnP framework exceptions
Windows Firewall: Allow local port exceptions
Windows Firewall: Allow local program exceptions
Windows Firewall: Allow logging
Windows Firewall: Define inbound port exceptions
Windows Firewall: Define inbound program exceptions
Windows Firewall: Do not allow exceptions
Windows Firewall: Prohibit notifications
Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Windows Firewall: Protect all network connections
Windows Firewall: Allow ICMP exceptions
Windows Firewall: Allow inbound file and printer sharing exception
Windows Firewall: Allow inbound remote administration exception
Windows Firewall: Allow inbound Remote Desktop exceptions
Windows Firewall: Allow inbound UPnP framework exceptions
Windows Firewall: Allow local port exceptions
Windows Firewall: Allow local program exceptions
Windows Firewall: Allow logging
Windows Firewall: Define inbound port exceptions
Windows Firewall: Define inbound program exceptions
Windows Firewall: Do not allow exceptions
Windows Firewall: Prohibit notifications
Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Windows Firewall: Protect all network connections
Specify corporate DNS probe host address
Specify corporate DNS probe host name
Specify corporate site prefix list
Specify corporate Website probe URL
Specify domain location determination URL
Specify passive polling
Internet proxy servers for apps
Intranet proxy servers for apps
Private network ranges for apps
Proxy definitions are authoritative
Subnet definitions are authoritative
Action on server disconnect
Allow or Disallow use of the Offline Files feature
At logoff, delete local copy of user’s offline files
Configure Background Sync
Configure Slow link speed
Configure slow-link mode
Default cache size
Enable file screens
Enable file synchronization on costed networks
Enable Transparent Caching
Encrypt the Offline Files cache
Event logging level
Files not cached
Initial reminder balloon lifetime
Limit disk space used by Offline Files
Non-default server disconnect actions
Prevent use of Offline Files folder
Prohibit user configuration of Offline Files
Reminder balloon frequency
Reminder balloon lifetime
Remove "Make Available Offline" command
Remove "Make Available Offline" for these files and folders
Remove "Work offline" command
Specify administratively assigned Offline Files
Subfolders always available offline
Synchronize all offline files before logging off
Synchronize all offline files when logging on
Synchronize offline files before suspend
Turn off reminder balloons
Turn on economical application of administratively assigned Offline Files
Limit outstanding packets
Limit reservable bandwidth
Set timer resolution
Best effort service type
Controlled load service type
Guaranteed service type
Network control service type
Qualitative service type
Best effort service type
Controlled load service type
Guaranteed service type
Network control service type
Qualitative service type
Best effort service type
Controlled load service type
Guaranteed service type
Network control service type
Non-conforming packets
Qualitative service type
Specify communities
Specify permitted managers
Specify traps for public community
SSL Cipher Suite Order
Set 6to4 Relay Name
Set 6to4 Relay Name Resolution Interval
Set 6to4 State
Set IP-HTTPS State
Set ISATAP Router Name
Set ISATAP State
Set Teredo Client Port
Set Teredo Default Qualified
Set Teredo Refresh Rate
Set Teredo Server Name
Set Teredo State
Set IP Stateless Autoconfiguration Limits State
Set Window Scaling Heuristics State
Configuration of wireless settings using Windows Connect Now
Prohibit access of the Windows Connect Now wizards
Disable power management in connected standby mode
Minimize the number of simultaneous connections to the Internet or a Windows Domain
Prohibit connection to non-domain networks when connected to domain authenticated network
Prohibit connection to roaming Mobile Broadband networks
Set Cost
Set 3G Cost
Set 4G Cost
Activate Internet printing
Add Printer wizard - Network scan page (Managed network)
Add Printer wizard - Network scan page (Unmanaged network)
Allow Print Spooler to accept client connections
Allow printers to be published
Allow pruning of published printers
Always rasterize content to be printed using a software rasterizer
Always render print jobs on the server
Automatically publish new printers in Active Directory
Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps)
Check published state
Computer location
Custom support URL in the Printers folder's left pane
Directory pruning interval
Directory pruning priority
Directory pruning retry
Disallow installation of printers using kernel-mode drivers
Do not allow v4 printer drivers to show printer extensions
Execute print drivers in isolated processes
Extend Point and Print connection to search Windows Update
Isolate print drivers from applications
Log directory pruning retry events
Only use Package Point and print
Override print driver execution compatibility setting reported by print driver
Package Point and print - Approved servers
Point and Print Restrictions
Pre-populate printer search location text
Printer browsing
Prune printers that are not automatically republished
Apply UAC restrictions to local accounts on network logon
Lsass.exe audit mode
LSA Protection
WDigest Authentication
Allow only system backup
Disallow locally attached storage as backup target
Disallow network as backup target
Disallow optical media as backup target
Disallow run-once backups
Pin Apps to Start when installed
Start Screen Layout
Activate Shutdown Event Tracker System State Data feature
Allow Distributed Link Tracking clients to use domain resources
Display highly detailed status messages
Display Shutdown Event Tracker
Do not automatically encrypt files moved to encrypted folders
Do not display Manage Your Server page at logon
Do not turn off system power after a Windows system shutdown has occurred.
Download missing COM components
Enable Persistent Time Stamp
Remove Boot / Shutdown / Logon / Logoff status messages
Restrict potentially unsafe HTML Help functions to specified folders
Restrict these programs from being launched from Help
Specify settings for optional component installation and component repair
Specify Windows installation file location
Specify Windows Service Pack installation file location
Turn off Data Execution Prevention for HTML Help Executible
Customize message for Access Denied errors
Enable access-denied assistance on client for all file types
Include command line in process creation events
Allow delegating default credentials
Allow delegating default credentials with NTLM-only server authentication
Allow delegating fresh credentials
Allow delegating fresh credentials with NTLM-only server authentication
Allow delegating saved credentials
Allow delegating saved credentials with NTLM-only server authentication
Deny delegating default credentials
Deny delegating fresh credentials
Deny delegating saved credentials
Restrict delegation of credentials to remote servers
Allow remote access to the Plug and Play interface
Configure device installation time-out
Do not send a Windows error report when a generic driver is installed on a device
Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point
Prevent device metadata retrieval from the Internet
Prevent Windows from sending an error report when a device driver requests additional software during installation
Prioritize all digitally signed drivers equally during the driver ranking and selection process
Specify search order for device driver source locations
Specify the search server for device driver updates
Turn off "Found New Hardware" balloons during device installation
Allow administrators to override Device Installation Restriction policies
Allow installation of devices that match any of these device IDs
Allow installation of devices using drivers that match these device setup classes
Display a custom message title when device installation is prevented by a policy setting
Display a custom message when installation is prevented by a policy setting
Prevent installation of devices not described by other policy settings
Prevent installation of devices that match any of these device IDs
Prevent installation of devices using drivers that match these device setup classes
Prevent installation of removable devices
Time (in seconds) to force reboot when required for policy changes to take effect
Prevent redirection of devices that match any of these device Ids
Prevent redirection of USB devices
Turn off boot and resume optimizations
Turn off cache power mode
Turn off non-volatile cache feature
Turn off solid state mode
Apply policy to removable media
Enable disk quotas
Enforce disk quota limit
Log event when quota limit is exceeded
Log event when quota warning level is exceeded
Specify default quota limit and warning level
Allow local activation security check exemptions
Define Activation Security Check exemptions
Allow non-administrators to install drivers for these device setup classes
Turn off Windows Update device driver search prompt
Boot-Start Driver Initialization Policy
Allow only USB root hub connected Enhanced Storage devices
Configure list of Enhanced Storage devices usable on your computer
Configure list of IEEE 1667 silos usable on your computer
Do not allow non-Enhanced Storage removable devices
Do not allow password authentication of Enhanced Storage devices
Do not allow Windows to activate Enhanced Storage devices
Lock Enhanced Storage when the computer is locked
File Classification Infrastructure: Display Classification tab in File Explorer
File Classification Infrastructure: Specify classification properties list
Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running o
Disable delete notifications on all volumes
Selectively allow the evaluation of a symbolic link
Do not allow compression on all NTFS volumes
Do not allow encryption on all NTFS volumes
Enable / disable TXF deprecated features
Enable NTFS pagefile encryption
Short name creation options
Redirect folders on primary computers only
Use localized subfolder names when redirecting Start Menu and My Documents
Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services
Allow cross-forest user policy and roaming user profiles
Always use local ADM files for Group Policy Object Editor
Change Group Policy processing to run asynchronously when a slow network connection is detected.
Configure Applications preference extension policy processing
Configure Data Sources preference extension policy processing
Configure Devices preference extension policy processing
Configure Direct Access connections as a fast network connection
Configure disk quota policy processing
Configure Drive Maps preference extension policy processing
Configure EFS recovery policy processing
Configure Environment preference extension policy processing
Configure Files preference extension policy processing
Configure Folder Options preference extension policy processing
Configure folder redirection policy processing
Configure Folders preference extension policy processing
Configure Group Policy Caching
Configure Group Policy slow link detection
Configure Ini Files preference extension policy processing
Configure Internet Explorer Maintenance policy processing
Configure Internet Settings preference extension policy processing
Configure IP security policy processing
Configure Local Users and Groups preference extension policy processing
Configure Logon Script Delay
Configure Network Options preference extension policy processing
Configure Network Shares preference extension policy processing
Configure Power Options preference extension policy processing
Configure Printers preference extension policy processing
Configure Regional Options preference extension policy processing
Configure registry policy processing
Configure Registry preference extension policy processing
Configure Scheduled Tasks preference extension policy processing
Configure scripts policy processing
Configure security policy processing
Configure Services preference extension policy processing
Configure Shortcuts preference extension policy processing
Configure software Installation policy processing
Configure Start Menu preference extension policy processing
Configure user Group Policy loopback processing mode
Configure wired policy processing
Configure wireless policy processing
Determine if interactive users can generate Resultant Set of Policy data
Enable AD/DFS domain controller synchronization during policy refresh
Enable Group Policy Caching for Servers
Remove users' ability to invoke machine policy refresh
Set Group Policy refresh interval for computers
Set Group Policy refresh interval for domain controllers
Specify startup policy processing wait time
Specify workplace connectivity wait time for policy processing
Turn off background refresh of Group Policy
Turn off Group Policy Client Service AOAC optimization
Turn off Local Group Policy Objects processing
Turn off Resultant Set of Policy logging
Configure Applications preference logging and tracing
Configure Data Sources preference logging and tracing
Configure Devices preference logging and tracing
Configure Drive Maps preference logging and tracing
Configure Environment preference logging and tracing
Configure Files preference logging and tracing
Configure Folder Options preference logging and tracing
Configure Folders preference logging and tracing
Configure Ini Files preference logging and tracing
Configure Internet Settings preference logging and tracing
Configure Local Users and Groups preference logging and tracing
Configure Network Options preference logging and tracing
Configure Network Shares preference logging and tracing
Configure Power Options preference logging and tracing
Configure Printers preference logging and tracing
Configure Regional Options preference logging and tracing
Configure Registry preference logging and tracing
Configure Scheduled Tasks preference logging and tracing
Configure Services preference logging and tracing
Configure Shortcuts preference logging and tracing
Configure Start Menu preference logging and tracing
Restrict Internet communication
Turn off access to all Windows Update features
Turn off access to the Store
Turn off Automatic Root Certificates Update
Turn off downloading of print drivers over HTTP
Turn off Event Viewer "Events.asp" links
Turn off handwriting personalization data sharing
Turn off handwriting recognition error reporting
Turn off Help and Support Center "Did you know?" content
Turn off Help and Support Center Microsoft Knowledge Base search
Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
Turn off Internet download for Web publishing and online ordering wizards
Turn off Internet File Association service
Turn off printing over HTTP
Turn off Registration if URL connection is referring to Microsoft.com
Turn off Search Companion content file updates
Turn off the "Order Prints" picture task
Turn off the "Publish to Web" task for files and folders
Turn off the Windows Messenger Customer Experience Improvement Program
Turn off Windows Customer Experience Improvement Program
Turn off Windows Error Reporting
Turn off Windows Network Connectivity Status Indicator active tests
Turn off Windows Update device driver searching
Do not allow additional session logins
Do not allow changes to initiator iqn name
Do not allow changes to initiator CHAP secret
Do not allow connections without IPSec
Do not allow sessions without mutual CHAP
Do not allow sessions without one way CHAP
Do not allow adding new targets via manual configuration
Do not allow manual configuration of discovered targets
Do not allow manual configuration of iSNS servers
Do not allow manual configuration of target portals
KDC support for claims, compound authentication and Kerberos armoring
Provide information about previous logons to client computers
Request compound authentication
Use forest search order
Warning for large Kerberos tickets
Always send compound authentication first
Define host name-to-Kerberos realm mappings
Define interoperable Kerberos V5 realm settings
Disable revocation checking for the SSL certificate of KDC proxy servers
Fail authentication requests when Kerberos armoring is not available
Kerberos client support for claims, compound authentication and Kerberos armoring
Require strict KDC validation
Require strict target SPN match on remote procedure calls
Set maximum Kerberos SSPI context token buffer size
Specify KDC proxy servers for Kerberos clients
Support compound authentication
Use forest search order
Disallow changing of geographic location
Disallow copying of user input methods to the system account for sign-in
Disallow selection of Custom Locales
Disallow user override of locale settings
Restrict system locales
Restrict user locales
Allow users to select when a password is required when resuming from connected standby
Always use classic logon
Always use custom logon background
Always wait for the network at computer startup and logon
Assign a default domain for logon
Do not display network selection UI
Do not display the Getting Started welcome screen at logon
Do not enumerate connected users on domain-joined computers
Do not process the legacy run list
Do not process the run once list
Enumerate local users on domain-joined computers
Exclude credential providers
Hide entry points for Fast User Switching
Run these programs at user logon
Show first sign-in animation
Turn off app notifications on the lock screen
Turn off picture password sign-in
Turn off Windows Startup sound
Turn on PIN sign-in
Allow cryptography algorithms compatible with Windows NT 4.0
Contact PDC on logon failure
Set Netlogon share compatibility
Set scavenge interval
Set SYSVOL share compatibility
Specify expected dial-up delay on logon
Specify log file debug output level
Specify maximum log file size
Specify negative DC Discovery cache setting
Specify positive periodic DC Cache refresh for non-background callers
Specify site name
Use final DC discovery retry setting for background callers
Use initial DC discovery retry setting for background callers
Use maximum DC discovery retry interval setting for background callers
Use positive periodic DC cache refresh for background callers
Use urgent mode when pinging domain controllers
Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names
Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails
Force Rediscovery Interval
Return domain controller address type
Set Priority in the DC Locator DNS SRV records
Set TTL in the DC Locator DNS Records
Set Weight in the DC Locator DNS SRV records
Specify address lookup behavior for DC locator ping
Specify DC Locator DNS records not registered by the DCs
Specify dynamic registration of the DC Locator DNS Records
Specify Refresh Interval of the DC Locator DNS records
Specify sites covered by the application directory partition DC Locator DNS SRV records
Specify sites covered by the DC Locator DNS SRV records
Specify sites covered by the GC Locator DNS SRV Records
Try Next Closest Site
Use automated site coverage by the DC Locator DNS SRV Records
Use DNS name resolution when a single-label domain name is used, by appending different registered DNS suffixes, if the All
Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC
Select an active power plan
Specify a custom active power plan
Select the lid switch action (on battery)
Select the lid switch action (plugged in)
Select the Power button action (on battery)
Select the Power button action (plugged in)
Select the Sleep button action (on battery)
Select the Sleep button action (plugged in)
Select the Start menu Power button action (on battery)
Select the Start menu Power button action (plugged in)
Turn Off the hard disk (on battery)
Turn Off the hard disk (plugged in)
Critical battery notification action
Critical battery notification level
Low battery notification action
Low battery notification level
Reserve battery notification level
Turn off low battery user notification
Allow applications to prevent automatic sleep (on battery)
Allow applications to prevent automatic sleep (plugged in)
Allow automatic sleep with Open Network Files (on battery)
Allow automatic sleep with Open Network Files (plugged in)
Allow standby states (S1-S3) when sleeping (on battery)
Allow standby states (S1-S3) when sleeping (plugged in)
Require a password when a computer wakes (on battery)
Require a password when a computer wakes (plugged in)
Specify the system hibernate timeout (on battery)
Specify the system hibernate timeout (plugged in)
Specify the system sleep timeout (on battery)
Specify the system sleep timeout (plugged in)
Specify the unattended sleep timeout (on battery)
Specify the unattended sleep timeout (plugged in)
Turn off hybrid sleep (on battery)
Turn off hybrid sleep (plugged in)
Turn on the ability for applications to prevent sleep transitions (on battery)
Turn on the ability for applications to prevent sleep transitions (plugged in)
Reduce display brightness (on battery)
Reduce display brightness (plugged in)
Specify the display dim brightness (on battery)
Specify the display dim brightness (plugged in)
Turn off adaptive display timeout (on battery)
Turn off adaptive display timeout (plugged in)
Turn off the display (on battery)
Turn off the display (plugged in)
Turn on desktop background slideshow (on battery)
Turn on desktop background slideshow (plugged in)
Allow restore of system to default state
Allow only Windows Vista or later connections
Configure Offer Remote Assistance
Configure Solicited Remote Assistance
Customize warning messages
Turn on bandwidth optimization
Turn on session logging
Enable RPC Endpoint Mapper Client Authentication
Ignore Delegation Failure
Maintain RPC Troubleshooting State Information
Propagate extended error information
Restrict Unauthenticated RPC clients
Set Minimum Idle Connection Timeout for RPC/HTTP connections
All Removable Storage classes: Deny all access
All Removable Storage: Allow direct access in remote sessions
CD and DVD: Deny execute access
CD and DVD: Deny read access
CD and DVD: Deny write access
Custom Classes: Deny read access
Custom Classes: Deny write access
Floppy Drives: Deny execute access
Floppy Drives: Deny read access
Floppy Drives: Deny write access
Removable Disks: Deny execute access
Removable Disks: Deny read access
Removable Disks: Deny write access
Set time (in seconds) to force reboot
Tape Drives: Deny execute access
Tape Drives: Deny read access
Tape Drives: Deny write access
WPD Devices: Deny read access
WPD Devices: Deny write access
Allow logon scripts when NetBIOS or WINS is disabled
Display instructions in shutdown scripts as they run
Display instructions in startup scripts as they run
Run logon scripts synchronously
Run startup scripts asynchronously
Run Windows PowerShell scripts first at computer startup, shutdown
Run Windows PowerShell scripts first at user logon, logoff
Specify maximum wait time for Group Policy scripts
Configure the refresh interval for Server Manager
Do not display Initial Configuration Tasks window automatically at logon
Do not display Server Manager automatically at logon
Require use of fast startup
Turn off automatic termination of applications that block or cancel shutdown
Turn off Configuration
Turn off System Restore
Diagnostics: Configure scenario execution level
Diagnostics: Configure scenario retention
Detect application failures caused by deprecated COM objects
Detect application failures caused by deprecated Windows DLLs
Detect application install failures
Detect application installers that need to be run as administrator
Detect applications unable to launch installers under UAC
Detect compatibility issues for applications and drivers
Notify blocked drivers
Configure Corrupted File Recovery behavior
Disk Diagnostic: Configure custom alert text
Disk Diagnostic: Configure execution level
Configure Scenario Execution Level
Microsoft Support Diagnostic Tool: Configure execution level
Microsoft Support Diagnostic Tool: Restrict tool download
Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider
Configure MSI Corrupted File Recovery behavior
Configure Scheduled Maintenance Behavior
Configure Security Policy for Scripted Diagnostics
Troubleshooting: Allow users to access and run Troubleshooting Wizards
Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Contro
Configure Scenario Execution Level
Configure Scenario Execution Level
Enable/Disable PerfTrack
Configure Scenario Execution Level
Configure Scenario Execution Level
Configure Scenario Execution Level
Configure Scenario Execution Level
Configure the level of TPM owner authorization information available to the operating system
Configure the list of blocked TPM commands
Ignore the default list of blocked TPM commands
Ignore the local list of blocked TPM commands
Standard User Individual Lockout Threshold
Standard User Lockout Duration
Standard User Total Lockout Threshold
Turn on TPM backup to Active Directory Domain Services
Add the Administrators security group to roaming user profiles
Control slow network connection timeout for user profiles
Delete cached copies of roaming profiles
Delete user profiles older than a specified number of days on system restart
Disable detection of slow network connections
Do not check for user ownership of Roaming Profile Folders
Do not forcefully unload the users registry at user logoff
Do not log users on with temporary profiles
Download roaming profiles on primary computers only
Establish timeout value for dialog boxes
Leave Windows Installer and Group Policy Software Installation Data
Maximum retries to unload and update user profile
Only allow local user profiles
Prevent Roaming Profile changes from propagating to the server
Prompt user when a slow network connection is detected
Set maximum wait time for the network if a user has a roaming user profile or remote home directory
Set roaming profile path for all users logging onto this computer
Set the schedule for background upload of a roaming user profile's registry file while user is logged on
Set user home folder
Turn off the advertising ID
User management of sharing user name, account picture, and domain information with apps (not desktop apps)
Wait for remote user profile
Hide the file scan progress window
Limit Windows File Protection cache size
Set Windows File Protection scanning
Specify Windows File Protection cache location
Global Configuration Settings
Configure Windows NTP Client
Enable Windows NTP Client
Enable Windows NTP Server
Approved Installation Sites for ActiveX Controls
Establish ActiveX installation policy for sites in Trusted zones
Prevent the wizard from running.
Allow all trusted apps to install
Allow deployment operations in special profiles
Allow development of Windows Store apps without installing a developer license
Allow Microsoft accounts to be optional
Block launching desktop apps associated with a file.
Block launching desktop apps associated with a URI scheme
Turn on dynamic Content URI Rules for Windows store apps
Prevent access to 16-bit applications
Remove Program Compatibility Property Page
Turn off Application Compatibility Engine
Turn off Application Telemetry
Turn off Inventory Collector
Turn off Program Compatibility Assistant
Turn off Steps Recorder
Turn off SwitchBack Compatibility Engine
Disallow Autoplay for non-volume devices
Prevent AutoPlay from remembering user choices.
Set the default behavior for AutoRun
Turn off Autoplay
Allow domain users to log on using biometrics
Allow the use of biometrics
Allow users to log on using biometrics
Specify timeout for fast user switching events
Choose default folder for recovery password
Choose drive encryption method and cipher strength
Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 200
Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)
Prevent memory overwrite on restart
Provide the unique identifiers for your organization
Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
Validate smart card certificate usage rule compliance
Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
Choose how BitLocker-protected fixed drives can be recovered
Configure use of hardware-based encryption for fixed data drives
Configure use of passwords for fixed data drives
Configure use of smart cards on fixed data drives
Deny write access to fixed drives not protected by BitLocker
Enforce drive encryption type on fixed data drives
Allow enhanced PINs for startup
Allow network unlock at startup
Allow Secure Boot for integrity validation
Choose how BitLocker-protected operating system drives can be recovered
Configure minimum PIN length for startup
Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
Configure TPM platform validation profile for BIOS-based firmware configurations
Configure TPM platform validation profile for native UEFI firmware configurations
Configure use of hardware-based encryption for operating system drives
Configure use of passwords for operating system drives
Disallow standard users from changing the PIN or password
Enable use of BitLocker authentication requiring preboot keyboard input on slates
Enforce drive encryption type on operating system drives
Require additional authentication at startup
Require additional authentication at startup (Windows Server 2008 and Windows Vista)
Reset platform validation data after BitLocker recovery
Use enhanced Boot Configuration Data validation profile
Allow access to BitLocker-protected removable data drives from earlier versions of Windows
Choose how BitLocker-protected removable drives can be recovered
Configure use of hardware-based encryption for removable data drives
Configure use of passwords for removable data drives
Configure use of smart cards on removable data drives
Control use of BitLocker on removable drives
Deny write access to removable drives not protected by BitLocker
Enforce drive encryption type on removable data drives
Do not display the password reveal button
Enumerate administrator accounts on elevation
Require trusted path for credential entry
Restrict unpacking and installation of gadgets that are not digitally signed.
Turn off desktop gadgets
Turn Off user-installed desktop gadgets
Do not allow Flip3D invocation
Do not allow window animations
Use solid color for Start background
Do not allow color changes
Specify a default color
Device compatibility settings
Driver compatibility settings
Do not allow Digital Locker to run
Disable help tips
Application Configuration
Default Action and Mitigation Settings
Default Protections for Internet Explorer
Default Protections for Popular Software
Default Protections for Recommended Software
EMET Agent Custom Message
EMET Agent Visibility
Reporting
System ASLR
System DEP
System SEHOP
Configure forwarder resource usage
Configure target Subscription Manager
Back up log automatically when full
Configure log access
Control Event Log behavior when the log file reaches its maximum size
Control the location of the log file
Specify the maximum log file size (KB)
Back up log automatically when full
Configure log access
Control Event Log behavior when the log file reaches its maximum size
Control the location of the log file
Specify the maximum log file size (KB)
Back up log automatically when full
Configure log access
Control Event Log behavior when the log file reaches its maximum size
Control the location of the log file
Specify the maximum log file size (KB)
Turn on logging
Back up log automatically when full
Configure log access
Control Event Log behavior when the log file reaches its maximum size
Control the location of the log file
Specify the maximum log file size (KB)
Events.asp program
Events.asp program command line parameters
Events.asp URL
Make Family Safety control panel visible on a Domain
Allow the use of remote paths in file shortcut icons
Configure Windows SmartScreen
Disable binding directly to IPropertySetStorage without intermediate layers.
Do not show the 'new application installed' notification
Location where all default Library definition files for users/machines reside.
Set a default associations configuration file
Set a support web page link
Show hibernate in the power options menu
Show lock in the user tile menu
Show sleep in the power options menu
Start File Explorer with ribbon minimized
Turn off Data Execution Prevention for Explorer
Turn off heap termination on corruption
Turn off numerical sorting in File Explorer
Turn off shell protocol protected mode
Verify old and new Folder Redirection targets point to the same share before redirecting
Hide previous versions list for local files
Hide previous versions list for remote files
Hide previous versions of files on backup location
Prevent restoring local previous versions
Prevent restoring previous versions from backups
Prevent restoring remote previous versions
Turn off File History
Turn off downloading of game information
Turn off game updates
Turn off tracking of last play time of games in the Games folder
Prevent the computer from joining a homegroup
Prevent IIS installation
Turn off location
Turn off location scripting
Turn off sensors
Turn off Windows Location Provider
Automatic Maintenance Activation Boundary
Automatic Maintenance Random Delay
Automatic Maintenance WakeUp Policy
Disable remote Desktop Sharing
Allow the Network Access Protection client to support the 802.1x Enforcement Client component
Network Projector Port Setting
Turn off Connect to a Network Projector
Turn off Active Help
Set the interval between synchronization retries for Password Synchronization
Set the number of synchronization retries for servers running Password Synchronization
Turn on extensive logging for Password Synchronization
Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory
Allow hibernate (S4) when starting from a Windows To Go workspace
Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace
Windows To Go Default Startup Options
Turn off Windows presentation settings
License server security group
Prevent license upgrade
Allow .rdp files from unknown publishers
Allow .rdp files from valid publishers and user's default .rdp settings
Configure server authentication for client
Do not allow passwords to be saved
Prompt for credentials on the client computer
Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
Turn Off UDP On Client
Allow RDP redirection of other supported RemoteFX USB devices from this computer
Do not use Remote Desktop Session Host server IP address when virtual IP address is not available
Select the network adapter to be used for Remote Desktop IP Virtualization
Turn off Windows Installer RDS Compatibility
Turn on Remote Desktop IP Virtualization
Allow remote start of unlisted programs
Allow users to connect remotely by using Remote Desktop Services
Automatic reconnection
Configure keep-alive connection interval
Deny logoff of an administrator logged in to the console session
Limit number of connections
Restrict Remote Desktop Services users to a single Remote Desktop Services session
Select network detection on the server
Select RDP transport protocols
Set rules for remote control of Remote Desktop Services user sessions
Suspend user sign-in to complete app registration
Turn off Fair Share CPU Scheduling
Allow audio and video playback redirection
Allow audio recording redirection
Allow time zone redirection
Do not allow Clipboard redirection
Do not allow COM port redirection
Do not allow drive redirection
Do not allow LPT port redirection
Do not allow smart card device redirection
Do not allow supported Plug and Play device redirection
Limit audio playback quality
Hide notifications about RD Licensing problems that affect the RD Session Host server
Set the Remote Desktop licensing mode
Use the specified Remote Desktop license servers
Do not allow client printer redirection
Do not set default client printer to be default printer in a session
Redirect only the default client printer
Specify RD Session Host server fallback printer driver behavior
Use Remote Desktop Easy Print printer driver first
Limit the size of the entire roaming user profile cache
Set path for Remote Desktop Services Roaming User Profile
Set Remote Desktop Services User Home Directory
Use mandatory profiles on the RD Session Host server
Configure RD Connection Broker farm name
Configure RD Connection Broker server name
Join RD Connection Broker
Use IP Address Redirection
Use RD Connection Broker load balancing
Allow desktop composition for remote desktop sessions
Always show desktop on connection
Configure compression for RemoteFX data
Configure image quality for RemoteFX Adaptive Graphics
Configure RemoteFX Adaptive Graphics
Do not allow font smoothing
Enable RemoteFX encoding for RemoteFX clients designed for Windows Server 2008 R2 SP1
Enforce Removal of Remote Desktop Wallpaper
Limit maximum color depth
Limit maximum display resolution
Limit number of monitors
Remove "Disconnect" option from Shut Down dialog
Remove Windows Security item from Start menu
Start a program on connection
Use advanced RemoteFX graphics for RemoteApp
Use the hardware default graphics adapter for all Remote Desktop Services sessions
Configure RemoteFX
Optimize visual experience for Remote Desktop Service Sessions
Optimize visual experience when using RemoteFX
Always prompt for password upon connection
Do not allow local administrators to customize permissions
Require secure RPC communication
Require use of specific security layer for remote (RDP) connections
Require user authentication for remote connections by using Network Level Authentication
Server authentication certificate template
Set client connection encryption level
End session when time limits are reached
Set time limit for active but idle Remote Desktop Services sessions
Set time limit for active Remote Desktop Services sessions
Set time limit for disconnected sessions
Set time limit for logoff of RemoteApp sessions
Do not delete temp folders upon exit
Do not use temporary folders per session
Prevent access to feed list
Prevent automatic discovery of feeds and Web Slices
Prevent downloading of enclosures
Prevent subscribing to or deleting a feed or a Web Slice
Turn off background synchronization for feeds and Web Slices
Turn on Basic feed authentication over HTTP
Add primary intranet search location
Add secondary intranet search locations
Allow indexing of encrypted files
Allow use of diacritics
Always use automatic language detection when indexing content and properties
Control rich previews for attachments
Default excluded paths
Default indexed paths
Disable indexer backoff
Do not allow locations on removable drives to be added to libraries
Do not allow web search
Don't search the web or display web results in Search
Don't search the web or display web results in Search over metered connections
Enable indexing of online delegate mailboxes
Enable indexing uncached Exchange folders
Enable throttling for online mail indexing
Indexer data location
Prevent adding UNC locations to index from Control Panel
Prevent adding user-specified locations to the All Locations menu
Prevent automatically adding shared folders to the Windows Search index
Prevent clients from querying the index remotely
Prevent customization of indexed locations in Control Panel
Prevent indexing certain paths
Prevent indexing e-mail attachments
Prevent indexing files in offline files cache
Prevent indexing Microsoft Office Outlook
Prevent indexing of certain file types
Prevent indexing public folders
Prevent indexing when running on battery power to conserve energy
Prevent the display of advanced indexing options for Windows Search in the Control Panel
Prevent unwanted iFilters and protocol handlers
Preview pane location
Set large or small icon view in desktop search results
Set the SafeSearch setting for Search
Set what information is shared in Search
Stop indexing in the event of limited hard drive space
Turn on Security Center (Domain PCs only)
Set the map update interval for NIS subordinate servers
Turn on extensive logging for Active Directory Domain Services domain controllers that are running Server for NIS
Timeout for hung logon sessions during shutdown
Turn off legacy remote shutdown interface
Prevent SkyDrive files from syncing over metered connections
Prevent the usage of SkyDrive for file storage
Save documents and pictures to the local PC by default
Allow certificates with no extended key usage certificate attribute
Allow ECC certificates to be used for logon and authentication
Allow Integrated Unblock screen to be displayed at the time of logon
Allow signature keys valid for Logon
Allow time invalid certificates
Allow user name hint
Configure root certificate clean up
Display string when smart card is blocked
Filter duplicate logon certificates
Force the reading of all certificates from the smart card
Notify user of successful smart card driver installation
Prevent plaintext PINs from being returned by Credential Manager
Reverse the subject name stored in a certificate when displaying
Turn on certificate propagation from smart card
Turn on root certificate propagation from smart card
Turn on Smart Card Plug and Play service
Do not allow Sound Recorder to run
Turn off Automatic Download and Install of updates
Turn off Automatic Download of updates on Win8 machines
Turn off the offer to update to the latest version of Windows
Turn off the Store application
Do not sync
Do not sync app settings
Do not sync Apps
Do not sync browser settings
Do not sync desktop personalization
Do not sync on metered connections
Do not sync other Windows settings
Do not sync passwords
Do not sync personalize
Do not sync start settings
Do not allow Inkball to run
Do not allow printing to Journal Note Writer
Do not allow Snipping Tool to run
Do not allow Windows Journal to be run
Turn off pen feedback
Prevent Back-ESC mapping
Prevent launch an application
Prevent press and hold
Turn off hardware buttons
Disable text prediction
For tablet pen input, don’t show the Input Panel icon
For touch input, don’t show the Input Panel icon
Include rarely used Chinese, Kanji, or Hanja characters
Prevent Input Panel tab from appearing
Turn off AutoComplete integration with Input Panel
Turn off password security in Input Panel
Turn off tolerant and Z-shaped scratch-out gestures
Prevent Flicks Learning Mode
Prevent flicks
Turn off Tablet PC Pen Training
Turn off Tablet PC touch input
Turn off Touch Panning
Hide Advanced Properties Checkbox in Add Scheduled Task Wizard
Hide Property Pages
Prevent Task Run or End
Prohibit Browse
Prohibit Drag-and-Drop
Prohibit New Task Creation
Prohibit Task Deletion
Turn off Windows Calendar
Prohibit installing or uninstalling color profiles
Allow Corporate redirection of Customer Experience Improvement uploads
Tag Windows Customer Experience Improvement data with Study Identifier
Allow antimalware service to remain running always
Allow antimalware service to startup with normal priority
Configure local administrator merge behavior for lists
Define addresses to bypass proxy server
Define proxy server for connecting to the network
Randomize scheduled task times
Turn off routine remediation
Turn off Windows Defender
Display additional text to clients when they need to perform an action
Display notifications to clients when they need to perform actions
Extension Exclusions
Path Exclusions
Process Exclusions
Configure local setting override for reporting to Microsoft MAPS
Join Microsoft MAPS
Define the rate of detection events for logging
Specify additional definition sets for network traffic inspection
Turn on definition retirement
Turn on protocol recognition
IP address range Exclusions
Port number Exclusions
Process Exclusions for outbound traffic
Threat ID Exclusions
Configure local setting override for the removal of items from Quarantine folder
Configure removal of items from Quarantine folder
Configure local setting override for monitoring file and program activity on your computer
Configure local setting override for monitoring for incoming and outgoing file activity
Configure local setting override for scanning all downloaded files and attachments
Configure local setting override for turn on behavior monitoring
Configure local setting override to turn off Intrusion Prevention System
Configure local setting override to turn on real-time protection
Configure monitoring for incoming and outgoing file and program activity
Define the maximum size of downloaded files and attachments to be scanned
Monitor file and program activity on your computer
Scan all downloaded files and attachments
Turn off real-time protection
Turn on behavior monitoring
Turn on Information Protection Control
Turn on network protection against exploits of known vulnerabilities
Turn on process scanning whenever real-time protection is enabled
Turn on raw volume write notifications
Configure local setting override for the time of day to run a scheduled full scan to complete remediation
Specify the day of the week to run a scheduled full scan to complete remediation
Specify the time of day to run a scheduled full scan to complete remediation
Configure time out for detections in critically failed state
Configure time out for detections in non-critical failed state
Configure time out for detections in recently remediated state
Configure time out for detections requiring additional action
Configure Watson events
Configure Windows software trace preprocessor components
Configure WPP tracing level
Allow users to pause scan
Check for the latest virus and spyware definitions before running a scheduled scan
Configure local setting override for maximum percentage of CPU utilization
Configure local setting override for schedule scan day
Configure local setting override for scheduled quick scan time
Configure local setting override for scheduled scan time
Configure local setting override for the scan type to use for a scheduled scan
Create a system restore point
Run full scan on mapped network drives
Scan archive files
Scan network files
Scan packed executables
Scan removable drives
Specify the day of the week to run a scheduled scan
Specify the interval to run quick scans per day
Specify the maximum depth to scan archive files
Specify the maximum percentage of CPU utilization during a scan
Specify the maximum size of archive files to be scanned
Specify the scan type to use for a scheduled scan
Specify the time for a daily quick scan
Specify the time of day to run a scheduled scan
Start the scheduled scan only when computer is on but not in use
Turn on catch-up full scan
Turn on catch-up quick scan
Turn on e-mail scanning
Turn on heuristics
Turn on removal of items from scan history folder
Turn on reparse point scanning
Allow definition updates from Microsoft Update
Allow definition updates when running on battery power
Allow notifications to disable definitions based reports to Microsoft MAPS
Allow real-time definition updates based on reports to Microsoft MAPS
Check for the latest virus and spyware definitions on startup
Define file shares for downloading definition updates
Define the number of days after which a catch-up definition update is required
Define the number of days before spyware definitions are considered out of date
Define the number of days before virus definitions are considered out of date
Define the order of sources for downloading definition updates
Initiate definition update on startup
Specify the day of the week to check for definition updates
Specify the interval to check for definition updates
Specify the time to check for definition updates
Turn on scan after signature update
Specify threat alert levels at which default action should not be taken when detected
Specify threats upon which default action should not be taken when detected
Automatically send memory dumps for OS-generated error reports
Configure Error Reporting
Disable logging
Disable Windows Error Reporting
Display Error Notification
Do not send additional data
Do not throttle additional data
Prevent display of the user interface for critical errors
Send additional data when on battery power
Send data when on connected to a restricted/costed network
Configure Corporate Windows Error Reporting
Configure Report Archive
Configure Report Queue
Default application reporting settings
List of applications to always report errors for
List of applications to be excluded
List of applications to never report errors for
Report operating system errors
Report unplanned shutdown events
Configure Default consent
Customize consent settings
Ignore custom consent settings
Allow user control over installs
Allow users to browse for source while elevated
Allow users to patch elevated products
Allow users to use media source while elevated
Always install with elevated privileges
Control maximum size of baseline file cache
Enforce upgrade component rules
Prevent embedded UI
Prevent Internet Explorer security prompt for Windows Installer scripts
Prevent users from using Windows Installer to install updates and upgrades
Prohibit flyweight patching
Prohibit non-administrators from applying vendor signed updates
Prohibit removal of updates
Prohibit rollback
Prohibit use of Restart Manager
Prohibit User Installs
Remove browse dialog box for new source
Save copies of transform files in a secure location on workstation
Specify the types of events Windows Installer records in its transaction log
Turn off creation of System Restore checkpoints
Turn off logging via package settings
Turn off shared components
Turn off Windows Installer
Disable or enable software Secure Attention Sequence
Display information about previous logons during user logon
Report when logon server was not available during user logon
Sign-in last interactive user automatically after a system-initiated restart
Turn off the communities features
Turn off Windows Mail application
Do not allow Windows Media Center to run
Prevent Windows Media DRM Internet Access
Do Not Show First Use Dialog Boxes
Prevent Automatic Updates
Prevent Desktop Shortcut Creation
Prevent Media Sharing
Prevent Quick Launch Toolbar Shortcut Creation
Prevent Video Smoothing
Do not allow Windows Messenger to be run
Do not automatically start Windows Messenger initially
Turn off Windows Mobility Center
Set the default source path for Update-Help
Turn on Module Logging
Turn on Script Execution
Configure Reliability WMI Providers
Allow Basic authentication
Allow CredSSP authentication
Allow unencrypted traffic
Disallow Digest authentication
Disallow Kerberos authentication
Disallow Negotiate authentication
Trusted Hosts
Allow Basic authentication
Allow CredSSP authentication
Allow remote server management through WinRM
Allow unencrypted traffic
Disallow Kerberos authentication
Disallow Negotiate authentication
Disallow WinRM from storing RunAs credentials
Specify channel binding token hardening level
Turn On Compatibility HTTP Listener
Turn On Compatibility HTTPS Listener
Allow Remote Shell Access
MaxConcurrentUsers
Specify idle Timeout
Specify maximum amount of memory in MB per Shell
Specify maximum number of processes per Shell
Specify maximum number of remote shells per user
Specify Shell Timeout
Allow Automatic Updates immediate installation
Allow non-administrators to receive update notifications
Allow signed updates from an intranet Microsoft update service location
Always automatically restart at the scheduled time
Automatic Updates detection frequency
Configure Automatic Updates
Delay Restart for scheduled installations
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
Do not connect to any Windows Update Internet locations
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
Enable client-side targeting
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates
No auto-restart with logged on users for scheduled automatic updates installations
Re-prompt for restart with scheduled installations
Reschedule Automatic Updates scheduled installations
Specify intranet Microsoft update service location
Turn on recommended updates via Automatic Updates
Turn on Software Notifications
Force automatic setup for all users
Automatically workplace join client computers
MSFT Win2012 R2

Enabled
Enabled

Enabled

Disabled

Not Configured
Enabled

Not Configured

Enabled

Enabled: All Drives

Enabled
Enabled
Enabled

Enabled: Application Opt


Enabled: Application Opt
Enabled: Application Opt
Not Defined

Enabled: 32768

Not Defined

Enabled: 196608

Not Defined

Enabled: 32768
Disabled
Disabled
Disabled
Registry Information
HKLM\Software\Policies\Microsoft\Windows\Personalization!NoLockScreen
HKLM\Software\Policies\Microsoft\Windows\Personalization!PersonalColors_Background, HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows\Personalization!LockScreenImage
HKLM\Software\Policies\Microsoft\Windows\Personalization!ForceStartBackground
HKLM\Software\Policies\Microsoft\Windows\Personalization!NoChangingLockScreen
HKLM\Software\Policies\Microsoft\Windows\Personalization!NoChangingStartMenuBackground
HKLM\Software\Policies\Microsoft\Windows\Personalization!NoLockScreenCamera
HKLM\Software\Policies\Microsoft\Windows\Personalization!NoLockScreenSlideshow
HKLM\Software\Policies\Microsoft\Control Panel\International!BlockCleanupOfUnusedPreinstalledL
HKLM\Software\Policies\Microsoft\MUI\Settings!MachineUILock
HKLM\Software\Policies\Microsoft\MUI\Settings!PreferredUILanguages
HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization!RestrictImplicitTextCollection, HKLM\SOFTW
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!UseDefaultTile
HKLM\Software\Policies\Microsoft\System\DFSClient!DfsDcNameDelay
HKLM\Software\Policies\Microsoft\Windows\BITS!EnablePeercaching
HKLM\Software\Policies\Microsoft\Windows\BITS!DisableBranchCache
HKLM\Software\Policies\Microsoft\Windows\BITS!DisablePeerCachingClient
HKLM\Software\Policies\Microsoft\Windows\BITS!DisablePeerCachingServer
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxContentAge
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxCacheSize
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxDownloadTime
HKLM\Software\Policies\Microsoft\Windows\BITS!EnableBITSMaxBandwidth, HKLM\Software\Polici
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxBandwidthServed
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxJobsPerUser
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxJobsPerMachine
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxFilesPerJob
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxRangesPerFile
HKLM\Software\Policies\Microsoft\Windows\BITS\TransferPolicy!ForegroundTransferPolicy, HKLM\S
HKLM\Software\Policies\Microsoft\Windows\BITS\Throttling!EnableMaintenanceLimits, HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows\BITS\Throttling!EnableBandwidthLimits, HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows\BITS!JobInactivityTimeout
HKLM\Software\Policies\Microsoft\Windows\NetCache!PeerCachingLatencyThreshold
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\Service\Versioning!PreferredContentInformationVers
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\MultipleServers
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\Discovery!SCPDiscoveryEnabled
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\Retrieval!SegmentTTL
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\CooperativeCaching!Enable
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\Connection!Location
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\CacheMgr\Republication!SizePercent
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\Service!Enable
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!AppendToMultiLabelName
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!QueryNetBTFQDN
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!AdapterDomainName
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!NameServer
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!SearchList
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegistrationEnabled
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!EnableIdnMapping
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!PreferLocalOverLowerBindingDNS
HKLM\Software\Policies\Microsoft\System\DNSClient!NV PrimaryDnsSuffix
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!UseDomainNameDevolution
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!EnableDevolutionLevelControl, HKLM\S
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegisterAdapterName
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegisterReverseLookup
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegistrationRefreshInterval
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegistrationOverwritesInConflict
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegistrationTtl
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!DisableIdnEncoding
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!EnableMulticast
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!DisableSmartNameResolution
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!DisableSmartProtocolReordering
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!UpdateSecurityLevel
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!UpdateTopLevelDomainZones
HKLM\Software\Policies\Microsoft\Windows\HotspotAuthentication!Enabled
HKLM\Software\Policies\Microsoft\Windows\LanmanServer!HashPublicationForPeerCaching
HKLM\Software\Policies\Microsoft\Windows\LanmanServer!HashSupportVersion
HKLM\Software\Policies\Microsoft\Windows\LLTD!EnableLLTDIO, HKLM\Software\Policies\Microso
HKLM\Software\Policies\Microsoft\Windows\LLTD!EnableRspndr, HKLM\Software\Policies\Microso
HKLM\Software\policies\Microsoft\Peernet!IgnoreDomainPasswordPolicyForNewGroups
HKLM\Software\policies\Microsoft\Peernet!Disabled
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global!SearchOnly
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global!SeedServer, HKLM\Software\policies\
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global!DisableMulticastBootstrap
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global!Disabled
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal!SearchOnly
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal!SeedServer
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal!DisableMulticastBootstrap
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal!Disabled
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal!SearchOnly
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal!SeedServer
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal!DisableMulticastBootstrap
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal!Disabled
HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_DoNotShowLocalOnlyIcon
HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_AllowNetBridge_NLA
HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_PersonalFirewallConfig
HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_ShowSharedAccessUI
HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_StdDomainUserSetLocation
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Force_Tunneling
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\ICFv4!BypassFirewall
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowOutboundD
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint!Enable
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!Enabl
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop!Ena
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework!En
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts!AllowUse
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications!Allo
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging!LogDroppedPackets, H
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts!Enabled, H
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications!Enabl
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!DoNotAllowExceptions
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!DisableNotifications
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!DisableUnicastResponsesToMu
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!EnableFirewall
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowOutboun
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint!Enabl
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings!Enab
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop!En
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework!E
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts!AllowUs
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications!All
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging!LogDroppedPackets,
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts!Enabled,
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications!Enab
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DoNotAllowExceptions
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DisableNotifications
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DisableUnicastResponsesToM
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!EnableFirewall
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnec
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnect
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectiv
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnec
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnect
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator!DisablePassivePoll
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!DomainProxies
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!DomainLocalProxies
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!DomainSubnets
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!DProxiesAuthoritive
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!DSubnetsAuthoritive
HKLM\Software\Policies\Microsoft\Windows\NetCache!GoOfflineAction
HKLM\Software\Policies\Microsoft\Windows\NetCache!Enabled
HKLM\Software\Policies\Microsoft\Windows\NetCache!PurgeAtLogoff, HKLM\Software\Policies\Mi
HKLM\Software\Policies\Microsoft\Windows\NetCache!BackgroundSyncEnabled, HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\NetCache!SlowLinkSpeed
HKLM\Software\Policies\Microsoft\Windows\NetCache!SlowLinkEnabled, HKLM\Software\Policies\
HKLM\Software\Policies\Microsoft\Windows\NetCache!DefCacheSize
HKLM\Software\Policies\Microsoft\Windows\NetCache!ExcludedFileTypes
HKLM\Software\Policies\Microsoft\Windows\NetCache!SyncEnabledForCostedNetwork
HKLM\Software\Policies\Microsoft\Windows\NetCache!OnlineCachingLatencyThreshold
HKLM\Software\Policies\Microsoft\Windows\NetCache!EncryptCache
HKLM\Software\Policies\Microsoft\Windows\NetCache!EventLoggingLevel
HKLM\Software\Policies\Microsoft\Windows\NetCache!ExcludeExtensions
HKLM\Software\Policies\Microsoft\Windows\NetCache!InitialBalloonTimeoutSeconds
HKLM\Software\Policies\Microsoft\Windows\NetCache!CacheQuotaLimit, HKLM\Software\Policies
HKLM\Software\Policies\Microsoft\Windows\NetCache\CustomGoOfflineActions
HKLM\Software\Policies\Microsoft\Windows\NetCache!NoCacheViewer
HKLM\Software\Policies\Microsoft\Windows\NetCache!NoConfigCache
HKLM\Software\Policies\Microsoft\Windows\NetCache!ReminderFreqMinutes
HKLM\Software\Policies\Microsoft\Windows\NetCache!ReminderBalloonTimeoutSeconds
HKLM\Software\Policies\Microsoft\Windows\NetCache!NoMakeAvailableOffline
HKLM\Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOfflineList
HKLM\Software\Policies\Microsoft\Windows\NetCache!WorkOfflineDisabled
HKLM\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders
HKLM\Software\Policies\Microsoft\Windows\NetCache!AlwaysPinSubFolders
HKLM\Software\Policies\Microsoft\Windows\NetCache!SyncAtLogoff
HKLM\Software\Policies\Microsoft\Windows\NetCache!SyncAtLogon
HKLM\Software\Policies\Microsoft\Windows\NetCache!SyncAtSuspend
HKLM\Software\Policies\Microsoft\Windows\NetCache!NoReminders
HKLM\Software\Policies\Microsoft\Windows\NetCache!EconomicalAdminPinning
HKLM\Software\Policies\Microsoft\Windows\Psched!MaxOutstandingSends
HKLM\Software\Policies\Microsoft\Windows\Psched!NonBestEffortLimit
HKLM\Software\Policies\Microsoft\Windows\Psched!TimerResolution
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceTypeBe
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceTypeC
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceType
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceTypeN
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceTypeQu
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming!ServiceTy
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming!ServiceTy
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming!ServiceT
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming!ServiceT
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming!ServiceTy
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeBestEffort
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeControlledLo
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeGuaranteed
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeNetworkCont
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeNonConform
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeQualitative
HKLM\Software\Policies\SNMP\Parameters\ValidCommunities
HKLM\Software\Policies\SNMP\Parameters\PermittedManagers
HKLM\Software\Policies\SNMP\Parameters\TrapConfiguration\public
HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002!Functions
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!6to4_RouterName
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!6to4_RouterNameResolutionInterv
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!6to4_State
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface!IPHTTPS_
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!ISATAP_RouterName
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!ISATAP_State
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Teredo_ClientPort
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Teredo_DefaultQualified
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Teredo_RefreshRate
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Teredo_ServerName
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Teredo_State
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!EnableIPAutoConfigurationLimits
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!EnableWsd
HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars!EnableRegistrars, HKLM\Software\Pol
HKLM\Software\Policies\Microsoft\Windows\WCN\UI!DisableWcnUi
HKLM\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy!fDisablePowerManagement
HKLM\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy!fMinimizeConnections
HKLM\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy!fBlockNonDomain
HKLM\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy!fBlockRoaming
HKLM\Software\Policies\Microsoft\Windows\Wireless\NetCost!Cost
HKLM\Software\Policies\Microsoft\Windows\WwanSvc\NetCost!Cost3G
HKLM\Software\Policies\Microsoft\Windows\WwanSvc\NetCost!Cost4G
HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPrinting
HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard!DomainDisplayPrinters_State, HKL
HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard!NonDomainDisplayPrinters_State,
HKLM\Software\Policies\Microsoft\Windows NT\Printers!RegisterSpoolerRemoteRpcEndPoint
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PublishPrinters
HKLM\Software\Policies\Microsoft\Windows NT\Printers!Immortal
HKLM\Software\Policies\Microsoft\Windows NT\Printers!ForceSoftwareRasterization
HKLM\Software\Policies\Microsoft\Windows NT\Printers!ForceCSREMFDespooling
HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Auto Publishing
HKLM\Software\Policies\Microsoft\Windows NT\Printers!MXDWUseLegacyOutputFormatMSXPS
HKLM\Software\Policies\Microsoft\Windows NT\Printers!VerifyPublishedState
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PhysicalLocation
HKLM\Software\Policies\Microsoft\Windows NT\Printers!SupportLink
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruningInterval
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruningPriority
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruningRetries
HKLM\Software\Policies\Microsoft\Windows NT\Printers!KMPrintersAreBlocked
HKLM\Software\Policies\Microsoft\Windows NT\Printers!V4DriverDisallowPrinterExtension
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PrintDriverIsolationExecutionPolicy
HKLM\Software\Policies\Microsoft\Windows NT\Printers!DoNotInstallCompatibleDriverFromWindo
HKLM\Software\Policies\Microsoft\Windows NT\Printers!ApplicationDriverIsolation
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruningRetryLog
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint!PackagePointAndPr
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PrintDriverIsolationOverrideCompat
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint!PackagePointAndPrin
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint!Restricted, HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PhysicalLocationSupport
HKLM\Software\Policies\Microsoft\Windows NT\Printers!ServerThread
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruneDownlevel
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPoli
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe\A
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL

HKLM\Software\Policies\Microsoft\Windows\Backup\Server!OnlySystemBackup
HKLM\Software\Policies\Microsoft\Windows\Backup\Server!NoBackupToDisk
HKLM\Software\Policies\Microsoft\Windows\Backup\Server!NoBackupToNetwork
HKLM\Software\Policies\Microsoft\Windows\Backup\Server!NoBackupToOptical
HKLM\Software\Policies\Microsoft\Windows\Backup\Server!NoRunNowBackup
HKLM\Software\Policies\Microsoft\Windows\Explorer!StartPinAppsWhenInstalled, HKLM\Software\P
HKLM\Software\Policies\Microsoft\Windows\Explorer!LockedStartLayout, HKLM\Software\Policies\M
HKLM\Software\Policies\Microsoft\Windows NT\Reliability!SnapShot
HKLM\Software\Policies\Microsoft\Windows\System!DLT_AllowDomainMode
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!VerboseStatus
HKLM\Software\Policies\Microsoft\Windows NT\Reliability!ShutdownReasonOn, HKLM\Software\Pol
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoEncryptOnMove
HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\MYS!DisableShowAtLogon
HKLM\Software\Policies\Microsoft\Windows NT!DontPowerOffAfterShutdown
HKLM\Software\Policies\Microsoft\Windows\App Management!COMClassStore
HKLM\Software\Policies\Microsoft\Windows NT\Reliability!TimeStampEnabled, HKLM\Software\Polic
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableStatusMessages
HKLM\Software\Policies\Microsoft\Windows\System!HelpQualifiedRootDir
HKLM\Software\Policies\Microsoft\Windows\System!DisableInHelp
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Servicing, HKLM\Software\Microsoft\Wi
HKLM\Software\Policies\Microsoft\Windows NT\Setup!SourcePath
HKLM\Software\Policies\Microsoft\Windows NT\Setup!ServicePackSourcePath
HKLM\Software\Policies\Microsoft\Windows\System!DisableHHDEP
HKLM\SOFTWARE\Policies\Microsoft\Windows\ADR\AccessDenied!Enabled, HKLM\SOFTWARE\Polici
HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer!EnableShellExecuteFileStreamCheck
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit!ProcessCreationIncludeCmdLine_Enabled
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowDefaultCredentials, HKLM\
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowDefCredentialsWhenNTLM
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowFreshCredentials, HKLM\So
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowFreshCredentialsWhenNT
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowSavedCredentials, HKLM\S
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowSavedCredentialsWhenNT
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!DenyDefaultCredentials, HKLM\S
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!DenyFreshCredentials, HKLM\So
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!DenySavedCredentials, HKLM\So
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!RestrictedRemoteAdministratio
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!AllowRemoteRPC
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!InstallTimeout
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!DisableSendGenericDriverNot
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!DisableSystemRestore
HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata!PreventDeviceMetadataFromNetw
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!DisableSendRequestAdditional
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!AllSigningEqual
HKLM\Software\Policies\Microsoft\Windows\DriverSearching!SearchOrderConfig
HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DriverServerSelection
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!DisableBalloonTips
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!AllowAdminInstall
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!AllowDeviceIDs, HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!AllowDeviceClasses, HKLM\So
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy!SimpleText
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy!DetailText
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!DenyUnspecified
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!DenyDeviceIDs, HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!DenyDeviceClasses, HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!DenyRemovableDevices
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!ForceReboot, HKLM\Software
HKLM\Software\Policies\Microsoft\Windows\DeviceRedirect\Restrictions!DenyDeviceIDs, HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows\DeviceRedirect\Restrictions!AllowRedirect
HKLM\Software\Policies\Microsoft\Windows\NvCache!OptimizeBootAndResume
HKLM\Software\Policies\Microsoft\Windows\NvCache!EnablePowerModeState
HKLM\Software\Policies\Microsoft\Windows\NvCache!EnableNvCache
HKLM\Software\Policies\Microsoft\Windows\NvCache!EnableSolidStateMode
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!ApplyToRemovableMedia
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!Enable
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!Enforce
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!LogEventOverLimit
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!LogEventOverThreshold
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!Limit, HKLM\Software\Policies\Microsof
HKLM\Software\Policies\Microsoft\Windows NT\DCOM\AppCompat!AllowLocalActivationSecurityCh
HKLM\Software\Policies\Microsoft\Windows NT\DCOM\AppCompat!ListBox_Support_ActivationSecu
HKLM\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions!AllowUserDeviceClasses, HKL
HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontPromptForWindowsUpdate
HKLM\System\CurrentControlSet\Policies\EarlyLaunch!DriverLoadPolicy, HKLM\System\CurrentControlSet\Policies\EarlyLaun
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices!RootHubConnectedEnStorDe
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices\ApprovedEnStorDevices!Poli
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices\ApprovedSilos!SiloAllowListP
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices!DisallowLegacyDiskDevices
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices!DisablePasswordAuthenticat
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices!TCGSecurityActivationDisabl
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices!LockDeviceOnMachineLock
HKLM\SOFTWARE\Policies\Microsoft\Windows\FCI!EnableManualUX
HKLM\SOFTWARE\Policies\Microsoft\Windows\FCI!CentralClassificationList
HKLM\Software\Policies\Microsoft\Windows\fssProv!EncryptProtocol
HKLM\System\CurrentControlSet\Policies!DisableDeleteNotification
HKLM\Software\Policies\Microsoft\Windows\Filesystems\NTFS!SymLinkState, HKLM\Software\Polic
HKLM\System\CurrentControlSet\Policies!NtfsDisableCompression
HKLM\System\CurrentControlSet\Policies!NtfsDisableEncryption
HKLM\System\CurrentControlSet\Policies!NtfsEnableTxfDeprecatedFunctionality
HKLM\System\CurrentControlSet\Policies!NtfsEncryptPagingFile
HKLM\System\CurrentControlSet\Policies!NtfsDisable8dot3NameCreation
HKLM\Software\Policies\Microsoft\Windows\System\Fdeploy!PrimaryComputerEnabledFR
HKLM\Software\Policies\Microsoft\Windows\System\Fdeploy!LocalizeXPRelativePaths
HKLM\Software\Policies\Microsoft\Windows\System!ProcessTSUserLogonAsync
HKLM\Software\Policies\Microsoft\Windows\System!AllowX-ForestPolicy-and-RUP
HKLM\Software\Policies\Microsoft\Windows\Group Policy!OnlyUseLocalAdminFiles
HKLM\Software\Policies\Microsoft\Windows\System!SlowlinkDefaultToAsync
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{F9C77450-3A41-477E-9310-9ACD617BD9
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{728EE579-943C-4519-9EF7-AB56765798E
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{1A6364EB-776B-4120-ADE1-B63A406A76
HKLM\Software\Policies\Microsoft\Windows\System!SlowLinkDefaultForDirectAccess
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{3610eda5-77ef-11d2-8dc5-00c04fa31a6
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{5794DAFD-BE60-433f-88A2-1A31939AC0
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{0E28E245-9368-4853-AD84-6DA3BA35BB
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{7150F9BF-48AD-4da4-A49C-29EF4A8369
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{A3F3E39B-5D83-4940-B954-28315B82F0
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{25537BA6-77A8-11D2-9B6C-0000F80808
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{6232C319-91AC-4931-9385-E70C2B099F0
HKLM\Software\Policies\Microsoft\Windows\System!EnableLogonOptimization, HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\System!GroupPolicyMinTransferRate, HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{74EE6C03-5363-4554-B161-627540339C
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86A
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{E47248BA-94CC-49c4-BBB5-9EB7F05183
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{e437bc1c-aa7d-11d2-a382-00c04f991e2
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{17D89FEC-5C44-4972-B12D-241CAEF745
HKLM\Software\Policies\Microsoft\Windows\System!EnableLogonScriptDelay, HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{3A0DBA37-F8B2-4356-83DE-3E90BD5C26
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{E62688F0-25FD-4c90-BFF5-F508B9D2E31
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{BC75B1ED-5833-4858-9BB8-CBF0B166DF
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{E5094040-C46C-4115-B030-04FB2E545B0
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBC
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B087BE9D-ED37-454f-AF9C-04291E35118
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{AADCED64-746C-4633-A97C-D613490465
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{42B5FAAE-6536-11d2-AE5A-0000F87571
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{91FBB303-0CD5-4055-BF42-E512A681B3
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{C418DD9D-0D14-4efb-8FBF-CFE535C8FA
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{c6dc5466-785a-11d2-84d0-00c04fb169f
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{E4F48E54-F38D-4884-BFB9-D4D2E5729C
HKLM\Software\Policies\Microsoft\Windows\System!UserPolicyMode
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B587E2B1-4D59-4e7e-AED9-22B9DF11D
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7F
HKLM\Software\Policies\Microsoft\Windows\System!DenyRsopToInteractiveUser
HKLM\Software\Policies\Microsoft\Windows\System!ResetDfsClientInfoDuringRefreshPolicy
HKLM\Software\Policies\Microsoft\Windows\System!EnableLogonOptimizationOnServerSKU, HKLM
HKLM\Software\Policies\Microsoft\Windows\System!DenyUsersFromMachGP
HKLM\Software\Policies\Microsoft\Windows\System!GroupPolicyRefreshTime, HKLM\Software\Poli
HKLM\Software\Policies\Microsoft\Windows\System!GroupPolicyRefreshTimeDC, HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\System!GpNetworkStartTimeoutPolicyValue
HKLM\Software\Policies\Microsoft\Windows\System!CorpConnStartTimeoutPolicyValue
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableBkGndGroupPolicy
HKLM\Software\Policies\Microsoft\Windows\System!DisableAOACProcessing
HKLM\Software\Policies\Microsoft\Windows\System!DisableLGPOProcessing
HKLM\Software\Policies\Microsoft\Windows\System!RSoPLogging
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{F9C77450-3A41-477E-9310-9ACD617BD9E
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{728EE579-943C-4519-9EF7-AB56765798E
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{1A6364EB-776B-4120-ADE1-B63A406A76
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{5794DAFD-BE60-433f-88A2-1A31939AC01
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{0E28E245-9368-4853-AD84-6DA3BA35BB
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{7150F9BF-48AD-4da4-A49C-29EF4A8369B
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{A3F3E39B-5D83-4940-B954-28315B82F0A
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{6232C319-91AC-4931-9385-E70C2B099F0
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{74EE6C03-5363-4554-B161-627540339CA
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{E47248BA-94CC-49c4-BBB5-9EB7F05183D
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{17D89FEC-5C44-4972-B12D-241CAEF7450
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{E5094040-C46C-4115-B030-04FB2E545B0
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B087BE9D-ED37-454f-AF9C-04291E35118
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{AADCED64-746C-4633-A97C-D613490465
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{91FBB303-0CD5-4055-BF42-E512A681B32
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{E4F48E54-F38D-4884-BFB9-D4D2E5729C1
HKLM\Software\Policies\Microsoft\InternetManagement!RestrictCommunication, HKLM\Software\Mi
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DisableWindowsUpdateAccess
HKLM\Software\Policies\Microsoft\Windows\Explorer!NoUseStoreOpenWith
HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot!DisableRootAutoUpdate
HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload
HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftEventVwrDisableLinks
HKLM\Software\Policies\Microsoft\Windows\TabletPC!PreventHandwritingDataSharing
HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports!PreventHandwritingErrorRep
HKLM\Software\Policies\Microsoft\PCHealth\HelpSvc!Headlines
HKLM\Software\Policies\Microsoft\PCHealth\HelpSvc!MicrosoftKBSearch
HKLM\Software\Policies\Microsoft\Windows\Internet Connection Wizard!ExitOnMSICW
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetOpenWith
HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting
HKLM\Software\Policies\Microsoft\Windows\Registration Wizard Control!NoRegistration
HKLM\Software\Policies\Microsoft\SearchCompanion!DisableContentFileUpdates
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoOnlinePrintsWizard
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPublishingWizard
HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP
HKLM\Software\Policies\Microsoft\SQMClient\Windows!CEIPEnable
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!DoReport, HKLM\Software\Policies\Mi
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator!NoActiveProbe
HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate
HKLM\Software\Policies\Microsoft\Windows\iSCSI!RestrictAdditionalLogins
HKLM\Software\Policies\Microsoft\Windows\iSCSI!ChangeIQNName
HKLM\Software\Policies\Microsoft\Windows\iSCSI!ChangeCHAPSecret
HKLM\Software\Policies\Microsoft\Windows\iSCSI!RequireIPSec
HKLM\Software\Policies\Microsoft\Windows\iSCSI!RequireMutualCHAP
HKLM\Software\Policies\Microsoft\Windows\iSCSI!RequireOneWayCHAP
HKLM\Software\Policies\Microsoft\Windows\iSCSI!NewStaticTargets
HKLM\Software\Policies\Microsoft\Windows\iSCSI!ConfigureTargets
HKLM\Software\Policies\Microsoft\Windows\iSCSI!ConfigureiSNSServers
HKLM\Software\Policies\Microsoft\Windows\iSCSI!ConfigureTargetPortals
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!EnableCbacA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!EmitLILI
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!RequestCom
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!UseForestSear
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!EnableTicketS
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!Alway
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos!domain_realm_Enabl
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos!MitRealms_Enabled,
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!NoRevo
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!RequireF
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!Enable
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!KdcValid
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!StrictTar
HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters!EnableMaxTokenSize, HKLM\Sys
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos!KdcProxyServer_Enab
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!CompoundIdDisabled, HKLM\Software\Pol
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!UseFores
HKLM\Software\Policies\Microsoft\Control Panel\International!PreventGeoIdChange
HKLM\Software\Policies\Microsoft\Control Panel\International!BlockUserInputMethodsForSignIn
HKLM\Software\Policies\Microsoft\Control Panel\International!CustomLocalesNoSelect
HKLM\Software\Policies\Microsoft\Control Panel\International!PreventUserOverrides
HKLM\Software\Policies\Microsoft\Control Panel\International!RestrictSystemLocales, HKLM\Softwar
HKLM\Software\Policies\Microsoft\Control Panel\International!RestrictUserLocales, HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\System!AllowDomainDelayLock
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!LogonType
HKLM\Software\Policies\Microsoft\Windows\System!UseOEMBackground
HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon!SyncForegroundPolicy
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DefaultLogonDomain
HKLM\Software\Policies\Microsoft\Windows\System!DontDisplayNetworkSelectionUI
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWelcomeScreen
HKLM\Software\Policies\Microsoft\Windows\System!DontEnumerateConnectedUsers
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableLocalMachineRun
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableLocalMachineRunOnc
HKLM\Software\Policies\Microsoft\Windows\System!EnumerateLocalUsers
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!ExcludedCredentialProviders
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideFastUserSwitching
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!EnableFirstLogonAnimation
HKLM\Software\Policies\Microsoft\Windows\System!DisableLockScreenAppNotifications
HKLM\Software\Policies\Microsoft\Windows\System!BlockDomainPicturePassword
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableStartupSound
HKLM\Software\Policies\Microsoft\Windows\System!AllowDomainPINLogon
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowNT4Crypto
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AvoidPdcOnWan
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowExclusiveScriptsShareAccess
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!ScavengeInterval
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowExclusiveSysvolShareAccess
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!ExpectedDialupDelay
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!dbFlag
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!MaximumLogFileSize
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!NegativeCachePeriod
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!NonBackgroundSuccessfulRefreshPeriod
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!SiteName
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!BackgroundRetryQuitTime
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!BackgroundRetryInitialPeriod
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!BackgroundRetryMaximumPeriod
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!BackgroundSuccessfulRefreshPeriod
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!PingUrgencyMode
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!IgnoreIncomingMailslotMessages
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AvoidFallbackNetbiosDiscovery
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!ForceRediscoveryInterval
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AddressTypeReturned
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!LdapSrvPriority
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!DnsTtl
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!LdapSrvWeight
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AddressLookupOnPingBehavior
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!DnsAvoidRegisterRecords
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!UseDynamicDns
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!DnsRefreshInterval
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!NdncSiteCoverage
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!SiteCoverage
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!GcSiteCoverage
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!TryNextClosestSite
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AutoSiteCoverage
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowDnsSuffixSearch
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowSingleLabelDnsDomain
HKLM\Software\Policies\Microsoft\Power\PowerSettings!ActivePowerScheme
HKLM\Software\Policies\Microsoft\Power\PowerSettings!ActivePowerScheme
HKLM\Software\Policies\Microsoft\Power\PowerSettings\5CA83367-6E45-459F-A27B-476B1D01C936
HKLM\Software\Policies\Microsoft\Power\PowerSettings\5CA83367-6E45-459F-A27B-476B1D01C936
HKLM\Software\Policies\Microsoft\Power\PowerSettings\7648EFA3-DD9C-4E3E-B566-50F929386280
HKLM\Software\Policies\Microsoft\Power\PowerSettings\7648EFA3-DD9C-4E3E-B566-50F929386280
HKLM\Software\Policies\Microsoft\Power\PowerSettings\96996BC0-AD50-47EC-923B-6F41874DD9E
HKLM\Software\Policies\Microsoft\Power\PowerSettings\96996BC0-AD50-47EC-923B-6F41874DD9E
HKLM\Software\Policies\Microsoft\Power\PowerSettings\A7066653-8D6C-40A8-910E-A1F54B84C7E5
HKLM\Software\Policies\Microsoft\Power\PowerSettings\A7066653-8D6C-40A8-910E-A1F54B84C7E5
HKLM\Software\Policies\Microsoft\Power\PowerSettings\6738E2C4-E8A5-4A42-B16A-E040E769756E
HKLM\Software\Policies\Microsoft\Power\PowerSettings\6738E2C4-E8A5-4A42-B16A-E040E769756E
HKLM\Software\Policies\Microsoft\Power\PowerSettings\637EA02F-BBCB-4015-8E2C-A1C7B9C0B546
HKLM\Software\Policies\Microsoft\Power\PowerSettings\9A66D8D7-4FF7-4EF9-B5A2-5A326CA2A46
HKLM\Software\Policies\Microsoft\Power\PowerSettings\d8742dcb-3e6a-4b3c-b3fe-374623cdcf06!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\8183ba9a-e910-48da-8769-14ae6dc1170a!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\F3C5027D-CD16-4930-AA6B-90DB844A8F0
HKLM\Software\Policies\Microsoft\Power\PowerSettings\bcded951-187b-4d05-bccc-f7e51960c258!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\A4B195F5-8225-47D8-8012-9D41369786E2
HKLM\Software\Policies\Microsoft\Power\PowerSettings\A4B195F5-8225-47D8-8012-9D41369786E2
HKLM\Software\Policies\Microsoft\Power\PowerSettings\d4c1d4c8-d5cc-43d3-b83e-fc51215cb04d!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\d4c1d4c8-d5cc-43d3-b83e-fc51215cb04d!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\9D7815A6-7EE4-497E-8888-515A05F02364
HKLM\Software\Policies\Microsoft\Power\PowerSettings\9D7815A6-7EE4-497E-8888-515A05F02364
HKLM\Software\Policies\Microsoft\Power\PowerSettings\29F6C1DB-86DA-48C5-9FDB-F2B67B1F44D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\29F6C1DB-86DA-48C5-9FDB-F2B67B1F44D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0!A
HKLM\Software\Policies\Microsoft\Power\PowerSettings\94ac6d29-73ce-41a6-809f-6363ba21b47e!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\94ac6d29-73ce-41a6-809f-6363ba21b47e!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\B7A27025-E569-46c2-A504-2B96CAD225A
HKLM\Software\Policies\Microsoft\Power\PowerSettings\B7A27025-E569-46c2-A504-2B96CAD225A1
HKLM\Software\Policies\Microsoft\Power\PowerSettings\17aaa29b-8b43-4b94-aafe-35f64daaf1ee!D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\17aaa29b-8b43-4b94-aafe-35f64daaf1ee!A
HKLM\Software\Policies\Microsoft\Power\PowerSettings\f1fbfde2-a960-4165-9f88-50667911ce96!D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\f1fbfde2-a960-4165-9f88-50667911ce96!A
HKLM\Software\Policies\Microsoft\Power\PowerSettings\90959D22-D6A1-49B9-AF93-BCE885AD335
HKLM\Software\Policies\Microsoft\Power\PowerSettings\90959D22-D6A1-49B9-AF93-BCE885AD335
HKLM\Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7
HKLM\Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7
HKLM\Software\Policies\Microsoft\Power\PowerSettings\309dce9b-bef4-4119-9921-a851fb12f0f4!D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\309dce9b-bef4-4119-9921-a851fb12f0f4!A
HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRE!DisableSetup
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!CreateEncryptedOnlyTickets
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowUnsolicited, HKLM\Software
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowToGetHelp, HKLM\Software\
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!UseCustomMessages, HKLM\Softw
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!UseBandwidthOptimization, HKL
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!LoggingEnabled
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!EnableAuthEpResolution
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!IgnoreDelegationFailure
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!StateInformation
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!ExtErrorInformation, HKLM\Software\Policies\
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!RestrictRemoteClients
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!MinimumConnectionTimeout
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices!Deny_All
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices!AllowRemoteDASD
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Read!Deny_R
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Write!Deny_W
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices!RebootTimeinSeconds_stat
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!Allow-LogonScript-NetbiosDisa
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideShutdownScripts
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideStartupScripts
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunLogonScriptSync
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunStartupScriptSync
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunComputerPSScriptsFirst
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunUserPSScriptsFirst
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!MaxGPOScriptWait
HKLM\Software\Policies\Microsoft\Windows\Server\ServerManager!RefreshIntervalEnabled, HKLM\S
HKLM\Software\Policies\Microsoft\Windows\Server\InitialConfigurationTasks!DoNotOpenAtLogon
HKLM\Software\Policies\Microsoft\Windows\Server\ServerManager!DoNotOpenAtLogon
HKLM\Software\Policies\Microsoft\Windows\System!HiberbootEnabled
HKLM\Software\Policies\Microsoft\Windows\System!AllowBlockingAppsAtShutdown
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore!DisableConfig
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore!DisableSR
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI!ScenarioExecutionEnabled, HKLM\SOFTWARE\Pol
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI!DataRetentionBySizeEnabled, HKLM\SOFTWARE\P
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{88D69CE1-577A-4dd9-87AE-AD36D3CD9643}!Sc
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{659F08FB-2FAB-42a7-BD4F-566CFA528769}!Sce
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{acfd1ca6-18b6-4ccf-9c07-580cdb6eded4}!Scena
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{D113E4AA-2D07-41b1-8D9B-C065194A791D}!Sc
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{081D3213-48AA-4533-9284-D98F01BDC8E6}!Sce
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePcaUI
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{affc81e2-612a-4f70-6fb2-916ff5c7e3f8}!Scenar
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{8519d925-541e-4a2b-8b1e-8059d16082f2}!Scen
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{29689E29-2CE9-4751-B4FC-8EFF5066E3FD}!Dfd
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{29689E29-2CE9-4751-B4FC-8EFF5066E3FD}!Sce
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{dc42ff48-e40d-4a60-8675-e71f7e64aa9a}!Scena
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{C295FBBA-FD47-46ac-8BEE-B1715EC634E5}!Sce
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{C295FBBA-FD47-46ac-8BEE-B1715EC634E5}!Do
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy!DisableQueryRe
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{54077489-683b-4762-86c8-02cf87a33423}!Scen
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScheduledDiagnostics!EnabledExecution, HKLM\SOFT
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics!ValidateTrust
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics!EnableDiagnostics
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy!EnableQueryRem
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{67144949-5132-4859-8036-a737b43825d8}!Scen
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{eb73b633-3f4e-4ba0-8f60-8f3c6f53168f}!Scena
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}!Scen
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{3af8b24a-c441-4fa4-8c5c-bed591bfa867}!Scena
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{2698178D-FDAD-40AE-9D3C-1371703ADC5B}!Sc
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}!Scenar
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}!Scen
HKLM\Software\Policies\Microsoft\TPM!OSManagedAuthLevel
HKLM\SOFTWARE\Policies\Microsoft\Tpm\BlockedCommands!Enabled, HKLM\SOFTWARE\Policies\M
HKLM\Software\Policies\Microsoft\TPM\BlockedCommands!IgnoreDefaultList
HKLM\Software\Policies\Microsoft\TPM\BlockedCommands!IgnoreLocalList
HKLM\Software\Policies\Microsoft\Tpm!StandardUserAuthorizationFailureIndividualThreshold, HKLM
HKLM\Software\Policies\Microsoft\Tpm!StandardUserAuthorizationFailureDuration, HKLM\Software\
HKLM\Software\Policies\Microsoft\Tpm!StandardUserAuthorizationFailureTotalThreshold, HKLM\Sof
HKLM\Software\Policies\Microsoft\TPM!ActiveDirectoryBackup, HKLM\Software\Policies\Microsoft
HKLM\Software\Policies\Microsoft\Windows\System!AddAdminGroupToRUP
HKLM\Software\Policies\Microsoft\Windows\System!UserProfileMinTransferRate, HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\System!DeleteRoamingCache
HKLM\Software\Policies\Microsoft\Windows\System!CleanupProfiles
HKLM\Software\Policies\Microsoft\Windows\System!SlowLinkDetectEnabled
HKLM\Software\Policies\Microsoft\Windows\System!CompatibleRUPSecurity
HKLM\Software\Policies\Microsoft\Windows\System!DisableForceUnload
HKLM\Software\Policies\Microsoft\Windows\System!ProfileErrorAction
HKLM\Software\Policies\Microsoft\Windows\System!PrimaryComputerEnabledRUP
HKLM\Software\Policies\Microsoft\Windows\System!ProfileDlgTimeOut
HKLM\Software\Policies\Microsoft\Windows\System!LeaveAppMgmtData
HKLM\Software\Policies\Microsoft\Windows\System!ProfileUnloadTimeout
HKLM\Software\Policies\Microsoft\Windows\System!LocalProfile
HKLM\Software\Policies\Microsoft\Windows\System!ReadOnlyProfile
HKLM\Software\Policies\Microsoft\Windows\System!SlowLinkUIEnabled
HKLM\Software\Policies\Microsoft\Windows\System!WaitForNetwork
HKLM\Software\Policies\Microsoft\Windows\System!MachineProfilePath
HKLM\Software\Policies\Microsoft\Windows\System!UploadHiveMethod, HKLM\Software\Policies\M
HKLM\Software\Policies\Microsoft\Windows\System!HomeDirLocation, HKLM\Software\Policies\M
HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo!DisabledByGroupPolicy
HKLM\Software\Policies\Microsoft\Windows\System!AllowUserInfoAccess, HKLM\Software\Policies
HKLM\Software\Policies\Microsoft\Windows\System!SlowLinkProfileDefault
HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection!SfcShowProgress
HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection!SfcQuota
HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection!SfcScan
HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection!SFCDllCacheDir
HKLM\Software\Policies\Microsoft\W32Time\Config!FrequencyCorrectRate, HKLM\Software\Policies
HKLM\Software\Policies\Microsoft\W32time\Parameters!NtpServer, HKLM\Software\Policies\Micros
HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient!Enabled
HKLM\Software\Policies\Microsoft\W32Time\TimeProviders\NtpServer!Enabled
HKLM\SOFTWARE\Policies\Microsoft\Windows\AxInstaller!ApprovedList, HKLM\SOFTWARE\Policies\M
HKLM\SOFTWARE\Policies\Microsoft\Windows\AxInstaller\AxISURLZonePolicies!InstallTrustedOCX,
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU!Disabled
HKLM\Software\Policies\Microsoft\Windows\Appx!AllowAllTrustedApps
HKLM\Software\Policies\Microsoft\Windows\Appx!AllowDeploymentInSpecialProfiles
HKLM\Software\Policies\Microsoft\Windows\Appx!AllowDevelopmentWithoutDevLicense
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!MSAOptional
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!BlockFileElevation
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!BlockProtocolElevation
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Packages\Applications!EnableDynamicC
HKLM\Software\Policies\Microsoft\Windows\AppCompat!VDMDisallowed
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePropPage
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableEngine
HKLM\Software\Policies\Microsoft\Windows\AppCompat!AITEnable
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableInventory
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePCA
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableUAR
HKLM\Software\Policies\Microsoft\Windows\AppCompat!SbEnable
HKLM\Software\Policies\Microsoft\Windows\Explorer!NoAutoplayfornonVolume
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DontSetAutoplayCheckbox
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutorun
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDriveTypeAutoRun
HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider!Domain Accounts
HKLM\SOFTWARE\Policies\Microsoft\Biometrics!Enabled
HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider!Enabled
HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider!SwitchTimeoutInSeconds
HKLM\SOFTWARE\Policies\Microsoft\FVE!DefaultRecoveryFolderPath
HKLM\SOFTWARE\Policies\Microsoft\FVE!EncryptionMethodNoDiffuser
HKLM\SOFTWARE\Policies\Microsoft\FVE!EncryptionMethod
HKLM\SOFTWARE\Policies\Microsoft\FVE!UseRecoveryPassword, HKLM\SOFTWARE\Policies\Microso
HKLM\Software\Policies\Microsoft\FVE!MorBehavior
HKLM\Software\Policies\Microsoft\FVE!IdentificationField, HKLM\Software\Policies\Microsoft\FVE!Id
HKLM\Software\Policies\Microsoft\FVE!ActiveDirectoryBackup, HKLM\Software\Policies\Microsoft\F
HKLM\Software\Policies\Microsoft\FVE!CertificateOID
HKLM\Software\Policies\Microsoft\FVE!FDVDiscoveryVolumeType, HKLM\Software\Policies\Micros
HKLM\SOFTWARE\Policies\Microsoft\FVE!FDVRecovery, HKLM\SOFTWARE\Policies\Microsoft\FVE!FD
HKLM\SOFTWARE\Policies\Microsoft\FVE!FDVHardwareEncryption, HKLM\SOFTWARE\Policies\Micros
HKLM\Software\Policies\Microsoft\FVE!FDVPassphrase, HKLM\Software\Policies\Microsoft\FVE!FDV
HKLM\Software\Policies\Microsoft\FVE!FDVAllowUserCert, HKLM\Software\Policies\Microsoft\FVE!
HKLM\System\CurrentControlSet\Policies\Microsoft\FVE!FDVDenyWriteAccess
HKLM\SOFTWARE\Policies\Microsoft\FVE!FDVEncryptionType, HKLM\SOFTWARE\Policies\Microsoft
HKLM\Software\Policies\Microsoft\FVE!UseEnhancedPin
HKLM\SOFTWARE\Policies\Microsoft\FVE!OSManageNKP
HKLM\Software\Policies\Microsoft\FVE!OSAllowSecureBootForIntegrity
HKLM\SOFTWARE\Policies\Microsoft\FVE!OSRecovery, HKLM\SOFTWARE\Policies\Microsoft\FVE!OSM
HKLM\Software\Policies\Microsoft\FVE!MinimumPIN
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation!Enabled, HKLM\SOFTWARE\Policies\Micr
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS!Enabled, HKLM\SOFTWARE\Poli
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI!Enabled, HKLM\SOFTWARE\Polic
HKLM\SOFTWARE\Policies\Microsoft\FVE!OSHardwareEncryption, HKLM\SOFTWARE\Policies\Microso
HKLM\Software\Policies\Microsoft\FVE!OSPassphrase, HKLM\Software\Policies\Microsoft\FVE!OSPa
HKLM\Software\Policies\Microsoft\FVE!DisallowStandardUserPINReset
HKLM\Software\Policies\Microsoft\FVE!OSEnablePrebootInputProtectorsOnSlates
HKLM\SOFTWARE\Policies\Microsoft\FVE!OSEncryptionType, HKLM\SOFTWARE\Policies\Microsoft\
HKLM\SOFTWARE\Policies\Microsoft\FVE!UseAdvancedStartup, HKLM\SOFTWARE\Policies\Microso
HKLM\SOFTWARE\Policies\Microsoft\FVE!EnableNonTPM, HKLM\SOFTWARE\Policies\Microsoft\FVE!U
HKLM\Software\Policies\Microsoft\FVE!TPMAutoReseal
HKLM\Software\Policies\Microsoft\FVE!OSUseEnhancedBcdProfile, HKLM\Software\Policies\Microsoft
HKLM\Software\Policies\Microsoft\FVE!RDVDiscoveryVolumeType, HKLM\Software\Policies\Micros
HKLM\SOFTWARE\Policies\Microsoft\FVE!RDVRecovery, HKLM\SOFTWARE\Policies\Microsoft\FVE!R
HKLM\SOFTWARE\Policies\Microsoft\FVE!RDVHardwareEncryption, HKLM\SOFTWARE\Policies\Micros
HKLM\Software\Policies\Microsoft\FVE!RDVPassphrase, HKLM\Software\Policies\Microsoft\FVE!RD
HKLM\Software\Policies\Microsoft\FVE!RDVAllowUserCert, HKLM\Software\Policies\Microsoft\FVE
HKLM\Software\Policies\Microsoft\FVE!RDVConfigureBDE, HKLM\Software\Policies\Microsoft\FVE!
HKLM\System\CurrentControlSet\Policies\Microsoft\FVE!RDVDenyWriteAccess, HKLM\Software\Pol
HKLM\SOFTWARE\Policies\Microsoft\FVE!RDVEncryptionType, HKLM\SOFTWARE\Policies\Microsoft
HKLM\Software\Policies\Microsoft\Windows\CredUI!DisablePasswordReveal
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI!EnumerateAdministrators
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI!EnableSecureCredentialPrompt
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUnsignedGa
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffSidebar
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUserInstalle
HKLM\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowFlip3d
HKLM\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowAnimations
HKLM\SOFTWARE\Policies\Microsoft\Windows\DWM!DisableAccentGradient
HKLM\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowColorizationColorChanges
HKLM\SOFTWARE\Policies\Microsoft\Windows\DWM!DefaultColorizationColorState, HKLM\SOFTWAR
HKLM\System\CurrentControlSet\Policies\Microsoft\Compatibility!DisableDeviceFlags
HKLM\System\CurrentControlSet\Policies\Microsoft\Compatibility!DisableDriverShims
HKLM\SOFTWARE\Policies\Microsoft\Windows\Digital Locker!DoNotRunDigitalLocker
HKLM\Software\Policies\Microsoft\Windows\EdgeUI!DisableHelpSticker
HKLM\Software\Policies\Microsoft\EMET\AppSettings
HKLM\Software\Policies\Microsoft\EMET\SysSettings!DeepHooks, HKLM\Software\Policies\Microsof
HKLM\Software\Policies\Microsoft\EMET\Defaults!IE
HKLM\Software\Policies\Microsoft\EMET\Defaults!WindowsMediaPlayer, HKLM\Software\Policies\Mi
HKLM\Software\Policies\Microsoft\EMET\Defaults, HKLM\Software\Policies\Microsoft\EMET\Defaul
HKLM\Software\Policies\Microsoft\EMET\SysSettings!TrayIconMsg
HKLM\Software\Policies\Microsoft\EMET\SysSettings!AgentStartHidden
HKLM\Software\Policies\Microsoft\EMET\SysSettings!EventLog, HKLM\Software\Policies\Microsoft
HKLM\Software\Policies\Microsoft\EMET\SysSettings!ASLR
HKLM\Software\Policies\Microsoft\EMET\SysSettings!DEP
HKLM\Software\Policies\Microsoft\EMET\SysSettings!SEHOP
HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding!MaxForwardingRate
HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!AutoBackupLogFiles
HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!ChannelAccess
HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!Retention
HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!File
HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!MaxSize
HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!AutoBackupLogFiles
HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!ChannelAccess
HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!Retention
HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!File
HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!MaxSize
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!AutoBackupLogFiles
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!ChannelAccess
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!Retention
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!File
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!MaxSize
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!Enabled
HKLM\Software\Policies\Microsoft\Windows\EventLog\System!AutoBackupLogFiles
HKLM\Software\Policies\Microsoft\Windows\EventLog\System!ChannelAccess
HKLM\Software\Policies\Microsoft\Windows\EventLog\System!Retention
HKLM\Software\Policies\Microsoft\Windows\EventLog\System!File
HKLM\Software\Policies\Microsoft\Windows\EventLog\System!MaxSize
HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftRedirectionProgram
HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftRedirectionProgramCommandLineParame
HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftRedirectionURL
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ParentalControls!WPCEnableOnDomai
HKLM\Software\Policies\Microsoft\Windows\Explorer!EnableShellShortcutIconRemotePath
HKLM\Software\Policies\Microsoft\Windows\System!EnableSmartScreen, HKLM\Software\Policies\
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableBindDirectlyToPropert
HKLM\Software\Policies\Microsoft\Windows\Explorer!NoNewAppAlert
HKLM\Software\Policies\Microsoft\Windows\Explorer!DefaultLibrariesLocation
HKLM\Software\Policies\Microsoft\Windows\System!DefaultAssociationsConfiguration
HKLM\Software\Policies\Microsoft\Windows\Explorer!AdminInfoUrl
HKLM\Software\Policies\Microsoft\Windows\Explorer!ShowHibernateOption
HKLM\Software\Policies\Microsoft\Windows\Explorer!ShowLockOption
HKLM\Software\Policies\Microsoft\Windows\Explorer!ShowSleepOption
HKLM\Software\Policies\Microsoft\Windows\Explorer!ExplorerRibbonStartsMinimized, HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows\Explorer!NoDataExecutionPrevention
HKLM\Software\Policies\Microsoft\Windows\Explorer!NoHeapTerminationOnCorruption
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStrCmpLogical
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!PreXPSP2ShellProtocolBehavi
HKLM\Software\Policies\Microsoft\Windows\Explorer!CheckSameSourceAndTargetForFRAndDFS
HKLM\Software\Policies\Microsoft\PreviousVersions!DisableLocalPage
HKLM\Software\Policies\Microsoft\PreviousVersions!DisableRemotePage
HKLM\Software\Policies\Microsoft\PreviousVersions!HideBackupEntries
HKLM\Software\Policies\Microsoft\PreviousVersions!DisableLocalRestore
HKLM\Software\Policies\Microsoft\PreviousVersions!DisableBackupRestore
HKLM\Software\Policies\Microsoft\PreviousVersions!DisableRemoteRestore
HKLM\Software\Policies\Microsoft\Windows\FileHistory!Disabled
HKLM\Software\Policies\Microsoft\Windows\GameUX!DownloadGameInfo
HKLM\Software\Policies\Microsoft\Windows\GameUX!GameUpdateOptions
HKLM\Software\Policies\Microsoft\Windows\GameUX!ListRecentlyPlayed
HKLM\Software\Policies\Microsoft\Windows\HomeGroup!DisableHomeGroup
HKLM\Software\Policies\Microsoft\Windows NT\IIS!PreventIISInstall
HKLM\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableLocation
HKLM\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableLocationScripting
HKLM\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableSensors
HKLM\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableWindowsLocationProvider
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance!Activation Boundary
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance!Randomized, HKLM\Software\Policies\Microsoft\W
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance!WakeUp
HKLM\Software\Policies\Microsoft\Conferencing!NoRDS
HKLM\SOFTWARE\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Qecs\79620!Enabled
HKLM\Software\Policies\Microsoft\NetworkProjector!NetworkProjectionPortNo
HKLM\Software\Policies\Microsoft\NetworkProjector!DisableNetworkProjector
HKLM\Software\Policies\Microsoft\Assistance\Client\1.0!NoActiveHelp
HKLM\Software\Policies\Microsoft\Windows\PswdSync!UpdateRetryInterval_state, HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\PswdSync!MaxRetries_state, HKLM\Software\Policies
HKLM\Software\Policies\Microsoft\Windows\PswdSync!LoggingLevel
HKLM\Software\Policies\Microsoft\Windows\PswdSync!SNISPasswordSyncEnable
HKLM\System\CurrentControlSet\Policies\Microsoft\PortableOperatingSystem!Hibernate
HKLM\System\CurrentControlSet\Policies\Microsoft\PortableOperatingSystem!Sleep
HKLM\Software\Policies\Microsoft\PortableOperatingSystem!Launcher
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\PresentationSettings!NoPresentationSe
HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services!fSecureLicensing
HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services!fPreventLicenseUpgrade
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowUnsignedFiles
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowSignedFiles
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AuthenticationLevel
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!DisablePasswordSaving
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!PromptForCredsOnClient
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!TrustedCertThumbprints
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client!fClientDisableUDP
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client!fUsbRedirectionEnable
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\TSAppSrv\VirtualIP!PromptOnI
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\TSAppSrv\VirtualIP!VIPAdapte
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\TSAppSrv\TSMSI!Enable
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\TSAppSrv\VirtualIP!EnableVirt
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\TSAppSrv\VirtualIP!PromptOnI
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDenyTSConnections
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableAutoReconnect
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!KeepAliveEnable, HKLM\SOFTWAR
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableForcibleLogoff
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxInstanceCount
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fSingleSessionPerUser
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SelectNetworkDetect
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SelectTransport
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!Shadow
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\AllUserInstallAgent!LogonWait
HKLM\SOFTWARE\Policies\Microsoft\Windows\Session Manager\Quota System!EnableCpuQuota
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCam
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableAudioCapture
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableTimeZoneRedirection
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableClip
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCcm
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCdm
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableLPT
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableSmartCard
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisablePNPRedir
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowedAudioQualityMode
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableTerminalServerTooltip
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!LicensingMode
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!LicenseServers
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCpm
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fForceClientLptDef
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!RedirectOnlyDefaultClientPrint
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fPolicyFallbackPrintDriver, HK
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!UseUniversalPrinterDriverFirst
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!DeleteRoamingUserProfile, HKL
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WFProfilePath
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WFHomeDirUNC, HKLM\SOFTWAR
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WFDontAppendUserNameToPro
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SessionDirectoryClusterName
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SessionDirectoryLocation
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SessionDirectoryActive
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SessionDirectoryExposeServerI
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!ParticipateInLoadBalancing
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fAllowDesktopCompositionOnS
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fTurnOffSingleAppMode
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxCompressionLevel
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!ImageQuality
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!GraphicsProfile
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fNoFontSmoothing
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableVirtualizedGraphics
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fNoRemoteDesktopWallpaper
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!ColorDepth
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxXResolution, HKLM\SOFTWA
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxMonitors
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDisconnect
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoNTSecurity
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!InitialProgram, HKLM\SOFTWARE
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableRemoteFXAdvancedR
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!bEnumerateHWBeforeSW
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableVirtualizedGraphics
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!VisualExperiencePolicy
HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\!VGOptimization_CaptureFrameR
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fPromptForPassword
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fWritableTSCCPermTab
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEncryptRPCTraffic
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SecurityLayer
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!UserAuthentication
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!CertTemplateName
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MinEncryptionLevel
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fResetBroken
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxIdleTime
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxConnectionTime
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxDisconnectionTime
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!RemoteAppLogoffTimeLimit
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!DeleteTempDirsOnExit
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!PerSessionTempDir
HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableFeedPane
HKLM\Software\Policies\Microsoft\Internet Explorer\Feed Discovery!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableEnclosureDownload
HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableAddRemove
HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds!BackgroundSyncStatus
HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds!AllowBasicAuthInClear
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PrimaryIntranetSearchScopeUrl
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!SecondaryIntranetSearchScopeUrl
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowIndexingEncryptedStoresOrIt
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowUsingDiacritics
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AlwaysUseAutoLangDetection
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!RichAttachmentPreviews
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search\DefaultExcludedPaths
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search\DefaultIndexedPaths
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!DisableBackoff
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!DisableRemovableDriveIndexing
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!DisableWebSearch
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchUseWeb
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchUseWebOverMete
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!EnableIndexingDelegateMailboxes
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingUncachedExchange
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!EnableThrottlingOnlineMailboxes,
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!DataDirectory
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!HideUNCTab
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!FavoriteLocations
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AutoIndexSharedFolders
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventRemoteQueries
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventModifyingIndexedLocations
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventIndexingCertainPaths
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingEmailAttachments
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingOfflineFiles
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingOutlook
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ExcludedExtensionsMultiline0, HKL
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingPublicFolders
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexOnBattery
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventUsingAdvancedIndexingOpt
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventUnwantedAddins
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreviewPaneLocation
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!SearchResultIconSize
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchSafeSearch, HKLM
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchPrivacy, HKLM\SO
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingLowDiskSpaceMB
HKLM\Software\Policies\Microsoft\Windows NT\Security Center!SecurityCenterInDomain
HKLM\Software\Policies\Microsoft\Windows\Server for NIS!PushInterval_state, HKLM\Software\Poli
HKLM\Software\Policies\Microsoft\Windows\Server for NIS!LoggingLevel
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!ShutdownSessionTimeout
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableShutdownNamedPipe
HKLM\Software\Policies\Microsoft\Windows\Skydrive!DisableMeteredNetworkFileSync
HKLM\Software\Policies\Microsoft\Windows\Skydrive!DisableFileSync
HKLM\Software\Policies\Microsoft\Windows\Skydrive!DisableLibrariesDefaultSaveToSkyDrive
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!AllowCertificatesWit
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!EnumerateECCCerts
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!AllowIntegratedUnblo
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!AllowSignatureOnlyKe
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!AllowTimeInvalidCertif
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!X509HintsNeeded
HKLM\SOFTWARE\Policies\Microsoft\Windows\CertProp!RootCertificateCleanupOption
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!IntegratedUnblockPro
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!FilterDuplicateCerts
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!ForceReadingAllCertifi
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScPnP!ScPnPNotification
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!DisallowPlaintextPin
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!ReverseSubject
HKLM\SOFTWARE\Policies\Microsoft\Windows\CertProp!CertPropEnabled
HKLM\SOFTWARE\Policies\Microsoft\Windows\CertProp!EnableRootCertificatePropagation
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScPnP!EnableScPnP
HKLM\SOFTWARE\Policies\Microsoft\SoundRecorder!Soundrec
HKLM\Software\Policies\Microsoft\WindowsStore!AutoDownload
HKLM\Software\Policies\Microsoft\WindowsStore!AutoDownload
HKLM\Software\Policies\Microsoft\WindowsStore!DisableOSUpgrade
HKLM\Software\Policies\Microsoft\WindowsStore!RemoveWindowsStore
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableSettingSync, HKLM\Software\Polici
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableApplicationSettingSync, HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableAppSyncSettingSync, HKLM\Software\Policies\Microsoft\Wi
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableWebBrowserSettingSync, HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableDesktopThemeSettingSync, HKLM\S
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableSyncOnPaidNetwork
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableWindowsSettingSync, HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableCredentialsSettingSync, HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisablePersonalizationSettingSync, HKLM\S
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableStartLayoutSettingSync, HKLM\Soft
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!DisableInkball
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!DisableNoteWriterPrinting
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!DisableSnippingTool
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!DisableJournal
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffPenFeedback
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonBackEscapeMapping
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonApplicationLaunch
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonPressAndHold
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffButtons
HKLM\software\policies\microsoft\TabletTip\1.7!DisablePrediction
HKLM\software\policies\microsoft\TabletTip\1.7!HideIPTIPTarget
HKLM\software\policies\microsoft\TabletTip\1.7!HideIPTIPTouchTarget
HKLM\software\policies\microsoft\TabletTip\1.7!IncludeRareChar
HKLM\software\policies\microsoft\TabletTip\1.7!DisableEdgeTarget
HKLM\software\policies\microsoft\TabletTip\1.7!DisableACIntegration
HKLM\software\policies\microsoft\TabletTip\1.7!PasswordSecurityState, HKLM\software\policies\mi
HKLM\software\policies\microsoft\TabletTip\1.7!ScratchOutState, HKLM\software\policies\microsof
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!PreventFlicksLearningMode
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!PreventFlicks
HKLM\SOFTWARE\Policies\Microsoft\PenTraining!DisablePenTraining
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffTouchInput
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffPanning
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Disable Advanced
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Property Pages
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Execution
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Allow Browse
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!DragAndDrop
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Task Creation
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Task Deletion
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows!TurnOffWinCal
HKLM\Software\Policies\Microsoft\Windows\WindowsColorSystem!ProhibitInstallUninstall
HKLM\Software\Policies\Microsoft\SQMClient!CorporateSQMURL
HKLM\Software\Policies\Microsoft\SQMClient\Windows!StudyId, HKLM\Software\Policies\Microso
HKLM\Software\Policies\Microsoft\Windows Defender!ServiceKeepAlive
HKLM\Software\Policies\Microsoft\Windows Defender!AllowFastServiceStartup
HKLM\Software\Policies\Microsoft\Windows Defender!DisableLocalAdminMerge
HKLM\Software\Policies\Microsoft\Windows Defender!ProxyBypass, HKLM\Software\Policies\Micro
HKLM\Software\Policies\Microsoft\Windows Defender!ProxyServer, HKLM\Software\Policies\Micro
HKLM\Software\Policies\Microsoft\Windows Defender!RandomizeScheduleTaskTimes
HKLM\Software\Policies\Microsoft\Windows Defender!DisableRoutinelyTakingAction
HKLM\Software\Policies\Microsoft\Windows Defender!DisableAntiSpyware
HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration!CustomDefaultActionToastS
HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration!Notification_Suppress
HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions!Exclusions_Extensions, HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions!Exclusions_Paths, HKLM\Software
HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions!Exclusions_Processes, HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows Defender\Spynet!LocalSettingOverrideSpynetReporting
HKLM\Software\Policies\Microsoft\Windows Defender\Spynet!SpynetReporting, HKLM\Software\Pol
HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS!ThrottleDetectionEvents
HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS\SKU Differentiation!Nis_C
HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS!DisableSignatureRetirem
HKLM\Software\Policies\Microsoft\Windows Defender\NIS!DisableProtocolRecognition
HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS\Exclusions\IP Ranges!Ni
HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS\Exclusions\Ports!Nis_Co
HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS\Exclusions\Processes!Ni
HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS\Exclusions\Threat IDs!Ni
HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine!LocalSettingOverridePurgeItemsA
HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine!PurgeItemsAfterDelay, HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!LocalSettingOverrideDi
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!LocalSettingOverrideRe
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!LocalSettingOverrideDi
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!LocalSettingOverrideDi
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!LocalSettingOverrideDi
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!LocalSettingOverrideDi
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!RealtimeScanDirection,
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!IOAVMaxSize, HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableOnAccessProtec
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableIOAVProtection
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableRealtimeMonito
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableBehaviorMonito
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableInformationProt
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableIntrusionPreve
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableScanOnRealtim
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableRawWriteNotifi
HKLM\Software\Policies\Microsoft\Windows Defender\Remediation!LocalSettingOverrideScan_Sch
HKLM\Software\Policies\Microsoft\Windows Defender\Remediation!Scan_ScheduleDay, HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows Defender\Remediation!Scan_ScheduleTime, HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!CriticalFailureTimeout, HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!NonCriticalTimeout, HKLM\Softwar
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!RecentlyCleanedTimeout, HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!AdditionalActionTimeout, HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!DisableGenericRePorts
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!WppTracingComponents, HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!WppTracingLevel, HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!AllowPause
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!CheckForSignaturesBeforeRunningScan
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LocalSettingOverrideAvgCPULoadFacto
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LocalSettingOverrideScheduleDay
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LocalSettingOverrideScheduleQuickSca
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LocalSettingOverrideScheduleTime
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LocalSettingOverrideScanParameters
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableRestorePoint
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableScanningMappedNetworkDrivesF
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableArchiveScanning
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableScanningNetworkFiles
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisablePackedExeScanning
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableRemovableDriveScanning
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ScheduleDay, HKLM\Software\Policies
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!QuickScanInterval, HKLM\Software\Poli
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ArchiveMaxDepth, HKLM\Software\Pol
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!AvgCPULoadFactor, HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ArchiveMaxSize, HKLM\Software\Polici
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ScanParameters, HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ScheduleQuickScanTime, HKLM\Softwar
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ScheduleTime, HKLM\Software\Policie
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ScanOnlyIfIdle
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableCatchupFullScan
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableCatchupQuickScan
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableEmailScanning
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableHeuristics
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!PurgeItemsAfterDelay, HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableReparsePointScanning
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!ForceUpdateFromMU
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!DisableScheduledSignatu
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!SignatureDisableNotificat
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!RealtimeSignatureDeliver
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!UpdateOnStartUp
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!DefinitionUpdateFileShare
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!SignatureUpdateCatchupIn
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!ASSignatureDue, HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!AVSignatureDue, HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!FallbackOrder, HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!DisableUpdateOnStartup
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!ScheduleDay, HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!SignatureUpdateInterval,
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!ScheduleTime, HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!DisableScanOnUpdate
HKLM\Software\Policies\Microsoft\Windows Defender\Threats!Threats_ThreatSeverityDefaultAction
HKLM\Software\Policies\Microsoft\Windows Defender\Threats!Threats_ThreatIdDefaultAction, HKL
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!AutoApproveOSDumps
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\DW!DWNoExternalURL, HKLM\Software
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!LoggingDisabled
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!Disabled
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!ShowUI, HKLM\Software\Policies\Mic
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DontSendAdditionalData
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassDataThrottling
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DontShowUI
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassPowerThrottling
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassNetworkCostThrottl
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!CorporateWerServer, HKL
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DisableArchive, HKLM\SOF
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DisableQueue, HKLM\SOFT
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!AllOrNone, HKLM\Software\Policies\Mi
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\InclusionList
HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!IncludeKernelFaults
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!IncludeShutdownErrs
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent!DefaultConsent
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent!DefaultOverrideB
HKLM\Software\Policies\Microsoft\Windows\Installer!EnableUserControl
HKLM\Software\Policies\Microsoft\Windows\Installer!AllowLockdownBrowse
HKLM\Software\Policies\Microsoft\Windows\Installer!AllowLockdownPatch
HKLM\Software\Policies\Microsoft\Windows\Installer!AllowLockdownMedia
HKLM\Software\Policies\Microsoft\Windows\Installer!AlwaysInstallElevated
HKLM\Software\Policies\Microsoft\Windows\Installer!MaxPatchCacheSize
HKLM\Software\Policies\Microsoft\Windows\Installer!EnforceUpgradeComponentRules
HKLM\Software\Policies\Microsoft\Windows\Installer!MsiDisableEmbeddedUI
HKLM\Software\Policies\Microsoft\Windows\Installer!SafeForScripting
HKLM\Software\Policies\Microsoft\Windows\Installer!DisablePatch
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableFlyweightPatching
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableLUAPatching
HKLM\Software\Policies\Microsoft\Windows\Installer!DisablePatchUninstall
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableRollback
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableAutomaticApplicationShutdown
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableUserInstalls
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableBrowse
HKLM\Software\Policies\Microsoft\Windows\Installer!TransformsSecure
HKLM\Software\Policies\Microsoft\Windows\Installer!Logging
HKLM\Software\Policies\Microsoft\Windows\Installer!LimitSystemRestoreCheckpointing
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableLoggingFromPackage
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableSharedComponent
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableMSI
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!SoftwareSASGeneration
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisplayLastLogonInfo
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!ReportControllerMissing
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableAutomaticRestartSignO
HKLM\SOFTWARE\Policies\Microsoft\Windows Mail!DisableCommunities
HKLM\SOFTWARE\Policies\Microsoft\Windows Mail!ManualLaunchAllowed
HKLM\Software\Policies\Microsoft\WindowsMediaCenter!MediaCenter
HKLM\Software\Policies\Microsoft\WMDRM!DisableOnline
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!GroupPrivacyAcceptance
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!DisableAutoUpdate
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!DesktopShortcut
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!PreventLibrarySharing
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!QuickLaunchShortcut
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!DontUseFrameInterpolation
HKLM\Software\Policies\Microsoft\Messenger\Client!PreventRun
HKLM\Software\Policies\Microsoft\Messenger\Client!PreventAutoRun
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\MobilityCenter!NoMobilityCenter
HKLM\Software\Policies\Microsoft\Windows\PowerShell\UpdatableHelp!EnableUpdateHelpDefaultS
HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging!EnableModuleLogging, H
HKLM\Software\Policies\Microsoft\Windows\PowerShell!EnableScripts, HKLM\Software\Policies\Mi
HKLM\SOFTWARE\Policies\Microsoft\Windows\Reliability Analysis\WMI!WMIEnable
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowBasic
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowCredSSP
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowUnencryptedTraffic
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowDigest
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowKerberos
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowNegotiate
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!TrustedHosts, HKLM\Software\Policies\
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowBasic
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowCredSSP
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowAutoConfig, HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowUnencryptedTraffic
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowKerberos
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowNegotiate
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!DisableRunAs
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!CBTHardeningLevelStatus, HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!HttpCompatibilityListener
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!HttpsCompatibilityListener
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!AllowRemoteShellAccess
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!MaxConcurrentUsers
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!IdleTimeout, HKLM\Software\P
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!MaxMemoryPerShellMB
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!MaxProcessesPerShell
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!MaxShellsPerUser
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!ShellTimeOut
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!AutoInstallMinorUpdates
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!ElevateNonAdmins
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!AcceptTrustedPublisherCerts
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!AlwaysAutoRebootAtScheduledT
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!DetectionFrequencyEnabled, HKL
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAutoUpdate, HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!RebootWarningTimeoutEnabled,
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUAsDefaultShutdownOption
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DoNotConnectToWindowsUpdateInte
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUShutdownOption
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!TargetGroupEnabled, HKLM\Software
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!AUPowerManagement
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAutoRebootWithLoggedOnUse
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!RebootRelaunchTimeoutEnabled,
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!RescheduleWaitTimeEnabled, HK
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!UseWUServer, HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!IncludeRecommendedUpdates
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!EnableFeaturedSoftware
HKLM\Software\Policies\Microsoft\Windows\WorkFolders!AutoProvision
HKLM\Software\Policies\Microsoft\Windows\WorkplaceJoin!autoWorkplaceJoin
Supported On
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
Windows 7 or computers with BITS 3.5 installed.
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
Windows XP SP2 or Windows Server 2003 SP1, or computers with BITS 2.0 installed.
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
Windows 8 or Windows Server 2012 or Windows RT or computers with BITS 5 installed.
Windows 7 or computers with BITS 3.5 installed.
Windows 7 or computers with BITS 3.5 installed.
Windows XP or Windows Server 2003, or computers with BITS 1.5 installed.
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows 7 or Windows Server 2008 R2*
At least Windows 7 or Windows Server 2008 R2*
At least Windows 7 or Windows Server 2008 R2*
At least Windows 7 or Windows Server 2008 R2*
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
Windows XP Professional only
Windows XP Professional only
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
Windows XP Professional only
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2003 operating systems or Windows XP Professional
Windows Server 2003 and Windows XP only
Microsoft Windows Server 2003, Windows XP, and Windows 2000 Service Pack 1 operating systems o
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows 2000
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows Server 2008 R2 or Windows 7
Windows XP Professional only
At least Windows Vista
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2003 operating systems Service Pack 1, Windows XP Professional Service Pa
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows Vista
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows 2000
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows Vista
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista Service Pack 1
At least Windows Vista
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
Windows 2000 only
At least Windows Vista
At least Windows Vista
At least Windows Server 2003
At least Windows 2000
At least Windows 2000
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows 2000
At least Windows 2000
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows 2000
At least Windows 2000
At least Windows 2000
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Vista
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1

At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1


At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
Windows Server 2003 only
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
At least Windows Server 2003
At least Windows Server 2003 operating systems or Windows XP Professional with SP1
At least Windows 2000
At least Windows Server 2003
Windows Server 2003, Windows XP, and Windows 2000 only
At least Internet Explorer 6 Service Pack 1
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
tionIncludeCmdLine_Enabled
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
Windows Server 2008, Windows 7, and Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows Vista
Windows Server 2008, Windows Server 2003, Windows Vista, and Windows XP SP2
CurrentControlSet\Policies\EarlyLaunch!DriverLoadPolicy
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT

At least Windows Vista

At least Windows Server 2012, Windows 8 or Windows RT


At least Windows Vista
At least Windows Server 2008
At least Windows Server 2003
Windows Server 2003 and Windows XP only
At least Windows Vista
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows 2000
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows 2000
At least Windows Vista
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
At least Windows 2000
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows 2000
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows Server 2003 operating systems, Windows XP Professional Service Pack 1, or Windo
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, and Windows XP
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Vista
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
Windows Server 2008, Windows Server 2003, Windows Vista, and Windows XP SP2
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Vista
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2003 operating systems or Windows XP Professional
Windows Server 2008 R2 and Windows 7
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
Windows 2000 only
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows 2000
At least Windows 2000
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Vista
At least Windows 2000
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003
At least Windows Server 2003
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Vista
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2012 R2 or Windows 8.1
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
Windows Vista only
Windows Vista only
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
Windows Server 2008 R2 and Windows 7
At least Windows Vista
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows XP Professional with SP2
At least Windows Server 2003
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP1
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows 2000
At least Windows Server 2008
Windows Server 2008 and Windows Server 2008 R2 operating systems only
At least Windows Server 2008
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Vista
Windows Server 2008 with Desktop Experience installed or Windows Vista
Windows Server 2008 with Desktop Experience installed or Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
At least Windows 2000
At least Windows Vista
At least Windows 2000
At least Windows Server 2003 operating systems, Windows XP Professional Service Pack 1, or Windo
At least Windows Vista
At least Windows 2000
At least Windows Server 2012, Windows 8 or Windows RT
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows 2000
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2003
At least Windows Server 2003
At least Windows Server 2003
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows 2000
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008 and Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
Windows Server 2008 and Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012 or Windows 8
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012 or Windows 8
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012 or Windows 8
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
Windows Server 2008, Windows 7, and Windows Vista
At least Windows Server 2012 or Windows 8
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012 or Windows 8
At least Windows Server 2012 or Windows 8
At least Windows Server 2012 or Windows 8
At least Windows Server 2012 or Windows 8
At least Windows Server 2008 R2 or Windows 7
Windows Server 2008 and Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012 or Windows 8
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012 or Windows 8
At least Windows Server 2012, Windows 8 or Windows RT or at least Internet Explorer 10
At least Windows Vista
At least Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
Client: Windows XP SP3 and later. Server: Windows Server 2003 SP1 and later.
Client: Windows XP SP3 and later. Server: Windows Server 2003 SP1 and later.
Client: Windows XP SP3 and later. Server: Windows Server 2003 SP1 and later.
Client: Windows XP SP3 and later. Server: Windows Server 2003 SP1 and later.
Client: Windows XP SP3 and later. Server: Windows Server 2003 SP1 and later.
Client: Windows XP SP3 and later. Server: Windows Server 2003 SP1 and later.
Client: Windows XP SP3 and later. Server: Windows Server 2003 SP1 and later.
Client: Windows XP SP3 and later. Server: Windows Server 2003 SP1 and later. NOTE: Early Warning
Client: Windows XP SP3 and later. Server: Windows Server 2003 SP1 and later.
Client: Windows XP SP3 and later. Server: Windows Server 2003 SP1 and later.
Client: Windows XP SP3 and later. Server: Windows Server 2003 SP1 and later.
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows XP Professional with SP2
At least Windows Server 2008 R2 or Windows 7
Supported Windows Vista through Windows 7
At least Windows Vista
Supported Windows Vista through Windows 7
Supported Windows Vista through Windows 7
Supported Windows Vista through Windows 7
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
Windows Server 2003 only
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012, Windows 8 or Windows RT

HKLM\Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance!Random Delay

At least Windows NetMeeting v3.0


At least Windows XP Professional with SP2
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Server 2008
At least Windows Server 2008
At least Windows Server 2008
At least Windows Server 2008
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2003
At least Windows Server 2003
At least Windows Vista with Service Pack 1
At least Windows Vista with Service Pack 1
At least Windows Vista with Service Pack 1
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
At least Windows Vista with Service Pack 1
At least Windows Vista with Service Pack 1
At least Windows 8 or Windows RT
At least Windows 7 with Service Pack 1 or Windows Server 2008 R2 with Service Pack 1
At least Windows Server 2008 R2
At least Windows Server 2008 R2
At least Windows Server 2008 R2
At least Windows Server 2008 R2
At least Windows Server 2008 R2
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003
At least Windows XP and Windows Server 2003 only
At least Windows Server 2003
At least Windows Server 2003
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista,
At least Windows 8 Enterprise or Windows Server 2012 R2
At least Windows Server 2008 R2
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2003
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2003 with Service Pack 1
At least Windows Server 2003 with Service Pack 1
At least Windows Server 2003 with Service Pack 1
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2008
Windows Server 2003 with Service Pack 1 only
At least Windows Server 2008 or Windows 7
At least Windows Server 2008 R2
At least Windows Server 2003
At least Windows Server 2003
At least Windows Server 2003 with Service Pack 2
At least Windows Server 2003, Enterprise Edition
At least Windows Server 2003, Enterprise Edition
At least Windows Server 2003, Enterprise Edition
At least Windows Server 2003, Enterprise Edition
At least Windows Server 2008
Windows Server 2008 R2 only
At least Windows Server 2003 with Service Pack 1
At least Windows Vista with Service Pack 1
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2008 R2
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2003 operating systems or Windows XP Professional
Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, and Windows XP
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows 2000 Terminal Services
At least Windows 2000 Terminal Services
At least Windows Server 2003
At least Windows Server 2012 R2 or Windows 8.1
At least Windows Server 2012 R2 with RDSH role installed
Windows 7 or Windows Server 2008 R2 (and their subsequent Service Packs) only
Windows 7 or Windows Server 2008 R2 (and their subsequent Service Packs) only
Windows 7 or Windows Server 2008 R2 (and their subsequent Service Packs) only
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003
At least Windows Server 2003
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2008
At least Windows Server 2003
At least Windows Server 2003
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
Microsoft Windows XP, or Windows Server 2003 with Windows Search version 3.01 or later
Microsoft Windows XP, or Windows Server 2003 with Windows Search version 3.01 or later
Microsoft Windows Vista, or any version of Windows with Windows Search 4.0 or later
Microsoft Windows Vista, or any version of Windows with Windows Search 3.01 or later
Microsoft Windows 8 or later
Microsoft Windows XP, or Windows Server 2003 with Windows Search version 3.01 or later
Microsoft Windows XP, Windows Server 2003 with Windows Search version 3.01, or any version of M
Microsoft Windows XP, Windows Server 2003 with Windows Search version 3.01, or any version of M
Any version of Microsoft Windows with Windows Search 4.0 or later
Microsoft Windows 8.1 or later
Microsoft Windows XP, or Windows Server 2003 with Windows Search version 3.01 or later
Microsoft Windows 8.1 or later
Microsoft Windows 8.1 or later
Any version of Microsoft Windows with Windows Search 4.0 or later
Microsoft Windows Vista, or any version of Windows with Windows Search 3.01 or later
Any version of Microsoft Windows with Windows Search 4.0 or later
Microsoft Windows Vista, or any version of Windows with Windows Search 3.01 or later
Any version of Microsoft Windows with Windows Search 4.0 or later
Microsoft Windows XP, or Windows Server 2003 with Windows Search version 4.0 or later
Any version of Microsoft Windows with Windows Search 4.0
Any version of Microsoft Windows with Windows Search 4.0 or later
Microsoft Windows XP, Windows Server 2003 with Windows Search version 3.01, or any version of M
Microsoft Windows XP, Windows Server 2003 with Windows Search version 3.01, or any version of M
Microsoft Windows Vista, or any version of Windows with Windows Search 3.01 or later
Microsoft Windows Vista or later
Microsoft Windows Vista, or any version of Windows with Windows Search 3.01 or later
Microsoft Windows XP, Windows Server 2003 with Windows Search version 3.01, or any version of M
Microsoft Windows Vista, or any version of Windows with Windows Search 3.01 or later
Microsoft Windows XP, Windows Server 2003 with Windows Search version 3.01, or any version of M
Microsoft Windows Vista, or any version of Windows with Windows Search 3.01 or later
Microsoft Windows XP, Windows Server 2003 with Windows Search version 3.01, or any version of
Microsoft Windows XP, or Windows Server 2003 with Windows Search version 3.01 or later
Microsoft Windows XP, or Windows Server 2003 with Windows Search version 3.01 or later
Microsoft Windows 8.1 or later
Microsoft Windows 8.1 or later
Microsoft Windows XP, Windows Server 2003 with Windows Search version 3.01, or any version of M
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2008
At least Windows Server 2008
At least Windows Vista
At least Windows Vista
At least Windows 8.1 or Windows RT 8.1
At least Windows 8.1 or Windows RT 8.1
At least Windows 8.1 or Windows RT 8.1
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista Service Pack 1
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
KLM\Software\Policies\Microsoft\Windows\SettingSync!DisableAppSyncSettingSyncUserOverride
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
Windows Vista only
At least Windows Vista
At least Windows Vista
At least Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
At least Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
At least Windows Vista
Windows Vista only
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
Windows Vista only
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008 R2 and Windows 7
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Vista only
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT

Windows Server 2003 and Windows XP only


At least Windows Vista
At least Windows Vista
Windows Server 2003 and Windows XP only
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Vista
At least Windows Vista
Windows Server 2003 and Windows XP only
Windows Server 2003 and Windows XP only
At least Windows Vista
Windows Server 2003 and Windows XP only
Windows Server 2003 and Windows XP only
Windows Server 2003 only
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
Windows Installer v3.0
Windows Installer v3.0

At least Windows 2000


At least Windows 2000
Windows Installer v3.0
Windows Installer v3.0
Windows Installer v3.0
At least Windows 2000
Windows Installer v4.0
Microsoft Windows XP or Windows 2000 with Windows Installer v2.0
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
Windows Installer v4.0

At least Windows 2000


At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2003
Windows Media Player 9 Series and later.
Windows Media Player 9 Series and later.
Windows Media Player 9 Series and later.
Windows Media Player 11 for Windows XP or Windows Media Player 11 for Windows Vista or later.
Windows Media Player 9 Series and later.
Windows Media Player 9 Series and later.
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Microsoft Windows 7 or Windows Server 2008 family
At least Microsoft Windows 7 or Windows Server 2008 family
At least Microsoft Windows 7 or Windows Server 2008 family
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3
Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3
At least Windows Server 2003 operating systems or Windows XP Professional with SP1, excluding W
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows XP Professional Service Pack 1 or Windows 2000 Service Pack 3, excluding Window
Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3
Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2003, Windows XP SP2, Wind
Windows 7, Windows Server 2008 R2, Windows Vista, Windows XP SP2
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
Windows 7, Windows Server 2008 R2, Windows Vista, Windows XP SP2
At least Windows XP Professional Service Pack 1 or Windows 2000 Service Pack 3, excluding Window
Windows Server 2008, Windows 7, and Windows Vista
Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3
Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2003, Windows XP SP2, Wind
Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2003, Windows XP SP2, Wind
At least Windows XP Professional Service Pack 1 or Windows 2000 Service Pack 3, excluding Window
At least Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
At least Windows 8.1 or Windows RT 8.1
At least Windows Server 2008 R2 or Windows 7
Help Text
This policy setting controls whether the lock screen appears for users. If you enable this policy setting, users that are not requir
Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. By de
This setting allows you to force a specific default lock screen image by entering the path (location) of the image file. This setting
Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. If this se
Prevents users from changing the background image shown when the machine is locked. By default, users can change the back
Prevents users from changing the look of their start menu background, such as its color or accent. By default, users can change
Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By
Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By defaul
This policy setting controls whether the LPRemove task will run to clean up language packs installed on a machine but are not
This policy setting controls which UI language is used for computers with more than one UI language installed. If you enable th
This policy setting restricts the Windows UI language for all users. This is a policy setting for computers with more than one UI
This policy setting turns off the automatic learning component of handwriting recognition personalization. Automatic learning
This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account
This policy setting allows you to configure how often a Distributed File System (DFS) client attempts to discover domain contro
This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific
This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache componen
This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is e
This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is
This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to
This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the t
This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transf
This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers f
This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs
This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the t
This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can us
This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited
This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background tra
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transf
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transf
This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned
This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. Th
This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to mainta
This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer na
This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by se
This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client comp
This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy i
This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is ap
This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on clien
This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to
Specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the
Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. If you enable this policy setting
Specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those confi
Defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes
Specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. An un
Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update
Specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Un
Specifies that responses from link local name resolution protocols received over a network interface that is higher in the bindi
Specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. To use this policy setti
Specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. With devolution, a DNS
Specifies the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolu
Specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of
Specifies if DNS client computers will register PTR resource records. By default, DNS clients configured to perform dynamic DN
Specifies the interval used by DNS clients to refresh registration of A and PTR resource records. This policy setting only applies to comp
Specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. This policy
Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this p
Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on
Specifies that link local multicast name resolution (LLMNR) is disabled on client computers. LLMNR is a secondary name resoluti
Specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance
Specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over
Specifies the security level for dynamic DNS updates. To use this policy setting, click Enabled and then select one of the followi
Specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level d
This policy setting defines whether Wi-Fi hotspots are probed for Wireless Internet Service Provider roaming (WISPr) protocol
This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that
This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) h
This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to d
This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a compu
By default, when a Peer Group is created that allows for password-authentication (or the password for such a Group is change
This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety, and will cause all dependent applications to st
This policy setting limits a node to resolving, but not publishing, names in a specific Peer Name Resolution Protocol (PNRP) clo
This setting sets the seed server for the global cloud to a specified node in the enterprise. The Peer Name Resolution Protocol
This setting disables PNRP protocol from advertising the computer or from searching other computers on the local subnet in th
This policy setting enables or disables PNRP cloud creation. PNRP is a distributed name resolution protocol allowing Internet ho
This policy setting limits a node to resolving, but not publishing, names in a specific Peer Name Resolution Protocol (PNRP) clo
This setting sets the seed server for the link local cloud to a specified node in the enterprise. The Peer Name Resolution Protoc
This setting disables PNRP protocol from advertising the computer or from searching other computers on the local subnet in th
This policy setting enables or disables PNRP cloud creation. PNRP is a distributed name resolution protocol allowing Internet ho
This policy setting limits a node to resolving, but not publishing, names in a specific Peer Name Resolution Protocol (PNRP) clo
This setting sets the seed server for the site local cloud to a specified node in the enterprise. The Peer Name Resolution Protoc
This setting disables PNRP protocol from advertising the computer or from searching other computers on the local subnet in th
This policy setting enables or disables PNRP cloud creation. PNRP is a distributed name resolution protocol allowing Internet ho
Specifies whether or not the "local access only" network icon will be shown. When enabled, the icon for Internet access will be
Determines whether a user can install and configure the Network Bridge. Important: This setting is location aware. It only app
Prohibits use of Internet Connection Firewall on your DNS domain network. Determines whether users can enable the Internet
Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet con
This policy setting determines whether to require domain users to elevate when setting a network's location. If you enable this
This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whet
Allows unsolicited incoming messages from specified systems that authenticate using the IPsec transport. If you enable this po
Defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Utilities can use ICM
Allows inbound file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 44
Allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC)
Allows this computer to receive inbound Remote Desktop requests. To do this, Windows Firewall opens TCP port 3389. If you e
Allows this computer to receive unsolicited inbound Plug and Play messages sent by network devices, such as routers with bui
Allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. Windows
Allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. Wind
Allows Windows Firewall to record information about the unsolicited incoming messages that it receives. If you enable this pol
Allows you to view and change the inbound port exceptions list defined by Group Policy. Windows Firewall uses two port exce
Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two program exce
Specifies that Windows Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Windows Firew
Prevents Windows Firewall from displaying notifications to the user when a program requests that Windows Firewall add the
Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages. If you enable this po
Turns on Windows Firewall. If you enable this policy setting, Windows Firewall runs and ignores the "Computer Configuration\A
Defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Utilities can use ICM
Allows inbound file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 44
Allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC)
Allows this computer to receive inbound Remote Desktop requests. To do this, Windows Firewall opens TCP port 3389. If you e
Allows this computer to receive unsolicited inbound Plug and Play messages sent by network devices, such as routers with bui
Allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. Windows
Allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. Wind
Allows Windows Firewall to record information about the unsolicited incoming messages that it receives. If you enable this pol
Allows you to view and change the inbound port exceptions list defined by Group Policy. Windows Firewall uses two port exce
Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two program exce
Specifies that Windows Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Windows Firew
Prevents Windows Firewall from displaying notifications to the user when a program requests that Windows Firewall add the
Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages. If you enable this po
Turns on Windows Firewall. If you enable this policy setting, Windows Firewall runs and ignores the "Computer Configuration\A
This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolutio
This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful reso
This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachab
This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed.
This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current do
This policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network s
This setting does not apply to desktop apps. A semicolon-separated list of Internet proxy server IP addresses. These addresses
This setting does not apply to desktop apps. A semicolon-separated list of intranet proxy server IP addresses. These addresses
This setting does not apply to desktop apps. A comma-separated list of IP address ranges that are in your corporate network. If
This setting does not apply to desktop apps. Turns off Windows Network Isolation's automatic proxy discovery in the domain c
This setting does not apply to desktop apps. Turns off Windows Network Isolation's automatic discovery of private network ho
Determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files
This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the us
Deletes local copies of the user's offline files when the user logs off. This setting specifies that automatically and manually cach
This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any use
Configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below t
This policy setting controls the network latency and throughput thresholds that will cause client computers to transition files
Limits the percentage of the computer's disk space that can be used to store automatically cached offline files. This setting also
This policy setting enables administrators to block certain file types from being created in the folders that have been made ava
This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on
This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files
This policy setting determines whether offline files are encrypted. Offline files are locally cached copies of files from a network
Determines which events the Offline Files feature records in the event log. Offline Files records events in the Application log in
Lists types of files that cannot be used offline. This setting lets you exclude certain types of files from automatic and manual ca
Determines how long the first reminder balloon for a network status change is displayed. Reminder balloons appear when the
This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by autom
Determines how computers respond when they are disconnected from particular offline file servers. This setting overrides the
Disables the Offline Files folder. This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot u
Prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting removes the Offline Files tab
Determines how often reminder balloon updates appear. If you enable this setting, you can select how often reminder balloon
Determines how long updated reminder balloons are displayed. Reminder balloons appear when the user's connection to a ne
This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users
This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" com
This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offl
This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files an
Makes subfolders available offline whenever their parent folder is made available offline. This setting automatically extends th
Determines whether offline files are fully synchronized when users log off. This setting also disables the "Synchronize all offline
Determines whether offline files are fully synchronized when users log on. This setting also disables the "Synchronize all offline
Determines whether offline files are synchronized before a computer is suspended. If you enable this setting, offline files are syn
Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloons appear above the Offlin
This policy setting allows you to turn on economical application of administratively assigned Offline Files. If you enable or do no
Specifies the maximum number of outstanding packets permitted on the system. When the number of outstanding packets re
Determines the percentage of connection bandwidth that the system can reserve. This value limits the combined bandwidth r
Determines the smallest unit of time that the Packet Scheduler uses when scheduling packets for transmission. The Packet Sch
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (Ser
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service typ
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (S
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service typ
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (Se
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (Ser
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service typ
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (S
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service typ
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (Se
Specifies an alternate link layer (Layer-2) priority value for packets with the Best Effort service type (ServiceTypeBestEffort). Th
Specifies an alternate link layer (Layer-2) priority value for packets with the Controlled Load service type (ServiceTypeControlle
Specifies an alternate link layer (Layer-2) priority value for packets with the Guaranteed service type (ServiceTypeGuaranteed)
Specifies an alternate link layer (Layer-2) priority value for packets with the Network Control service type (ServiceTypeNetwor
Specifies an alternate link layer (Layer-2) priority value for packets that do not conform to the flow specification. The Packet Sc
Specifies an alternate link layer (Layer-2) priority value for packets with the Qualitative service type (ServiceTypeQualitative). T
This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service. S
This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP)
This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent. Simple Network Man
This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). If you enable this policy setting, SSL ciph
This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 ne
This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interv
This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology t
This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connec
This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router. If you
This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and
This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, th
This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Tere
This policy setting allows you to configure the Teredo refresh rate. Note: On a periodic basis (by default, every 30 seconds), Ter
This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client com
This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides u
This policy setting allows you to configure IP Stateless Autoconfiguration Limits. If you enable or do not configure this policy se
This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify con
This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enable
This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy setting, the wizards are t
This policy setting specifies that power management is disabled when the machine enters connected standby mode. If this
This policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Wind
This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at
This policy setting prevents clients from connecting to Mobile Broadband networks when the client is registered on a roaming
This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine. If this policy setting is enabled
This policy setting configures the cost of 3G connections on the local machine. If this policy setting is enabled, a drop-down list
This policy setting configures the cost of 4G connections on the local machine. If this policy setting is enabled, a drop-down
Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Interne
If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display
This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an u
This policy controls whether the print spooler will accept client connections. When the policy is unconfigured or enabled, the s
Determines whether the computer's shared printers can be published in Active Directory. If you enable this setting or do
Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer.
Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer ins
When printing through a print server, determines whether the print spooler on the client will process print jobs itself, or pass
Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory. If y
Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 8.1, Windows RT 8.1 and W
Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setti
If this policy setting is enabled, it specifies the default location criteria used when searching for printers. This setting is a c
By default, the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also inc
Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operationa
Sets the priority of the pruning thread. The pruning thread, which runs only on domain controllers, deletes printer objec
Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before prunin
Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have ac
This policy determines if v4 printer drivers are allowed to run printer extensions. V4 printer drivers may include an optiona
This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When pri
This policy setting allows you to manage where client computers search for Point and Print drivers. If you enable this policy s
Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolati
Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer befor
This policy restricts client computers to use package point and print only. If this setting is enabled, users will only be able to po
This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print d
Restricts package point and print to approved servers. This policy setting restricts package point and print connections to appro
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. T
Enables the physical Location Tracking setting for Windows printers. Use Location Tracking to design a location scheme for you
Announces the presence of shared printers to print browse master servers for the domain. On domains with Active Directory, s
Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished
For more information about LocalAccountTokenFilterPolicy, see http://support.microsoft.com/kb/951016.
Enable auditing of Lsass.exe to evaluate feasibility of enabling LSA protection. For more information, see http://technet.micro
Enable LSA protection. For more information, see http://technet.microsoft.com/en-us/library/dn408187.aspx

This policy setting allows you to manage whether backups of only system volumes are allowed or both OS and data volumes can
This policy setting allows you to manage whether backups of a machine can run to locally attached storage or not. If you enabl
This policy setting allows you to manage whether backups of a machine can run to a network share or not. If you enable this po
This policy setting allows you to manage whether backups of a machine can run to an optical media or not. If you enable this p
This policy setting allows you to manage whether run-once backups of a machine can be run or not. If you enable this policy se
This policy setting allows pinning apps to Start by default, when they are included by AppID on the list.
Specifies the Start screen layout for users. This setting lets you specify the Start screen layout for users and prevents them from
This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. The system state data file
Specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on
This policy setting directs the system to display highly detailed status messages. This policy setting is designed for advanced use
The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions t
This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. If you enable this policy s
This policy setting allows you to turn off the automatic display of the Manage Your Server page. If you enable this policy settin
This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. Th
This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that
This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a sche
This policy setting suppresses system status messages. If you enable this setting, the system does not display a message remind
This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specifi
This policy setting allows you to restrict programs from being run from online Help. If you enable this policy setting, yo
This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabl
Specifies an alternate location for Windows installation files. If you enable this policy setting, enter the fully qualified path to th
Specifies an alternate location for Windows Service Pack installation files. If you enable this policy setting, enter the fully qualifi
This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Pr
This policy setting specifies the message that users see when they are denied access to a file or folder. You can customize the
This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types
This policy setting determines what information is logged in security audit events when a new process has been created. This s
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This polic
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This polic
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This polic
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This polic
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This polic
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This polic
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you ena
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you ena
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). If you ena
When running in restricted mode, participating apps do not expose credentials to remote computers (regardless of the delega
This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting, r
This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. If y
Windows has a feature that sends "generic-driver-installed" reports through the Windows Error Reporting infrastructure. This
This policy setting allows you to prevent Windows from creating a system restore point during device activity that would norm
This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. If you enable this p
Windows has a feature that allows a device driver to request additional software through the Windows Error Reporting infrast
This policy setting allows you to determine how drivers signed by a Microsoft Windows Publisher certificate are ranked with d
This policy setting allows you to specify the order in which Windows searches source locations for device drivers. If you enable
This policy setting allows you to specify the search server that Windows uses to find updates for device drivers. If you enable th
This policy setting allows you to turn off "Found New Hardware" balloons during device installation. If you enable this policy se
This policy setting allows you to determine whether members of the Administrators group can install and update the drivers fo
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allo
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Wi
This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a p
This policy setting allows you to display a custom message to users in a notification when a device installation is attempted an
This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy settin
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is pre
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Wi
This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when t
This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change
This policy setting prevents redirection of specific USB devices. If you enable this setting, an alternate driver for the USB device
This policy setting prevents redirection of USB devices. If you enable this setting, an alternate driver for USB devices cannot be
This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system. If you enable this policy
This policy setting turns off power save mode on the hybrid hard disks in the system. If you enable this policy setting, the hard
This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system. To check if you ha
This policy setting turns off the solid state mode for the hybrid hard disks. If you enable this policy setting, frequently written fi
This policy setting extends the disk quota policies in this folder to NTFS file system volumes on removable media. If you disable
This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer, and prevents users fro
This policy setting determines whether disk quota limits are enforced and prevents users from changing the setting. If you enab
This policy setting determines whether the system records an event in the local Application log when users reach their disk qu
This policy setting determines whether the system records an event in the Application log when users reach their disk quota w
This policy setting specifies the default disk quota limit and warning level for new users of the volume. This policy setting deter
Allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" li
Allows you to view and change a list of DCOM server application ids (appids) which are exempted from the DCOM Activation s
This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the
Specifies whether the administrator will be prompted about going to Windows Update to search for device drivers using the In
This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early
This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing on
This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable o
This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engine
This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. If you e
This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. If you enable this
This policy setting configures whether or not Windows will activate an Enhanced Storage device. If you enable this policy settin
This policy setting locks Enhanced Storage devices when the computer is locked. This policy setting is supported in Windows Se
This policy setting controls whether the Classification tab is displayed in the Properties dialog box in File Explorer. The Classifica
This policy setting controls which set of properties is available for classifying files on affected computers. Administrators can de
Determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Share
Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operati
Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable
Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and cre
Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creati
TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Please enable it if you want to use
Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing over
These settings provide control over whether or not short names are generated during file creation. Some applications require
This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to im
This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Progra
This policy setting allows Microsoft Windows to process user Group Policy settings asynchronously when logging on through R
This policy setting allows user-based policy processing, roaming user profiles, and user object logon scripts for interactive logo
This policy setting lets you always use local ADM files for the Group Policy snap-in. By default, when you edit a Group Policy Ob
This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (t
This policy setting allows you to configure when preference items in the Applications preference extension are updated. If you
This policy setting allows you to configure when preference items in the Data Sources preference extension are updated. If you
This policy setting allows you to configure when preference items in the Devices preference extension are updated. If you enab
This policy setting allows an administrator to define the Direct Access connection to be considered a fast network connection
This policy setting determines when disk quota policies are updated. This policy setting affects all policies that use the disk quo
This policy setting allows you to configure when preference items in the Drive Maps preference extension are updated. If you e
This policy setting determines when encryption policies are updated. This policy setting affects all policies that use the encrypti
This policy setting allows you to configure when preference items in the Environment preference extension are updated. If you
This policy setting allows you to configure when preference items in the Files preference extension are updated. If you enable
This policy setting allows you to configure when preference items in the Folder Options preference extension are updated. If yo
This policy setting determines when folder redirection policies are updated. This policy setting affects all policies that use the fo
This policy setting allows you to configure when preference items in the Folders preference extension are updated. If you enab
This policy setting allows you to configure Group Policy caching behavior. If you enable or do not configure this policy
This policy setting defines a slow connection for purposes of applying and updating Group Policy. If the rate at which data is tra
This policy setting allows you to configure when preference items in the Ini Files preference extension are updated. If you enab
This policy setting determines when Internet Explorer Maintenance policies are updated. This policy setting affects all policies t
This policy setting allows you to configure when preference items in the Internet Settings preference extension are updated. If
This policy setting determines when IP security policies are updated. This policy setting affects all policies that use the IP securi
This policy setting allows you to configure when preference items in the Local Users and Groups preference extension are upd
Enter "0" to disable Logon Script Delay. This policy setting allows you to configure how long the Group Policy clie
This policy setting allows you to configure when preference items in the Network Options preference extension are updated. If
This policy setting allows you to configure when preference items in the Network Shares preference extension are updated. If y
This policy setting allows you to configure when preference items in the Power Options preference extension are updated. If yo
This policy setting allows you to configure when preference items in the Printers preference extension are updated. If you enab
This policy setting allows you to configure when preference items in the Regional Options preference extension are updated. If
This policy setting determines when registry policies are updated. This policy setting affects all policies in the Administrative Te
This policy setting allows you to configure when preference items in the Registry preference extension are updated. If you ena
This policy setting allows you to configure when preference items in the Scheduled Tasks preference extension are updated. If
This policy setting determines when policies that assign shared scripts are updated. This policy setting affects all policies that u
This policy setting determines when security policies are updated. This policy setting affects all policies that use the security co
This policy setting allows you to configure when preference items in the Services preference extension are updated. If you ena
This policy setting allows you to configure when preference items in the Shortcuts preference extension are updated. If you en
This policy setting determines when software installation policies are updated. This policy setting affects all policy settings that
This policy setting allows you to configure when preference items in the Start Menu preference extension are updated. If you e
This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a co
This policy setting determines when policies that assign wired network settings are updated. This policy setting affects all polici
This policy setting determines when policies that assign wireless network settings are updated. This policy setting affects all po
This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. By default, interactively logged
Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being use
This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. If you enable this p
This policy setting allows you to control a user's ability to invoke a computer policy refresh. If you enable this policy setting, use
This policy setting specifies how often Group Policy for computers is updated while the computer is in use (in the background)
This policy setting specifies how often Group Policy is updated on domain controllers while they are running (in the backgroun
This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy proce
This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy pr
This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group
This policy setting prevents the Group Policy Client Service from stopping when idle.
This policy setting prevents Local Group Policy Objects (Local GPOs) from being applied. By default, the policy settings in Local G
This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer. RSoP logs information o
This policy setting allows you to configure the level of detail recorded by event logging for the Applications preference extensi
This policy setting allows you to configure the level of detail recorded by event logging for the Data Sources preference extens
This policy setting allows you to configure the level of detail recorded by event logging for the Devices preference extension, a
This policy setting allows you to configure the level of detail recorded by event logging for the Drive Maps preference extensio
This policy setting allows you to configure the level of detail recorded by event logging for the Environment preference extens
This policy setting allows you to configure the level of detail recorded by event logging for the Files preference extension, and
This policy setting allows you to configure the level of detail recorded by event logging for the Folder Options preference exten
This policy setting allows you to configure the level of detail recorded by event logging for the Folders preference extension, a
This policy setting allows you to configure the level of detail recorded by event logging for the Ini Files preference extension, a
This policy setting allows you to configure the level of detail recorded by event logging for the Internet preference extension, a
This policy setting allows you to configure the level of detail recorded by event logging for the Local User and Local Group pref
This policy setting allows you to configure the level of detail recorded by event logging for the Network Options preference ex
This policy setting allows you to configure the level of detail recorded by event logging for the Network Shares preference exte
This policy setting allows you to configure the level of detail recorded by event logging for the Power Options preference exten
This policy setting allows you to configure the level of detail recorded by event logging for the Printers preference extension, a
This policy setting allows you to configure the level of detail recorded by event logging for the Regional Options preference ex
This policy setting allows you to configure the level of detail recorded by event logging for the Registry preference extension, a
This policy setting allows you to configure the level of detail recorded by event logging for the Scheduled Tasks preference ext
This policy setting allows you to configure the level of detail recorded by event logging for the Services preference extension, a
This policy setting allows you to configure the level of detail recorded by event logging for the Shortcuts preference extension
This policy setting allows you to configure the level of detail recorded by event logging for the Start Menu preference extensio
This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. If yo
This policy setting allows you to remove access to Windows Update. If you enable this policy setting, all Windows Update featu
This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file typ
This policy setting specifies whether to automatically update root certificates using the Windows Update website. Typically, a
This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing,
This policy setting specifies whether "Events.asp" hyperlinks are available for events within the Event Viewer application. The E
Turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool
Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to re
This policy setting specifies whether to show the "Did you know?" section of Help and Support Center. This content is dynamic
This policy setting specifies whether users can perform a Microsoft Knowledge Base search from the Help and Support Center.
This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Se
This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering w
This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandl
This policy setting specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to p
This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. If you
This policy setting specifies whether Search Companion should automatically download content updates during local and Inter
This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Orde
This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the
This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger so
This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Im
This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information abou
This policy setting turns off the active tests performed by the Windows Network Connectivity Status Indicator (NCSI) to determ
This policy setting specifies whether Windows searches Windows Update for device drivers when no local drivers for a device
If enabled then only those sessions that are established via a persistent login will be established and no new persistent logins
If enabled then do not allow the initiator IQN name to be changed. If disabled then the initiator IQN name may be changed.
If enabled then do not allow the initiator CHAP secret to be changed. If disabled then the initiator CHAP secret may be change
If enabled then only those connections that are configured for IPSec may be established. If disabled then connections that are
If enabled then only those sessions that are configured for mutual CHAP may be established. If disabled then sessions that are
If enabled then only those sessions that are configured for one-way CHAP may be established. If disabled then sessions that ar
If enabled then new targets may not be manually configured by entering the target name and target portal; already discovere
If enabled then discovered targets may not be manually configured. If disabled then discovered targets may be manually confi
If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS serv
If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals
This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Ac
This policy setting controls whether the domain controller provides information about previous logons to client computers. If y
This policy setting allows you to configure a domain controller to request compound authentication. Note: For a domain contro
This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolv
This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos a
This policy setting controls whether a device always sends a compound authentication request when the resource domain req
This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm. If you
This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined
This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server. If you enable
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate
This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context tok
This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names
This policy setting controls configuring the device's Active Directory account for compound authentication. Support for providi
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part ser
This policy setting prevents users from changing their user geographical location (GeoID). If you enable this policy setting, users
This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is
This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to th
This policy setting prevents the user from customizing their locale by changing their user overrides. Any existing overrides in pl
This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its
This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales t
This policy setting allows you to control whether or not the user may alter the time before a password is required when a devi
This policy setting forces the user to log on to the computer using the classic logon screen. By default, a workgroup is set to us
This policy setting ignores Windows Logon Background. This policy setting may be used to make Windows give preference to a
This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the netwo
This policy setting specifies a default logon domain, which might be a different domain than the domain to which the compute
This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. If you en
This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. If you
This policy setting prevents connected users from being enumerated on domain-joined computers. If you enable this policy se
This policy setting ignores the customized run list. You can create a customized list of additional programs and documents that
This policy setting ignores customized run-once lists. You can create a customized list of additional programs and documents th
This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon U
This policy setting allows the administrator to exclude the specified credential providers from use during authentication. Note:
This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you en
This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the s
This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the fi
This policy setting allows you to prevent app notifications from appearing on the lock screen. If you enable this policy setting, n
This policy setting allows you to control whether a domain user can sign in using a picture password. If you enable this policy se
This policy setting turns off the Windows Startup sound and prevents its customization in the Sound item of Control Panel. The
This policy setting allows you to control whether a domain user can sign in using a PIN. If you enable this policy setting, a doma
This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in
This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with th
This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) sh
This policy setting determines the interval at which Netlogon performs the following scavenging operations: - Checks if a passw
This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) sho
This policy setting specifies the additional time for the computer to wait for the domain controller's (DC) response when lo
This policy setting specifies the level of debug output for the Net Logon service. The Net Logon service outputs debug informati
This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when loggi
This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could no
This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs th
This policy setting specifies the Active Directory site to which computers belong. An Active Directory site is one or more well-co
This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain c
This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform perio
This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domai
This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs th
This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate
This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). Note:
This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm pr
This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator. The Domain Controller Lo
This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP
This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this se
This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Log
This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which th
This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not m
This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. If you enable this pol
This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. T
This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied
This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should
This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resour
This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resourc
This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same th
This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records fo
This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of single-labl
This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-lab
This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan
This policy setting specifies the active power plan from a specified power plan's GUID. The GUID for a custom power plan G
This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. Possible actions include: -
This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. Possible actions include: -
This policy setting specifies the action that Windows takes when a user presses the power button. Possible actions include: -Tak
This policy setting specifies the action that Windows takes when a user presses the power button. Possible actions include: -Tak
This policy setting specifies the action that Windows takes when a user presses the sleep button. Possible actions include: -Take
This policy setting specifies the action that Windows takes when a user presses the sleep button. Possible actions include: -Take
This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. If you enable thi
This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. If you enable thi
This policy setting specifies the period of inactivity before Windows turns off the hard disk. If you enable this policy setting, you
This policy setting specifies the period of inactivity before Windows turns off the hard disk. If you enable this policy setting, you
This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level.
This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action. If
This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level. If y
This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action. If you
This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode. If you enable t
This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level.
This policy setting allows applications and services to prevent automatic sleep. If you enable this policy setting, any application
This policy setting allows applications and services to prevent automatic sleep. If you enable this policy setting, any application
This policy setting allows you to manage automatic sleep with open network files. If you enable this policy setting, the compute
This policy setting allows you to manage automatic sleep with open network files. If you enable this policy setting, the compute
This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep st
This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep st
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. If you e
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. If you e
This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. If you ena
This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. If you ena
This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. If you enable t
This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. If you enable t
This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user
This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user
This policy setting allows you to turn off hybrid sleep. If you enable this policy setting, a hiberfile is not generated when the sys
This policy setting allows you to turn off hybrid sleep. If you enable this policy setting, a hiberfile is not generated when the sys
This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. If you ena
This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. If you ena
This policy setting allows you to specify the period of inactivity before Windows automatically reduces brightness of the displa
This policy setting allows you to specify the period of inactivity before Windows automatically reduces brightness of the displa
This policy setting allows you to specify the brightness of the display when Windows automatically reduces brightness of the d
This policy setting allows you to specify the brightness of the display when Windows automatically reduces brightness of the d
This policy setting allows you to manage how long a computer must be inactive before Windows turns off the computer's d
This policy setting allows you to manage how long a computer must be inactive before Windows turns off the computer's d
This policy setting allows you to specify the period of inactivity before Windows turns off the display. If you enable this policy s
This policy setting allows you to specify the period of inactivity before Windows turns off the display. If you enable this policy s
This policy setting allows you to specify if Windows should enable the desktop background slideshow. If you enable this policy
This policy setting allows you to specify if Windows should enable the desktop background slideshow. If you enable this policy
Requirements: Windows 7 Description: This policy setting controls whether users can access the options in Recovery (in Con
This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers ru
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this p
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this po
This policy setting lets you customize warning messages. The "Display warning message before sharing control" policy setting a
This policy setting allows you to improve performance in low bandwidth scenarios. This setting is incrementally scaled from "N
This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assis
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making
This policy setting controls whether the RPC Runtime ignores delegation failures when delegation is requested. The constraine
This policy setting determines whether the RPC Runtime maintains RPC state information for the system, and how much inform
This policy setting controls whether the RPC runtime generates extended error information when an error occurs. Extended er
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This po
This policy setting controls the idle connection timeout for RPC/HTTP connections. This policy setting is useful in cases where
Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage p
This policy setting grants normal users direct access to removable storage devices in remote sessions. If you enable this policy
This policy setting denies execute access to the CD and DVD removable storage class. If you enable this policy setting, execute a
This policy setting denies read access to the CD and DVD removable storage class. If you enable this policy setting, read access
This policy setting denies write access to the CD and DVD removable storage class. If you enable this policy setting, write acces
This policy setting denies read access to custom removable storage classes. If you enable this policy setting, read access is deni
This policy setting denies write access to custom removable storage classes. If you enable this policy setting, write access is den
This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enab
This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable t
This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable
This policy setting denies execute access to removable disks. If you enable this policy setting, execute access is denied to this re
This policy setting denies read access to removable disks. If you enable this policy setting, read access is denied to this removab
This policy setting denies write access to removable disks. If you enable this policy setting, write access is denied to this remova
This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a c
This policy setting denies execute access to the Tape Drive removable storage class. If you enable this policy setting, execute ac
This policy setting denies read access to the Tape Drive removable storage class. If you enable this policy setting, read access is
This policy setting denies write access to the Tape Drive removable storage class. If you enable this policy setting, write access
This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays,
This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays
This policy setting allows user logon scripts to run when the logon is cross-forest, DNS suffixes are not configured, and NetBIOS o
This policy setting displays the instructions in shutdown scripts as they run. Shutdown scripts are batch files of instructions tha
This policy setting displays the instructions in startup scripts as they run. Startup scripts are batch files of instructions that run b
This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface progr
This policy setting lets the system run startup scripts simultaneously. Startup scripts are batch files that run before the user is i
This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during co
This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during us
This policy setting determines how long the system waits for scripts applied by Group Policy to run. This setting limits the total
This policy setting allows you to set the refresh interval for Server Manager. Each refresh provides Server Manager with updat
This policy setting allows you to turn off the automatic display of the Initial Configuration Tasks window at logon on Windows
This policy setting allows you to turn off the automatic display of Server Manager at logon. If you enable this policy setting, Ser
This policy setting controls the use of fast startup. If you enable this policy setting, the system requires hibernate to be enable
This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level win
Allows you to disable System Restore configuration through System Protection. This policy setting allows you to turn off System
Allows you to disable System Restore. This policy setting allows you to turn off System Restore. System Restore enables users, i
This policy setting determines the execution level for Diagnostic Policy Service (DPS) scenarios. If you enable this policy setting,
This policy setting determines the data retention limit for Diagnostic Policy Service (DPS) scenario data. If you enable this policy
This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Com
This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Com
This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Com
This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Com
This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Com
This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compa
This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Com
This policy setting allows you to configure the recovery behavior for corrupted files to one of three states: Regular: Detection, t
This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T
This policy setting determines the execution level for S.M.A.R.T.-based disk diagnostics. Self-Monitoring And Reporting Techno
This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolving any heap corruption pr
This policy setting determines the execution level for Microsoft Support Diagnostic Tool. Microsoft Support Diagnostic Tool (MS
This policy setting restricts the tool download policy for Microsoft Support Diagnostic Tool. Microsoft Support Diagnostic Tool (
This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider.
This policy setting allows you to configure the recovery behavior for corrupted MSI files to one of three states: Prompt for Reso
Determines whether scheduled diagnostics will run to proactively detect and resolve system problems. If you enable this policy
This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publ
This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control P
This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted
Determines the execution level for Windows Boot Performance Diagnostics. If you enable this policy setting, you must select a
This policy setting determines whether Diagnostic Policy Service (DPS) diagnoses memory leak problems. If you enable or do no
This policy setting specifies whether to enable or disable tracking of responsiveness events. If you enable this policy setting, res
Determines the execution level for Windows Resource Exhaustion Detection and Resolution. If you enable this policy setting, y
Determines the execution level for Windows Shutdown Performance Diagnostics. If you enable this policy setting, you must se
Determines the execution level for Windows Standby/Resume Performance Diagnostics. If you enable this policy setting, you m
Determines the execution level for Windows System Responsiveness Diagnostics. If you enable this policy setting, you must sel
This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local com
This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windo
This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) comm
This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) comman
This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted
This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted
This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted P
This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of Trusted Platform Module (TP
This policy setting adds the Administrator security group to the roaming user profile share. Once an administrator has configur
This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network spee
This policy setting determines whether Windows keeps a copy of a user's roaming profile on the local computer's hard drive w
This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used with
This policy setting disables the detection of slow network connections. Slow link detection measures the speed of the connecti
This policy setting disables the more secure default setting for the user's roaming user profile folder. After an administrator has
This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to
This policy setting will automatically log off a user when Windows cannot load their profile. If Windows cannot access the user
This policy setting controls on a per-computer basis whether roaming profiles are downloaded on a user's primary computers
This policy setting controls how long Windows waits for a user response before it uses a default user profile for roaming user p
This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based softwar
This policy setting determines how many times the system tries to unload and update the registry portion of a user profile. Wh
This setting determines if roaming user profiles are available on a particular computer. By default, when roaming profile users
This policy setting determines if the changes a user makes to their roaming profile are merged with the server copy of their pr
This policy setting provides users with the ability to download their roaming profile, even when a slow network connection wit
This policy setting controls how long Windows waits for a response from the network before logging on a user without a remo
This policy setting specifies whether Windows should use the specified network path as the roaming user profile path for all us
This policy setting sets the schedule for background uploading of a roaming user profile's registry file (ntuser.dat). This policy s
This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon sessio
This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. If you enable this
This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain info
This policy setting directs the system to wait for the remote copy of the roaming user profile to load, even when loading is slow
This policy setting hides the file scan progress window. This window provides status information to sophisticated users, but it m
This policy setting specifies the maximum amount of disk space that can be used for the Windows File Protection file cache. W
This policy setting allows you to set when Windows File Protection scans protected files. This policy setting directs Windows Fi
This policy setting specifies an alternate location for the Windows File Protection cache. If you enable this policy setting, enter
This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for doma
This policy setting specifies a set of parameters for controlling the Windows NTP Client. If you enable this policy setting, you ca
This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your comput
This policy setting allows you to specify whether the Windows NTP Server is enabled. If you enable this policy setting for the W
This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX con
This policy setting controls the installation of ActiveX controls for sites in Trusted zone. If you enable this policy setting, ActiveX
By default, Add features to Windows 8.1 is available for all administrators. If you enable this policy setting, the wizard will not
This policy setting allows you to manage the installation of trusted line-of-business (LOB) Windows Store apps. If you enable th
This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special pro
Allows or denies development of Windows Store applications without installing a developer license. If you enable this setti
This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to
This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Be
This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI schem
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of
Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running on this computer. This setting affects the launc
This policy controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on t
This policy controls the state of the application compatibility engine in the system. The engine is part of the loader and looks th
The policy controls the state of the Application Telemetry engine in the system. Application Telemetry is a mechanism that trac
This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications, files, devic
This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the
This policy setting controls the state of Steps Recorder. Steps Recorder keeps a record of steps taken by the user. The data gen
The policy controls the state of the Switchback compatibility engine in the system. Switchback is a mechanism that provides ge
This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting, AutoPlay i
This policy setting allows you to prevent AutoPlay from remembering user's choice of what to do when a device is connected.
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.i
This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert
This policy setting determines whether users with a domain account can log on or elevate User Account Control (UAC) permiss
This policy setting allows or prevents the Windows Biometric Service to run on this computer. If you enable or do not confi
This policy setting determines whether users can log on or elevate User Account Control (UAC) permissions using biometrics.
This policy setting specifies the number of seconds a pending fast user switch event will remain active before the switch is initi
This policy setting allows you to specify the default path that is displayed when the BitLocker Drive Encryption setup wizard pr
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy se
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy se
This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard can display and specify BitLocker
This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied
This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These
This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of BitLocker Drive Encryption re
This policy setting allows you to associate an object identifier from a smart card certificate to a BitLocker-protected drive. This
This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed
This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the require
This policy setting allows you to manage BitLocker's use of hardware-based encryption on fixed data drives and specify wh
This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to p
This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protecte
This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. Thi
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied
This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. Enhanced startup PIN
This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (
This policy setting allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker
This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the
This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setti
This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the
This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the
This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the
This policy setting allows you to manage BitLocker's use of hardware-based encryption on operating system drives and spe
This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-T
This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provid
This policy setting allows users to turn on authentication options that require user input from the pre-boot environment, even
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied
This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts
This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard will be able to set up an addition
This policy setting allows you to control whether or not platform validation data is refreshed when Windows is started followin
This policy setting allows you to choose specific Boot Configuration Data (BCD) settings to verify during platform validation. If y
This policy setting configures whether or not removable data drives formatted with the FAT file system can be unlocked and vi
This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the re
This policy setting allows you to manage BitLocker's use of hardware-based encryption on removable data drives and speci
This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choos
This policy setting allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected re
This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLo
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied
This policy setting allows you to configure the display of the password reveal button in password entry user experiences. If you
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running applicatio
This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or
This policy setting allows you to restrict the installation of unsigned gadgets. Desktop gadgets can be deployed as compressed
This policy setting allows you to turn off desktop gadgets. Gadgets are small applets that display information or utilities on the
This policy setting allows you to turn off desktop gadgets that have been installed by the user. If you enable this setting, Windo
This policy setting allows you to configure the accessibility of the Flip 3D feature. Flip 3D allows the user to view items on the W
This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maxim
This policy setting controls the Start background visuals. If you enable this policy setting, the Start background will use a solid c
This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent user
This policy setting controls the default color for window frames when the user does not specify a color. If you enable this polic
Changes behavior of Microsoft bus drivers to work with specific devices.
Changes behavior of 3rd-party drivers to work around incompatibilities introduced between OS versions.
Specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplac
Disables help tips that Windows shows to the user. By default, Windows will show the user help tips until the user has successf
Custom EMET configuration for applications
Configure default action after detection and advanced ROP mitigation settings
Apply recommended EMET protections to Internet Explorer
Apply suggested EMET protections to other popular software
Apply recommended EMET protections to WordPad, Microsoft Office, Adobe Acrobat, Adobe Acrobat Reader, and Oracle Java
Configure a custom Tray Icon Message for EMET Agent to notify users
Configure EMET Agent visibility at startup
Configure reporting (Windows Event Log, Tray Icon, Early Warning)
System-wide Address Space Layout Randomization setting
System-wide Data Execution Prevention setting
System-wide Structured Exception Handler Overwrite Protection setting
This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. Use the following syntax when using the HTTPS protocol: Server=https://<FQDN of the collector>:5986/wsman/SubscriptionManager/WEC,Refresh=<Refresh interval in seconds>,IssuerCA=<Thumb print of the client authentication certificate>. When using the HTTP protocol, use port 5985. If you disable or do not configure this policy setting, the Event Collector computer will not be specified.
This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments. If you disable or do not configure this policy setting, forwarder resource usage is not specified. This setting applies across all subscriptions for the forwarder (source computer).
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain o
This policy setting specifies to use the security descriptor for the log using the Security Descriptor Definition Language (SDDL) s
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and
This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and sh
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain o
This policy setting specifies to use the security descriptor for the log using the Security Descriptor Definition Language (SDDL) s
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and
This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and sh
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain o
This policy setting specifies to use the security descriptor for the log using the Security Descriptor Definition Language (SDDL) s
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and
This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and sh
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the
This policy setting turns on logging. If you enable or do not configure this policy setting, then events can be written to this log. I
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain o
This policy setting specifies to use the security descriptor for the log using the Security Descriptor Definition Language (SDDL) s
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and
This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and sh
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the
This is the program that will be invoked when the user clicks the events.asp link.
This specifies the command line parameters that will be passed to the events.asp program
This is the URL that will be passed to the Description area in the Event Properties dialog box. Change this value if you want to u
This policy setting allows you to configure the Family Safety feature. If you enable this policy setting, the Family Safety control
This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons. If you enable this policy setti
This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer b
Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorag
This policy removes the end-user notification for new application associations. These associations are based on file types (e.g.
This policy setting allows you to specify a location where all default Library definition files for users/machines reside. If you ena
This policy specifies the path to a file (e.g. either stored locally or on a network location) that contains file type and protocol d
Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by
Shows or hides hibernate from the power options menu. If you enable this policy setting, the hibernate option will be shown i
Shows or hides lock from the user tile menu. If you enable this policy setting, the lock option will be shown in the User Tile me
Shows or hides sleep from the power options menu. If you enable this policy setting, the sleep option will be shown in the Pow
This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are o
Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.
Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explore
This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical orde
This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full fun
This policy setting allows you to prevent data loss when you change the target location for Folder Redirection, and the new an
This policy setting lets you hide the list of previous versions of files that are on local disks. The previous versions could come fr
This policy setting lets you hide the list of previous versions of files that are on file shares. The previous versions come from th
This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backu
This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a p
This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a p
This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous
This policy setting allows you to turn off File History. If you enable this policy setting, File History cannot be activated to create
Manages download of game box art and ratings from the Windows Metadata Services. If you enable this setting, game informa
Manages download of game update information from Windows Metadata Services. If you enable this setting, game update inf
Tracks the last play time of games in the Games folder. If you enable this setting the last played time of games will not be recor
This policy setting specifies whether users can add computers to a homegroup. By default, users can add their computer to a h
This policy setting prevents installation of Internet Information Services (IIS) on this computer. If you enable this policy setting
This policy setting turns off the location feature for this computer. If you enable this policy setting, the location feature is t
This policy setting turns off scripting for the location feature. If you enable this policy setting, scripts for the location featur
This policy setting turns off the sensor feature for this computer. If you enable this policy setting, the sensor feature is turn
This policy setting turns off the Windows Location Provider feature for this computer. If you enable this policy setting, the
This policy setting allows you to configure Automatic Maintenance activation boundary. The maintenance activation boun
This policy setting allows you to configure Automatic Maintenance activation random delay. The maintenance random de
This policy setting allows you to configure Automatic Maintenance wake up policy. The maintenance wakeup policy speci
Disables the remote desktop sharing feature of NetMeeting. Users will not be able to set it up or use it for controlling their co
This policy setting allows the Network Access Protection (NAP) client to support the Windows XP version of the 802.1x Enforce
This policy setting allows you to select the TCP port that the Network Projector uses to send packets. If you enable this policy s
This policy setting disables the Connect to a Network Projector wizard so that users cannot connect to a network projector. If
This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help view
This policy setting allows a Password Synchronization administrator to configure the interval, in seconds, between synchroniza
This policy setting allows an administrator to set the number of password synchronization retries that Password Synchronizati
This policy setting allows an administrator to turn on extensive logging for Password Synchronization. If you enable this policy s
This policy setting allows an administrator to turn on the Windows to Network Information Service (NIS) password synchroniza
Specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. If you enab
Specifies whether the PC can use standby sleep states (S1-S3) when starting from a Windows To Go workspace. If you enable t
This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace
This policy setting turns off Windows presentation settings. If you enable this policy setting, Windows presentation settings can
This policy setting allows you to specify the RD Session Host servers to which a Remote Desktop license server will offer Remo
This policy setting allows you to specify which version of Remote Desktop Services client access license (RDS CAL) a Remote De
This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files fro
This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signe
This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the
Controls whether passwords can be saved on this computer from Remote Desktop Connection. If you enable this setting the pa
This policy setting determines whether a user will be prompted on the client computer to provide credentials for a remote con
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted
This policy setting specifies whether the UDP protocol will be used to access servers via Remote Desktop Protocol. If you enab
This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redire
This policy setting specifies whether a session uses the IP address of the Remote Desktop Session Host server if a virtual IP add
This policy setting specifies the IP address and network mask that corresponds to the network adapter used for virtual IP addr
This policy setting specifies whether Windows Installer RDS Compatibility runs on a per user basis for fully installed application
This policy setting specifies whether Remote Desktop IP Virtualization is turned on. By default, Remote Desktop IP Virtualizatio
This policy setting specifies whether a session uses the IP address of the Remote Desktop Session Host server if a virtual IP add
This policy setting allows you to configure remote access to computers by using Remote Desktop Services. If you enable this po
Specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host s
This policy setting allows you to enter a keep-alive interval to ensure that the session state on the RD Session Host server is co
This policy setting determines whether an administrator attempting to connect remotely to the console of a server can log off
Specifies whether Remote Desktop Services limits the number of simultaneous connections to the server. You can use this setti
This policy setting allows you to restrict users to a single Remote Desktop Services session. If you enable this policy setting, use
This policy setting allows you to specify how the Remote Desktop Protocol will try to detect the network quality (bandwidth an
This policy setting allows you to specify which protocols can be used for Remote Desktop Protocol (RDP) access to this server. I
If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option
This policy setting allows you to specify whether the app registration is completed before showing the Start screen to the user
Fair Share CPU Scheduling dynamically distributes processor time across all Remote Desktop Services sessions on the same RD
This policy setting allows you to specify whether users can redirect the remote computer's audio and video output in a Remot
This policy setting allows you to specify whether users can record audio to the remote computer in a Remote Desktop Services
This policy setting determines whether the client computer redirects its time zone settings to the Remote Desktop Services ses
This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote co
This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Rem
This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redire
This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services se
This policy setting allows you to control the redirection of smart card devices in a Remote Desktop Services session. If you enab
This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices
This policy setting allows you to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of
This policy setting determines whether notifications are displayed on an RD Session Host server when there are problems with
This policy setting allows you to specify the type of Remote Desktop Services client access license (RDS CAL) that is required to
This policy setting allows you to specify the order in which an RD Session Host server attempts to locate Remote Desktop licen
This policy setting allows you to specify whether to prevent the mapping of client printers in Remote Desktop Services session
This policy setting allows you to specify whether the client default printer is automatically set as the default printer in a sessio
This policy setting allows you to specify whether the default client printer is the only printer redirected in Remote Desktop Ser
This policy setting allows you to specify the RD Session Host server fallback printer driver behavior. By default, the RD Session H
This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client pr
This policy setting allows you to limit the size of the entire roaming user profile cache on the local drive. This policy setting on
This policy setting allows you to specify the network path that Remote Desktop Services uses for roaming user profiles. By defa
Specifies whether Remote Desktop Services uses the specified network share or local directory path as the root of the user's h
This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile for all users connecting re
This policy setting allows you to specify the name of a farm to join in RD Connection Broker. RD Connection Broker uses the fa
This policy setting allows you to specify the RD Connection Broker server that the RD Session Host server uses to track and red
This policy setting allows you to specify whether the RD Session Host server should join a farm in RD Connection Broker. RD Co
This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Remote D
This policy setting allows you to specify whether to use the RD Connection Broker load balancing feature to balance the load b
This policy setting allows you to specify whether desktop composition is allowed for remote desktop sessions. This policy settin
This policy setting determines whether the desktop is always displayed after a client connects to a remote computer or an initi
This policy setting allows you to specify which Remote Desktop Protocol (RDP) compression algorithm to use. By default, serve
This policy setting allows you to specify the visual quality for remote users when connecting to this computer by using Remote
This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remot
This policy setting allows you to specify whether font smoothing is allowed for remote connections. Font smoothing provides C
This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host
Specifies whether desktop wallpaper is displayed to remote clients connecting via Remote Desktop Services. You can use this s
This policy setting allows you to specify the maximum color resolution (color depth) for Remote Desktop Services connections
This policy setting allows you to specify the maximum display resolution that can be used by each monitor used to display a Re
This policy setting allows you to limit the number of monitors that a user can use to display a Remote Desktop Services session
This policy setting allows you to remove the "Disconnect" option from the Shut Down Windows dialog box in Remote Desktop
Specifies whether to remove the Windows Security item from the Settings menu on Remote Desktop clients. You can use this
Configures Remote Desktop Services to run a specified program automatically upon connection. You can use this setting to spe
This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, liv
This policy setting enables system administrators to change the graphics rendering for all Remote Desktop Services sessions on
This policy setting allows you to control the availability of RemoteFX on both a Remote Desktop Virtualization Host (RD Virtual
This policy setting allows you to specify the visual experience that remote users receive in Remote Desktop Services sessions. R
This policy setting allows you to specify the visual experience that remote users will have in Remote Desktop Connection (RDC
This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You
This policy setting specifies whether to disable the administrator rights to customize security permissions for the Remote Desk
Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecu
This policy setting specifies whether to require the use of a specific security layer to secure communications between clients a
This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host
This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically
This policy setting specifies whether to require the use of a specific encryption level to secure communications between client
This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be i
This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active be
This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this po
This policy setting allows you to specify how long a user's RemoteApp session will remain in a disconnected state after closing
This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. You can
This policy setting allows you to prevent Remote Desktop Services from creating session-specific temporary folders. You can us
This policy setting prevents the user from using Internet Explorer as a feed reader. This policy setting has no impact on the Win
This policy setting prevents users from having Internet Explorer automatically discover whether a feed or Web Slice is available
This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's compute
This policy setting prevents the user from subscribing to or deleting a feed or a Web Slice. If you enable this policy setting, the
This policy setting controls whether to have background synchronization for feeds and Web Slices. If you enable this policy setti
This policy setting allows users to have their feeds authenticated through the Basic authentication scheme over an unencrypte
Enabling this policy allows you to add a primary intranet search location within Windows Desktop Search. The value of this tex
Enabling this policy allows you to add intranet search locations in addition to the primary intranet search location defined in th
This policy setting allows encrypted items to be indexed. If you enable this policy setting, indexing will attempt to decrypt and
This policy setting allows words that contain diacritic characters to be treated as separate words. If you enable this policy setti
This policy setting determines when Windows uses automatic language detection results, and when it relies on indexing histor
Enabling this policy defines a semicolon-delimited list of file extensions which will be allowed to have rich attachment preview
Enabling this policy allows you to specify a list of paths to exclude from indexing by default. The user may override these paths
Enabling this policy allows you to specify a list of paths to index by default. The user may override these paths and exclude the
If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity i
This policy setting configures whether or not locations on removable drives can be added to libraries. If you enable this poli
Enabling this policy removes the option of searching the Web from Windows Desktop Search. When this policy is disabled or n
This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are disp
This policy setting allows you to control whether or not Search can perform queries on the web over metered connections, an
Enabling this policy allows indexing of items for online delegate mailboxes on a Microsoft Exchange server. This policy affects o
Enabling this policy allows indexing of mail items on a Microsoft Exchange server when Microsoft Outlook is not running in cac
When using Microsoft Office Outlook in online mode, you can enable this policy to control how fast online mail is indexed on a
Store indexer database in this directory. This directory must be located on a local fixed drive.
Enabling this policy prevents users from adding UNC locations to the index from the Search and Indexing Options in Control Pa
This policy setting allows you to enable or disable the Add/Remove location options on the All Locations menu as well as any d
This policy setting configures how Windows Search adds shared folders to the search index. If you enable this policy setting, W
If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that
If enabled, Search and Indexing Options in Control Panel does not allow opening the Modify Locations dialog. Otherwise it can
If you enable this policy setting, you specify a list of paths to exclude from indexing. The user cannot enter any path that starts
Enable this policy setting to prevent the indexing of the content of e-mail attachments. If enabled, indexing service componen
If enabled, files on network shares made available offline are not indexed. Otherwise they are indexed. Disabled by default.
Enable this policy to prevent indexing of any Microsoft Outlook items. The default is to automatically index Outlook items. If th
Enabling this policy allows you to edit the list of file types to exclude from indexing. The end user cannot modify this list. You s
Enable this policy to prevent indexing public folders in Microsoft Office Outlook. When this policy is disabled or not configured
If enabled, the indexer pauses whenever the computer is running on battery. If disabled, the indexing follows the default beha
This policy setting hides or displays the Advanced Options dialog for Search and Indexing Options in the Control Panel. If you en
Enabling this policy prevents Windows Desktop Search from using iFilters and protocol handlers unless they are specified in th
Enabling this policy allows you to set the location of the preview pane in the Desktop Search results. You can also turn off the
Enabling this policy allows you to specify whether you want large icon or small icon view for your Desktop Search results. The
This policy setting allows you to control the SafeSearch setting used when performing a query in Search. If you enable this poli
This policy setting allows you to control what information is shared with Bing in Search. If you enable this policy setting, you ca
This policy setting lets you prevent apps and features from working with files on SkyDrive. If you enable this policy setting: * Users can’t access SkyDrive from the SkyDrive app and file picker. * Windows Store apps can’t access SkyDrive using the WinRT API. * SkyDrive doesn’t appear in the navigation pane in File Explorer. * SkyDrive files aren’t kept in sync with the cloud. * Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with SkyDrive file storage.
Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the sa
This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory do
This policy setting allows a Server for NIS administrator to configure an update interval for pushing Network Information Servi
This policy setting allows an administrator to configure extensive logging for computers that are running Server for Network In
This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the
This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface i
This policy setting allows configuration of SkyDrive file sync behavior on metered connections.
This policy setting lets you select the local PC as the default save location. It does not prevent apps and users from saving files
This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. In versions of Wind
This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to lo
This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI)
This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. If you enable this p
This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid. Under previous v
This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user
This policy setting allows you to manage the clean up behavior of root certificates. If you enable this policy setting then root c
This policy setting allows you to manage the displayed message when a smart card is blocked. If you enable this policy setting,
This policy setting lets you configure if all your valid logon certificates are displayed. During the certificate renewal period, a u
This policy setting allows you to manage the reading of all certificates from the smart card for logon. During logon Windows wi
This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is instal
This policy setting prevents plaintext PINs from being returned by Credential Manager. If you enable this policy setting, Creden
This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon.
This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. If you enable or
This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. If you enab
This policy setting allows you to control whether Smart Card Plug and Play is enabled. If you enable or do not configure this po
Specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record
Enables or disables the automatic download and installation of app updates. If you enable this setting, the automatic download
Enables or disables the automatic download of app updates on PCs running Windows 8. If you enable this setting, the automati
Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application w
Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to t
Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" pag
Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the
Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync y
Prevent the "browser" group from syncing to and from this PC. This turns off and disables the "browser" group on the "sync y
Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop person
Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on
Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Window
Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sy
Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "
Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "
Prevents start of InkBall game. If you enable this policy, the InkBall game will not run. If you disable this policy, the InkBall game
Prevents printing to Journal Note Writer. If you enable this policy, the Journal Note Writer printer driver will not allow printing
Prevents the snipping tool from running. If you enable this policy setting, the Snipping Tool will not run. If you disable this policy
Prevents start of Windows Journal. If you enable this policy, the Windows Journal accessory will not run. If you disable this polic
Disables visual pen action feedback, except for press and hold feedback. If you enable this policy, all visual pen action feedback
Removes the Back->ESC mapping that normally occurs when menus are visible, and for applications that subscribe to this beha
Prevents the user from launching an application from a Tablet PC hardware button. If you enable this policy, applications canno
Prevents press and hold actions on hardware buttons, so that only one action is available per button. If you enable this policy,
Turns off Tablet PC hardware buttons. If you enable this policy, no actions will occur when the buttons are pressed, and the bu
Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from prov
Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is availa
Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is availa
Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only
Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. Tablet PC Input Panel is a Tablet PC accessory th
Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is av
Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and W
Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture
Makes pen flicks learning mode unavailable. If you enable this policy, pen flicks are still available but learning mode is not. Pen
Makes pen flicks and all related features unavailable. If you enable this policy, pen flicks and all related features are unavailabl
Turns off Tablet PC Pen Training. If you enable this policy setting, users cannot open Tablet PC Pen Training. If you disable or do
Turn off Tablet PC touch input. Turns off touch input, which allows the user to interact with their computer using their finger. If
Turn off Panning. Turns off touch panning, which allows users to pan inside windows by touch. On a compatible PC with a tou
This setting removes the "Open advanced properties for this task when I click Finish" checkbox from the last page of the Sched
Prevents users from viewing and changing the properties of an existing task. This setting removes the Properties item from the
Prevents users from starting and stopping tasks manually. This setting removes the Run and End Task items from the context m
Limits newly scheduled tasks to items on the user's Start menu, and prevents the user from changing the scheduled program for exi
Prevents users from adding or removing tasks by moving or copying programs in the Scheduled Tasks folder. This setting disabl
Prevents users from creating new tasks. This setting removes the Add Scheduled Task item that starts the New Task Wizard. Al
Prevents users from deleting tasks from the Scheduled Tasks folder. This setting removes the Delete command from the Edit m
Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing
This policy setting affects the ability of users to install or uninstall color profiles. If you enable this policy setting, users cannot in
If you enable this setting all Customer Experience Improvement Program uploads are redirected to Microsoft Operations Man
This policy setting will enable tagging of Windows Customer Experience Improvement data when a study is being conducted. If
This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispy
This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service
This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Pol
This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specifie
This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the ne
This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled definition
This policy setting allows you to configure whether Windows Defender automatically takes action on all detected threats. The
This policy setting turns off Windows Defender. If you enable this policy setting, Windows Defender does not run, and compute
This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an ac
This policy setting allows you to configure whether or not to display notifications to clients when they need to perform the fol
This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scannin
This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qu
This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes
This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Grou
This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to r
This policy setting limits the rate at which detection events for network protection against exploits of known vulnerabilities wi
This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be ad
This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilitie
This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilitie
This policy, if defined, will prevent network protection against exploits of known vulnerabilities from inspecting the specified I
This policy setting defines a list of TCP port numbers from which network traffic inspection will be disabled. Port numbers shou
This policy setting defines processes from which outbound network traffic will not be inspected. Process names should be add
This policy setting defines threats which will be excluded from detection during network traffic inspection. Threats should be a
This policy setting configures a local override for the configuration of the number of days items should be kept in the Quaranti
This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. If you enab
This policy setting configures a local override for the configuration of monitoring for file and program activity on your compute
This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This se
This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This s
This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Grou
This policy setting configures a local override for the configuration of network protection against exploits of known vulnerabili
This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set
This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring en
This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. If you ena
This policy setting allows you to configure monitoring for file and program activity. If you enable or do not configure this setting
This policy setting allows you to configure scanning for all downloaded files and attachments. If you enable or do not configure
This policy setting turns off real-time protection prompts for known malware detection. Windows Defender alerts you when m
This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting, behavior monitor
This policy setting allows you to configure Information Protection Control (IPC). If you enable this setting, IPC will be enabled. If
This policy setting allows you to configure network protection against exploits of known vulnerabilities. If you enable or do not
This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malwa
This policy setting controls whether raw volume write notifications are sent to behavior monitoring. If you enable or do not con
This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remedi
This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete re
This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remedi
This policy setting configures the time in minutes before a detection in the "critically failed" state moves to either the
This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared"
This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state.
This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" sta
This policy setting allows you to configure whether or not Watson events are sent. If you enable or do not configure this setting
This policy configures Windows software trace preprocessor (WPP Software Tracing) components.
This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). Tracing lev
This policy setting allows you to manage whether or not end users can pause a scan in progress. If you enable or do not configu
This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a sca
This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This
This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group
This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by
This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Grou
This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This settin
This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. If you enable
This policy setting allows you to configure scanning mapped network drives. If you enable this setting, mapped network drives
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .
This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. If y
This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning rema
This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the content
This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be config
This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the num
This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are u
This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for th
This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The valu
This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are: 1 = Quick Scan (de
This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented a
This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented a
This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. If you enable
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated bec
This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated b
This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox
This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the eng
This policy setting defines the number of days items should be kept in the scan history folder before being permanently remov
This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible
This policy setting allows you to enable download of definition updates from Microsoft Update even if the Automatic Updates
This policy setting allows you to configure definition updates when the computer is running on battery power. If you enable or
This policy setting allows you to configure the antimalware service to receive notifications to disable individual definitions in re
This policy setting allows you to enable real-time definition updates in response to reports sent to Microsoft MAPS. If the serv
This policy setting allows you to manage whether a check for new virus and spyware definitions will occur immediately after se
This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacte
This policy setting allows you to define the number of days after which a catch-up definition update will be required. By defau
This policy setting allows you to define the number of days that must pass before spyware definitions are considered out of da
This policy setting allows you to define the number of days that must pass before virus definitions are considered out of date.
This policy setting allows you to define the order in which different definition update sources should be contacted. The value o
This policy setting allows you to configure definition updates on startup when there is no antimalware engine present. If you e
This policy setting allows you to specify the day of the week on which to check for definition updates. The check can also be co
This policy setting allows you to specify an interval at which to check for definition updates. The time value is represented as t
This policy setting allows you to specify the time of day at which to check for definition updates. The time value is represented
This policy setting allows you to configure the automatic scan which starts after a definition update has occurred. If you enable
This policy setting allows you to customize which automatic remediation action will be taken for each threat alert level. Threat
This policy setting customizes which remediation action will be taken for each listed Threat ID when it is detected during a scan
This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automa
This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporti
This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event lo
This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal s
This policy setting controls whether users are shown an error dialog box that lets them report an error. If you enable this policy
This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. If you en
This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CA
This policy setting prevents the display of the user interface for critical errors. If you enable this policy setting, Windows Error R
This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. B
This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amo
This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send err
This policy setting controls the behavior of the Windows Error Reporting archive. If you enable this policy setting, you can confi
This policy setting determines the behavior of the Windows Error Reporting report queue. If you enable this policy setting, you
This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is en
This policy setting specifies applications for which Windows Error Reporting should always report errors. To create a list of app
This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is
This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reportin
This policy setting controls whether errors in the operating system are included when Windows Error Reporting is enabled. If you ena
This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. If you
This policy setting determines the default consent behavior of Windows Error Reporting. If you enable this policy setting, you c
This policy setting determines the consent behavior of Windows Error Reporting for specific event types. If you enable this poli
This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. If y
This policy setting permits users to change installation options that typically are available only to system administrators. If you
This policy setting allows users to search for installation files during privileged installations. If you enable this policy setting, the
This policy setting allows users to patch elevated products. If you enable this policy setting, all users are permitted to install pat
This policy setting allows users to install programs from removable media during privileged installations. If you enable this polic
This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system. If you ena
This policy controls the percentage of disk space available to the Windows Installer baseline file cache. The Windows Insta
This policy setting causes the Windows Installer to enforce strict rules for component upgrades. If you enable this policy setting
This policy setting controls the ability to prevent embedded UI. If you enable this policy setting, no packages on the system can
This policy setting allows Web-based programs to install software on the computer without notifying the user. If you disable or
This policy setting prevents users from using Windows Installer to install patches. If you enable this policy setting, users are pre
This policy setting controls the ability to turn off all patch optimizations. If you enable this policy setting, all Patch Optimization
This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the applicatio
This policy setting controls the ability for users or administrators to remove Windows Installer based updates. This policy settin
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuc
This policy setting controls Windows Installer's interaction with the Restart Manager. The Restart Manager API can eliminate o
This policy setting allows you to configure user installs. To configure this policy setting, set it to enabled and use the drop-dow
This policy setting prevents users from searching for installation files when they add features or components to an installed pr
This policy setting saves copies of transform files in a secure location on the local computer. Transform files consist of instructi
Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appear
This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed.
This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging property in an installati
This policy setting controls the ability to turn off shared components. If you enable this policy setting, no packages on the syste
This policy setting restricts the use of Windows Installer. If you enable this policy setting, you can prevent users from installing
This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS). If you enable this policy
This policy setting controls whether or not the system displays information about previous logons and logon failures to the use
This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and
This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts
Windows Mail will not check your newsgroup servers for Communities support.
Denies or allows access to the Windows Mail application. If you enable this setting, access to the Windows Mail application is d
This policy setting allows or prevents Windows Media Center to run. Windows Media Center is a digital media player and video
Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Window
This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode
This policy setting allows you to turn off do not show first use dialog boxes. If you enable this policy setting, the Privacy Options
This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. If you enable th
This policy setting allows you to prevent media sharing from Windows Media Player. If you enable this policy setting, any user o
This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. If you enable this
This policy setting allows you to prevent video smoothing from occurring. If you enable this policy setting, video smoothing is p
This policy setting allows you to prevent Windows Messenger from running. If you enable this policy setting, Windows Messen
This policy setting prevents Windows Messenger from automatically running at logon. If you enable this policy setting, Window
This policy setting turns off Windows Mobility Center. If you enable this policy setting, the user is unable to invoke Windows M
This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. If you enable th
This policy setting allows you to turn on logging for Windows PowerShell modules. If you enable this policy setting, pip
This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. If you enable this
This policy setting allows the Windows Management Instrumentation (WMI) providers Win32_ReliabilityStabilitymetrics and W
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authenticatio
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses CredSSP authentica
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unen
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authenticati
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Kerberos authentic
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Negotiate authenti
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentic
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts CredSSP authe
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens o
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives une
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Kerberos crede
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Negotiate auth
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs cr
This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM) service with regard to
This policy setting turns on or turns off an HTTP listener created for backward compatibility purposes in the Windows Remote
This policy setting turns on or turns off an HTTPS listener created for backward compatibility purposes in the Windows Remote
This policy setting configures access to remote shells. If you enable this policy setting and set it to False, new remote shell conn
This policy setting configures the maximum number of users able to concurrently perform remote shell operations on the syst
This policy setting configures the maximum time in milliseconds remote shell will stay open without any user activity until it is
This policy setting configures the maximum total amount of memory in megabytes that can be allocated by any active remote
This policy setting configures the maximum number of processes a remote shell is allowed to launch. If you enable this policy s
This policy setting configures the maximum number of concurrent shells any user can remotely open on the same system. Any
This policy setting is deprecated and has no effect when set to any state: Enabled, Disabled, or Not Configured.
Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor
This policy setting allows you to control whether non-administrative users will receive update notifications based on the "Confi
This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft
If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, inste
Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wai
Specifies whether this computer will receive security updates and other important downloads through the Windows automati
Specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restart. If the status is set to E
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choic
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve infor
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is displayed in the Shut Down Wi
Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. If
Specifies whether the Windows Update will use the Windows Power Management features to automatically wake up the syst
Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user
Specifies the amount of time for Automatic Updates to wait before prompting again with a scheduled restart. If the status
Specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled ins
Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically upd
Specifies whether Automatic Updates will deliver both important as well as recommended updates from the Windows Update
This policy setting allows you to control whether users see detailed enhanced notification messages about featured software f
This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer. If y
This setting lets you configure how domain joined client computers become workplace joined with domain users at your organ
g, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. If you disable or d
cified in hex as #RGB. By default, users can change the background and accent colors. If this setting is enabled, the background and accent c
f the image file. This setting lets you specify the default lock screen image shown when no user is signed in, and also sets the specified imag
r from changing it. If this setting is set to zero or not configured, then Start uses the default background, and users can change it. If this setti
users can change the background image shown when the machine is locked. If you enable this setting, the user will not be able to change t
default, users can change the look of their start menu background, such as its color or accent. If you enable this setting, the user will be as
ked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users w
the lock screen. By default, users can enable a slide show that will run after they lock the machine. If you enable this setting, users will no l
on a machine but are not used by any users on that machine. If you enable this policy setting, language packs that are installed as pa
e installed. If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is res
rs with more than one UI language installed. If you enable this policy setting, the UI language of Windows menus and dialogs for systems w
zation. Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recogn
em to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. Note: Th
to discover domain controllers on a network. By default, a DFS client attempts to discover domain controllers every 15 minutes. If you ena
ure is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's o
s Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default.
when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (do
when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (d
S) peer cache. In order to make the most efficient use of disk space, by default BITS removes any files in the peer cache that have not bee
e, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache
ake to download the files in a BITS job. The time limit applies only to the time that BITS is actively downloading files. When the cumu
uses for background transfers. (This policy setting does not affect foreground transfers.) You can specify a limit to use during a specifi
does not affect transfers from the origin server). To prevent any negative impact to a computer caused by serving other peers, by def
s the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS
y default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or l
ed to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. If you enable this polic
es in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. If yo
S) uses for background transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the
uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is
uses for background transfers during the work and nonwork days and hours. The work schedule is defined using a weekly calendar, which
b is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be
ers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based o
d mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache v
provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client co
f hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's curre
data cache on client computers. If you enable this policy setting, you can configure the age for segments in the data cache. If you disable or
uters to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on c
s to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client
hCache disk cache on client computers. If you enable this policy setting, you can configure the percentage of total disk space to allocate for
y is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache m
sequent DNS queries if the original name query fails. A name containing dots, but not dot-terminated, is called an unqualified multi-label n
u enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names such as "www.example.com" in a
NS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS su
policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. To use this policy setting, click Enabl
query for that name. An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a
tically register and update their DNS resource records with a DNS server. If you enable this policy setting, or you do not configure this polic
eprep form, a canonical Unicode representation of the string. If this policy setting is enabled, IDNs are converted to the Nameprep form. If t
that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link
tion. To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. Import
ss. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primar
on during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name
s with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concaten
d to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding
etting only applies to computers performing dynamic DNS updates. Computers configured to perform dynamic DNS registration of A and PT
ng IP addresses. This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secur
computers to which this policy setting is applied. To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 1
e when the computer is on non-domain networks with no WINS servers configured. If this policy setting is enabled, IDNs are not converted
a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a c
ng improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries a
on-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link
n select one of the following values: Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynami
e also known as top-level domain zones, for example: "com." By default, a DNS client that is configured to perform dynamic DNS update w
roaming (WISPr) protocol support. If a Wi-Fi hotspot supports the WISPr protocol, users can submit credentials when manually connecting
information, for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services ro
1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shar
DIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requ
Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the netw
for such a Group is changed), Peer Grouping validates that the password meets the password complexity requirements for the local system
pendent applications to stop working. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution
lution Protocol (PNRP) cloud. This policy setting forces computers to act as clients in peer-to-peer (P2P) scenarios. For example, a client com
Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol, in some ca
rs on the local subnet in the global cloud. The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6
otocol allowing Internet hosts to publish peer names with a corresponding Internet Protocol version 6 (IPv6) address. Other hosts can then
lution Protocol (PNRP) cloud. This policy setting forces computers to act as clients in peer-to-peer (P2P) scenarios. For example, a client com
r Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6 address and port number. The protocol, in some
rs on the local subnet in the link local cloud. The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IP
otocol allowing Internet hosts to publish peer names with a corresponding Internet Protocol version 6 (IPv6) address. Other hosts can then
lution Protocol (PNRP) cloud. This policy setting forces computers to act as clients in peer-to-peer (P2P) scenarios. For example, a client com
r Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6 address and port number. The protocol, in some
rs on the local subnet in the site local cloud. The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IP
otocol allowing Internet hosts to publish peer names with a corresponding Internet Protocol version 6 (IPv6) address. Other hosts can then
for Internet access will be shown in the system tray even when a user is connected to a network with local access only. If you disable this
ocation aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was
ers can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a comp
feature of an Internet connection and if the ICS service can run on the computer. ICS lets administrators configure their system as an Inter
location. If you enable this policy setting, domain users must elevate when setting a network's location. If you disable or do not configure t
internal network or whether the client accesses the Internet directly. When a remote client computer connects to an internal network usi
sport. If you enable this policy setting, you must type a security descriptor containing a list of computers or groups of computers. If a comp
llows. Utilities can use ICMP messages to determine the status of other computers. For example, Ping uses the echo request message. If y
and TCP ports 139 and 445. If you enable this policy setting, Windows Firewall opens these ports so that this computer can receive print jo
nagement Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445.
ens TCP port 3389. If you enable this policy setting, Windows Firewall opens this port so that this computer can receive Remote Desktop re
s, such as routers with built-in firewalls. To do this, Windows Firewall opens TCP port 2869 and UDP port 1900. If you enable this policy setti
t exceptions list. Windows Firewall uses two port exceptions lists; the other is defined by the "Windows Firewall: Define inbound port exce
gram exceptions list. Windows Firewall uses two program exceptions lists; the other is defined by the "Windows Firewall: Define inbound
eives. If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and max
irewall uses two port exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component
all uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component
es all other Windows Firewall policy settings that allow such messages. If you enable this policy setting, in the Windows Firewall componen
Windows Firewall add the program to the program exceptions list. If you enable this policy setting, Windows Firewall prevents the display o
sages. If you enable this policy setting, and this computer sends multicast or broadcast messages to other computers, Windows Firewall blo
"Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your D
llows. Utilities can use ICMP messages to determine the status of other computers. For example, Ping uses the echo request message. If y
and TCP ports 139 and 445. If you enable this policy setting, Windows Firewall opens these ports so that this computer can receive print jo
nagement Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445.
ens TCP port 3389. If you enable this policy setting, Windows Firewall opens this port so that this computer can receive Remote Desktop re
s, such as routers with built-in firewalls. To do this, Windows Firewall opens TCP port 2869 and UDP port 1900. If you enable this policy setti
t exceptions list. Windows Firewall uses two port exceptions lists; the other is defined by the "Windows Firewall: Define inbound port exce
gram exceptions list. Windows Firewall uses two program exceptions lists; the other is defined by the "Windows Firewall: Define inbound
eives. If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and max
irewall uses two port exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component
all uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component
es all other Windows Firewall policy settings that allow such messages. If you enable this policy setting, in the Windows Firewall componen
Windows Firewall add the program to the program exceptions list. If you enable this policy setting, Windows Firewall prevents the display o
sages. If you enable this policy setting, and this computer sends multicast or broadcast messages to other computers, Windows Firewall blo
"Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your D
robe. Successful resolution of the host name to this address indicates corporate connectivity.
e network. Successful resolution of this host name to the expected address indicates corporate connectivity.
rate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity.
probe is performed.
determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL de
throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the pa
dresses. These addresses are categorized as Internet by Windows Network Isolation and are accessible to apps that have the Internet Clie
ddresses. These addresses are categorized as private by Windows Network Isolation and are accessible to apps that have the Home/Work
your corporate network. If you enable this policy setting, it ensures that apps with the Home/Work Networking capability have appropriat
discovery in the domain corporate environment. If you enable this policy setting, it turns off Windows Network Isolation's automatic proxy
very of private network hosts in the domain corporate environment. If you enable this policy setting, it turns off Windows Network Isolatio
he server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents
of network files on the user's computer for use when the computer is not connected to the network. If you enable this policy setting, Offlin
atically and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off, the system
ode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configur
ny network speed below this value is considered to be slow. When a connection is considered slow, Offline Files automatically adjust its be
omputers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not d
ffline files. This setting also disables the "Amount of disk space to use for temporary offline files" option on the Offline Files tab. This preve
s that have been made available offline. If you enable this policy setting, a user will be unable to create files with the specified file extensio
d result in extra charges on cell phone or broadband plans. If you enable this setting, synchronization can occur in the background when th
cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads fr
es of files from a network share. Encrypting this cache reduces the likelihood that a user could access files from the Offline Files cache wit
ts in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage
automatic and manual caching for offline use. The system does not cache files of the type specified in this setting even when they reside o
balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first
s the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the
This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" se
As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot us
moves the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and d
ow often reminder balloons updates appear and also prevent users from changing this setting. Reminder balloons appear when the user's c
user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is
le this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local cop
Make Available Offline" command. If you enable this policy setting, the "Make Available Offline" command is not available for the files and f
ually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the "Work offline" command is not d
s that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter are a
g automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of e
he "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option wh
he "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option whi
setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only tha
ns appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and ar
Files. If you enable or do not configure this policy setting, only new files and folders in administratively assigned folders are synchronized at
of outstanding packets reaches this limit, the Packet Scheduler postpones all submissions to network adapters until the number falls belo
he combined bandwidth reservations of all programs running on the system. By default, the Packet Scheduler limits the system to 80 perce
ansmission. The Packet Scheduler cannot schedule packets for transmission more frequently than permitted by the value of this entry. If yo
est Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets
ontrolled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of t
Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the pack
Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of
Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packet
est Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets
ontrolled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of t
Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the pack
Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of
Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packet
ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If you enable th
type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If yo
(ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If you enabl
type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If y
pecification. The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If you enable this setting,
(ServiceTypeQualitative). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If you enable
Protocol (SNMP) service. SNMP is a protocol designed to give a user the capability to remotely manage a computer network, by polling and
work Management (SNMP) agent running on the client computer. Simple Network Management Protocol is a protocol designed to give a us
gent. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network
his policy setting, SSL cipher suites are prioritized in the order specified.If you disable or do not configure this policy setting, the factory de
efault gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available
lay name resolution interval setting has no effect if 6to4 connectivity is not available on the host. If you enable this policy setting, you can s
atic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses
tocol to provide IP connectivity to a remote network. If you disable or do not configure this policy setting, the local host settings are used. I
or an ISATAP router. If you enable this policy setting, you can specify a router name or IPv4 address for an ISATAP router. If you enter an IP
, an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast
u leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system,
alification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. If you disa
ult, every 30 seconds), Teredo clients send a single Router Solicitation packet to the Teredo server. The Teredo server sends a Router Adve
d on the Teredo client computer where this policy setting is applied. If you enable this policy setting, you can specify a Teredo server name
echnology that provides unicast IPv6 connectivity across the IPv4 Internet. If you disable or do not configure this policy setting, the local ho
ot configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured a
n algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Wind
The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 Wi-Fi, through the Wind
y setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set
d standby mode. If this policy setting is enabled, Windows Connection Manager does not manage adapter radios to reduce power cons
er the Internet or to a Windows domain. By default, when this policy setting value is Not Configured, it is enabled. If this policy settin
domain based network at the same time. If this policy setting is enabled, the computer responds to automatic and manual network
is registered on a roaming provider network. If this policy setting is enabled, all automatic and manual connection attempts to roaming
his policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from
enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the
g is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set t
nd used across the Internet or an intranet. If you enable this policy setting, Internet printing is activated on this server. If you dis
Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-
lay on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop o
nfigured or enabled, the spooler will always accept client connections. When the policy is disabled, the spooler will not accept client conne
ou enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish sh
blished by this computer. By default, the pruning service on the domain controller prunes printer objects from Active Directory if the
se a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages. This setting may improve the performance of the XP
ss print jobs itself, or pass them on to the server to do the work. This policy setting only affects printing to a Windows print server. If you en
in Active Directory. If you enable this setting or do not configure it, the Add Printer Wizard automatically publishes all shared printers.
1, Windows RT 8.1 and Windows Server 2012 R2. If you enable this group policy setting, the default MXDW output format is the lega
Active Directory. This setting also specifies how often the system repeats the verification. By default, the system only verifies publish
ers. This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by
th printing". It can also include a link to a Web page supplied by the vendor of the currently selected printer. If you enable this policy
eir printers are operational. The pruning service periodically contacts computers that have published printers. If a computer does no
llers, deletes printer objects from Active Directory if the printer that published the object does not respond to contact attempts. This proc
a computer before pruning the computer's printers. The pruning service periodically contacts computers that have published printe
rnel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors. If you disa
ers may include an optional, customized user interface known as a printer extension. These extensions may provide access to more device
eparate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print s
. If you enable this policy setting, the client computer will continue to search for compatible Point and Print drivers from Windows Update
em into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash. Not all applications
contact a computer before pruning the computer's printers. The pruning service periodically contacts computers that have published
sers will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers
ity reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility
print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent fro
ndows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a do
a location scheme for your enterprise and assign computers and printers to locations in the scheme. Location Tracking overrides the stand
ins with Active Directory, shared printer resources are available in Active Directory and are not announced. If you enable this setting, the p
automatically republished whenever the host computer does not respond, just as it does with Windows 2000 printers. This setting applies
51016.
, see http://technet.microsoft.com/en-us/library/dn408187.aspx

h OS and data volumes can be backed up. If you enable this policy setting, machine administrator/backup operator can backup only volume
torage or not. If you enable this policy setting, machine administrator/backup operator cannot use Windows Server Backup to run backups
or not. If you enable this policy setting, machine administrator/backup operator cannot use Windows Server Backup to run backups to a ne
or not. If you enable this policy setting, machine administrator/backup operator cannot use Windows Server Backup to run backups to an o
f you enable this policy setting, machine administrator/backup operator cannot use Windows Server Backup to run non-scheduled run-on

rs and prevents them from changing its configuration. The Start screen layout you specify must be stored in an XML file that was generate
The system state data file contains information about the basic system state as well as the state of all running processes. If you enable this
DLT) server, which runs on domain controllers. The DLT client enables programs to track linked files that are moved within an NTFS volum
designed for advanced users who require this information. If you enable this policy setting, the system displays status messages that reflec
an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the co
r. If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder. If you disable or d
ou enable this policy setting, the Manage Your Server page is not displayed each time an administrator logs on to the server. If you disable
s shutdown completes. This setting does not affect Windows shutdown behavior when shutdown is manually selected using the Start men
el (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the CO
rent time to disk on a schedule controlled by the Timestamp Interval. If you enable this policy setting, you are able to specify how often the
t display a message reminding users to wait while their system starts or shuts down, or while users log on or off. If you disable or do not co
p (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strong
nable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file
m corruption and for enabling optional features that have had their payload files removed. If you enable this policy setting and specify the n
he fully qualified path to the new location in the "Windows Setup file path" box. If you disable or do not configure this policy setting, the W
tting, enter the fully qualified path to the new location in the "Windows Service Pack Setup file path" box. If you disable or do not configure
nforced Data Execution Prevention. Data Execution Prevention (DEP) is designed to block malicious code that takes advantage of exc
er. You can customize the Access Denied message to include additional text and links. You can also provide users with the ability to send an

ss has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the comm
top Connection). This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos. If you
top Connection). This policy setting applies when server authentication was achieved via NTLM. If you enable this policy setting, you can sp
top Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. If you enab
top Connection). This policy setting applies when server authentication was achieved via NTLM. If you enable this policy setting, you can sp
top Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. If you enab
top Connection). This policy setting applies when server authentication was achieved via NTLM. If you enable this policy setting, you can sp
top Connection). If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (d
top Connection). If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fre
top Connection). If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (sa
s (regardless of the delegation method). Restricted mode may limit access to resources located on other servers or networks beyond the t
enable this policy setting, remote connections to the Plug and Play interface are allowed. If you disable or do not configure this policy setti
ation task to complete. If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the inst
orting infrastructure. This policy allows you to disable the feature. If you enable this policy setting, an error report is not sent when a gene
e activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driv
t. If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setti
ows Error Reporting infrastructure. This policy allows you to disable the feature. If you enable this policy setting, Windows will not send an
rtificate are ranked with drivers signed by other valid Authenticode signatures during the driver selection and installation process. Regardl
evice drivers. If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, o
ice drivers. If you enable this policy setting, you can select whether Windows searches Windows Update (WU), searches a Managed Server
f you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed. If you disable or do not co
l and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, members of the Administrators
evices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other poli
for device drivers that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described b
lation is attempted and a policy setting prevents the installation. If you enable this policy setting, Windows displays the text you type in the
stallation is attempted and a policy setting prevents the installation. If you enable this policy setting, Windows displays the text you type in
d by any other policy setting. If you enable this policy setting, Windows is prevented from installing or updating the device driver for any de
evices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows t
for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allow
sidered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universa
order to enforce a change in device installation restriction policies. If you enable this policy setting, set the amount of seconds you want th
e driver for the USB device cannot be loaded. If you disable or do not configure this setting, an alternate driver for the USB device can be lo
for USB devices cannot be loaded. If you disable or do not configure this setting, an alternate driver for USB devices can be loaded.
m. If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume. If you disable this pol
is policy setting, the hard disks are not put into NV cache power save mode and no power savings are achieved. If you disable this policy se
system. To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV
etting, frequently written files such as the file system metadata and registry may not be stored in the NV cache. If you disable this policy setti
vable media. If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTF
ter, and prevents users from changing the setting. If you enable this policy setting, disk quota management is turned on, and users cannot
ging the setting. If you enable this policy setting, disk quota limits are enforced. If you disable this policy setting, disk quota limits are not en
n users reach their disk quota limit on a volume, and prevents users from changing the logging setting. If you enable this policy setting, the
rs reach their disk quota warning level on a volume. If you enable this policy setting, the system records an event. If you disable this policy
me. This policy setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. I
urity Check exemptions" list. If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application id (a
om the DCOM Activation security check. DCOM uses two such lists, one configured via Group Policy through this policy setting, and the ot
nistrator members of the built-in Users group may install on the system. If you enable this policy setting, members of the Users group may
device drivers using the Internet. Note: This setting only has effect if "Turn off Windows Update device driver searching" in "Administrativ
on determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following
s are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data
roduct ID that are usable on your computer. If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer a
cal and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. If you enable this policy setting, only IEEE 16
on your computer. If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. If you dis
e device. If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. If you disable or do not configu
ou enable this policy setting, Windows will not activate unactivated Enhanced Storage devices. If you disable or do not configure this policy
supported in Windows Server SKUs only. If you enable this policy setting, the Enhanced Storage device remains locked when the compute
File Explorer. The Classification tab enables users to manually classify files by selecting properties from a list. Administrators can define the
ters. Administrators can define the properties for the organization by using Active Directory Domain Services (AD DS), and then group thes
ed. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS a
due to a file delete operation. A value of 0, the default, will enable delete notifications for all volumes. A value of 1 will disable delete notifi
ectively enable or disable the evaluation of these types of symbolic links: Local Link to a Local Target, Local Link to a Remote Target, Remote
prevent access to and creation of compressed files.
revent access to and creation of encrypted files
nable it if you want to use the APIs.
also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted.
Some applications require short names for compatibility, but short names have a negative performance impact on the system. If you enab
policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want t
d names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and lega
when logging on through Remote Desktop Services. Asynchronous user Group Policy processing is the default processing mode for Window
scripts for interactive logons across forests. This policy setting affects all user accounts that interactively log on to a computer in a different
you edit a Group Policy Object (GPO) using the Group Policy Object Editor snap-in, the ADM files are loaded from that GPO into the Group
synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user logon) w
ension are updated. If you enable this policy setting, you can configure processing options for Application preference items. If you disable o
tension are updated. If you enable this policy setting, you can configure processing options for Data Sources preference items. If you disabl
on are updated. If you enable this policy setting, you can configure processing options for Device preference items. If you disable or do not c
fast network connection for the purposes of applying and updating Group Policy. When Group Policy detects the bandwidth speed of a D
icies that use the disk quota component of Group Policy, such as those in Computer Configuration\Administrative Templates\System\Disk
nsion are updated. If you enable this policy setting, you can configure processing options for Drive Maps preference items. If you disable or
licies that use the encryption component of Group Policy, such as policies related to encryption in Windows Settings\Security Settings. It ov
tension are updated. If you enable this policy setting, you can configure processing options for Environment Variable preference items. If yo
are updated. If you enable this policy setting, you can configure processing options for File preference items. If you disable or do not configu
extension are updated. If you enable this policy setting, you can configure processing options for Folder Options, Open With, and File Type
s all policies that use the folder redirection component of Group Policy, such as those in Windows Settings\Folder Redirection. You can only
on are updated. If you enable this policy setting, you can configure processing options for Folder preference items. If you disable or do not c
o not configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves app
he rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the
on are updated. If you enable this policy setting, you can configure processing options for Ini Files preference items. If you disable or do not
setting affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those in Windows Settings\Inter
e extension are updated. If you enable this policy setting, you can configure processing options for Internet preference items. If you disable
icies that use the IP security component of Group Policy, such as policies in Computer Configuration\Windows Settings\Security Settings\I
ference extension are updated. If you enable this policy setting, you can configure processing options for Local User and Local Group prefe
long the Group Policy client waits after logon before running scripts. By default, the Group Policy client waits five minutes before
e extension are updated. If you enable this policy setting, you can configure processing options for VPN Connection and DUN Connection p
extension are updated. If you enable this policy setting, you can configure processing options for Network Shares preference items. If you d
extension are updated. If you enable this policy setting, you can configure processing options for Power Options and Power Scheme prefere
on are updated. If you enable this policy setting, you can configure processing options for Shared Printer, TCP/IP Printer, and Local Printer p
e extension are updated. If you enable this policy setting, you can configure processing options for Regional Options preference items. If yo
es in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the p
on are updated. If you enable this policy setting, you can configure processing options for Registry preference items. If you disable or do no
e extension are updated. If you enable this policy setting, you can configure processing options for Scheduled Task and Immediate Task pre
g affects all policies that use the scripts component of Group Policy, such as those in Windows Settings\Scripts. It overrides customized setti
es that use the security component of Group Policy, such as those in Windows Settings\Security Settings. This policy setting overrides custo
on are updated. If you enable this policy setting, you can configure processing options for Service preference items. If you disable or do not
sion are updated. If you enable this policy setting, you can configure processing options for Shortcut preference items. If you disable or do n
ects all policy settings that use the software installation component of Group Policy, such as policy settings in Software Settings\Software I
nsion are updated. If you enable this policy setting, you can configure processing options for Start Menu preference items. If you disable or
y user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laborato
icy setting affects all policies that use the wired network component of Group Policy, such as those in Windows Settings\Wired Network P
policy setting affects all policies that use the wireless network component of Group Policy, such as those in Windows Settings\Wireless Net
fault, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. If you enable this policy setting, interactive users
DFS shares as is being used for Active Directory.
nes. If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache save
able this policy setting, users are not able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when a
in use (in the background). This setting specifies a background update rate only for Group Policies in the Computer Configuration folder. In
running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts. By defa
during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until the network is available or t
ns during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is
y setting applies to Group Policy for computers, users, and domain controllers. If you enable this policy setting, the system waits until the c

he policy settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users an
er. RSoP logs information on Group Policy settings that have been applied to the client. This information includes details such as which Gro
cations preference extension, and to turn on tracing for the Applications extension. Logging and tracing provide diagnostic information for
Sources preference extension, and to turn on tracing for the Data Sources extension. Logging and tracing provide diagnostic information fo
es preference extension, and to turn on tracing for the Devices extension. Logging and tracing provide diagnostic information for troublesh
Maps preference extension, and to turn on tracing for the Drive Maps extension. Logging and tracing provide diagnostic information for tr
onment preference extension, and to turn on tracing for the Environment extension. Logging and tracing provide diagnostic information fo
preference extension, and to turn on tracing for the Files extension. Logging and tracing provide diagnostic information for troubleshooting
r Options preference extension, and to turn on tracing for the Folder Options extension. Logging and tracing provide diagnostic informatio
rs preference extension, and to turn on tracing for the Folders extension. Logging and tracing provide diagnostic information for troublesh
es preference extension, and to turn on tracing for the Ini Files extension. Logging and tracing provide diagnostic information for troublesh
net preference extension, and to turn on tracing for the Internet extension. Logging and tracing provide diagnostic information for troubles
User and Local Group preference extension, and to turn on tracing for the Local User and Local Group extension. Logging and tracing prov
ork Options preference extension, and to turn on tracing for the Network Options extension. Logging and tracing provide diagnostic inform
ork Shares preference extension, and to turn on tracing for the Network Shares extension. Logging and tracing provide diagnostic informati
r Options preference extension, and to turn on tracing for the Power Options extension. Logging and tracing provide diagnostic informatio
rs preference extension, and to turn on tracing for the Printers extension. Logging and tracing provide diagnostic information for troubles
nal Options preference extension, and to turn on tracing for the Regional Options extension. Logging and tracing provide diagnostic inform
try preference extension, and to turn on tracing for the Registry extension. Logging and tracing provide diagnostic information for troubles
uled Tasks preference extension, and to turn on tracing for the Scheduled Tasks extension. Logging and tracing provide diagnostic informa
es preference extension, and to turn on tracing for the Services extension. Logging and tracing provide diagnostic information for troubles
cuts preference extension, and to turn on tracing for the Shortcuts extension. Logging and tracing provide diagnostic information for troub
Menu preference extension, and to turn on tracing for the Start Menu extension. Logging and tracing provide diagnostic information for tr
re Internet resources. If you enable this setting, all of the policy settings listed in the "Internet Communication settings" section are set
all Windows Update features are removed. This includes blocking access to the Windows Update website at http://windowsupdate.micro
with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications o
date website. Typically, a certificate is used when you use a secure website or when you send and receive secure email. Anyone can issue
P. To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. Note: This policy setting does not prevent the client from p
t Viewer application. The Event Viewer normally makes all HTTP(S) URLs into hyperlinks that activate the Internet browser when clicked. In
nition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing sam
ng tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Micro
er. This content is dynamically updated when users who are connected to the Internet open Help and Support Center, and provides up-to-d
Help and Support Center. The Knowledge Base is an online source of technical support information and self-help tools for Microsoft produ
wnload a list of Internet Service Providers (ISPs). If you enable this policy setting, the "Choose a list of Internet Service Providers" path in th
shing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage
pen a file with an unhandled file association. When a user opens a file that has an extension that is not associated with any applications on
allows a client to print to printers on the intranet as well as the Internet. Note: This policy setting affects the client side of Internet printing
r online registration. If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users can
ates during local and Internet searches. When users search the local computer or the Internet, Search Companion occasionally connects to
Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enabl
he Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. The Web Publishing Wiz
w Windows Messenger software and service is used. With the Customer Experience Improvement program, users can allow Microsoft to c
s Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and
o report information about a system or application that has failed or has stopped responding and is used to improve the quality of the pro
Indicator (NCSI) to determine whether your computer is connected to the Internet or to a more limited network.As part of determining th
o local drivers for a device are present.If you enable this policy setting, Windows Update is not searched when a new device is installed.If y
no new persistent logins may be created. If disabled then additional persistent and non persistent logins may be established.
ame may be changed.
HAP secret may be changed.
then connections that are configured for IPSec or connections not configured for IPSec may be established.
bled then sessions that are configured for mutual CHAP or sessions not configured for mutual CHAP may be established.
abled then sessions that are configured for one-way CHAP or sessions not configured for one-way CHAP may be established. Note that if th
t portal; already discovered targets may be manually configured. If disabled then new and already discovered targets may be manually con
ets may be manually configured. Note: if enabled there may be cases where this will break VDS.
servers; existing iSNS servers may not be removed. If disabled then new iSNS servers may be added and thus new targets discovered via th
tals; existing target portals may not be removed. If disabled then new target portals may be added and thus new targets discovered on tho
hentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication.If you enable this policy setting, client comp
ns to client computers.If you enable this policy setting, the domain controller provides the information message about previous logons.Fo
Note: For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Ke
when attempting to resolve two-part service principal names (SPNs).If you enable this policy setting, the KDC will search the forests in this
t issued during Kerberos authentication. The ticket size warnings are logged in the System log.If you enable this policy setting, you can set
n the resource domain requests compound identity.Note: For a domain controller to request compound authentication, the policies "KDC
to a Kerberos realm.If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Ke
eros V5 realms, as defined by this policy setting. If you enable this policy setting, you can view and change the list of interoperable Kerb
proxy server.If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos clie
red when communicating with a domain controller.Warning: When a domain does not support Kerberos armoring by enabling "Support D
ynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. If you enable this
ard and system certificate logon. If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the
ains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for
size of the SSPI context token buffer size. The size of the context token buffer determines the maximum size of SSPI context tokens
on their DNS suffix names.If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain c
cation.Support for providing compound authentication which is used for access control will require enough domain controllers in the reso
ting to resolve two-part service principal names (SPNs).If you enable this policy setting, the Kerberos client searches the forests in this list, i
ble this policy setting, users cannot change their GeoID.If you disable or do not configure this policy setting, users may select any GeoID.If y
sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. Note this does not affect the
The user is restricted to the set of locales that are installed with the operating system.This does not affect the selection of replacement loc
Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to
cks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an ad
y, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a
rd is required when a device that supports connected standby's screen turns off. If you enable this policy setting, a user on a device that su
t, a workgroup is set to use the simple logon screen. This setting only works when the computer is not on a domain.If you enable this polic
dows give preference to a custom logon background. If you enable this policy setting, the logon screen always attempts to load a custom b
mputers wait for the network to be fully initialized during computer startup and user logon). By default, on client computers, Group Policy
main to which the computer is joined. Without this policy setting, at logon, if a user does not specify a domain for logon, the domain to whi
the logon screen.If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.If y
me the user logs on.If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this poli
f you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers.If you disable or do no
rams and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 P
rograms and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to t
his policy setting, Logon UI will enumerate all local users on domain-joined computers.If you disable or do not configure this policy setting
ring authentication. Note: credential providers are used to process and validate user credentials during logon or when authentication is req
he Task Manager.If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logge
hen a user logs on to the system.If you enable this policy setting, you can specify which programs can run at the time the user logs on to th
n to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are
enable this policy setting, no app notifications are displayed on the lock screen.If you disable or do not configure this policy setting, users c
.If you enable this policy setting, a domain user can't set up or sign in with a picture password. If you disable or don't configure this policy s
item of Control Panel.The Microsoft Windows Startup sound is heard during system startup and cold startup, and can be turned on or off
this policy setting, a domain user can set up and sign in with a PIN. If you disable or don't configure this policy setting, a domain user can't
lgorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer a
provided by a client with the PDC emulator if the DC failed to validate the password.Contacting the PDC emulator is useful in case the clien
a domain controller (DC) should support compatibility in file sharing semantics with earlier applications.If you enable this policy setting, the
rations:- Checks if a password on a secure channel needs to be modified, and modifies it if necessary.- On the domain controllers (DC), dis
domain controller (DC) should support compatibility in file sharing semantics with earlier applications.When this setting is enabled, the SYS
's (DC) response when logging on to the network. To specify the expected dial-up delay at logon, click Enabled, and then enter the desired
e outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged.If yo
windir%\debug when logging is enabled.By default, the maximum size of the log file is 20MB. If you enable this policy setting, the maximum
n controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, D
pplied to caller programs that do not periodically attempt to locate DCs, and it is applied before returning the DC information to the ca
site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.To specif
odic searches for domain controllers (DC) are unable to find a DC. For example, retries may be set to occur according to the Use maximum
cations that perform periodic searches for domain controllers (DC) that are unable to find a DC.The default value for this setting is 10 minu
eriodic searches for Domain Controllers (DCs) are unable to find a DC.For example, the retry intervals may be set at 10 minutes, then 20 m
pplied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller progra
ssive when trying to locate a domain controller (DC).When an environment has a large number of DCs running both old and new operating
main controller (DC).Note: To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from
e DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS dom
.The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When
C Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address w
ollers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate th
e registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (D
ontrollers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used t
ose IP address does not map to any configured site.Domain controllers use the client IP address during a DC locator ping request to compu
rvice.If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS
urce records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to
which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorith
directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These rec
DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where
C locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where
link cost if a DC in the same site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location str
site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). The
me resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS
me resolution of single-label domain names. By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSe
ecify a custom power plan, use the Custom Active Power Plan setting.If you enable this policy setting, specify a power plan from the Active
for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool. If you enable this policy s
.Possible actions include: Take no action; Sleep; Hibernate; Shut down. If you enable this policy setting, you must select the desired action. If
.Possible actions include: Take no action; Sleep; Hibernate; Shut down. If you enable this policy setting, you must select the desired action. If
ossible actions include: Take no action; Sleep; Hibernate; Shut down. If you enable this policy setting, you must select the desired action. If yo
ossible actions include: Take no action; Sleep; Hibernate; Shut down. If you enable this policy setting, you must select the desired action. If yo
sible actions include: Take no action; Sleep; Hibernate; Shut down. If you enable this policy setting, you must select the desired action. If you
sible actions include: Take no action; Sleep; Hibernate; Shut down. If you enable this policy setting, you must select the desired action. If you
er button. If you enable this policy setting, select one of the following actions: Sleep; Hibernate; Shut down. If you disable this policy or do no
er button. If you enable this policy setting, select one of the following actions: Sleep; Hibernate; Shut down. If you disable this policy or do no
able this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the ha
able this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the ha
l battery notification level. If you enable this policy setting, select one of the following actions: Take no action; Sleep; Hibernate; Shut down. I
ttery notification action.If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers
attery notification level. If you enable this policy setting, select one of the following actions: Take no action; Sleep; Hibernate; Shut down. If yo
ry notification action.If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the
ower mode.If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve p
battery notification level.If you enable this policy setting, Windows shows a notification when the battery capacity remaining equals the l
cy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inac
cy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inac
policy setting, the computer automatically sleeps when network files are open.If you disable or do not configure this policy setting, the com
policy setting, the computer automatically sleeps when network files are open.If you disable or do not configure this policy setting, the com
the computer in a sleep state.If you enable this policy setting, Windows uses standby states to put the computer in a sleep state.If you dis
the computer in a sleep state.If you enable this policy setting, Windows uses standby states to put the computer in a sleep state.If you dis
sumes from sleep.If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from
sumes from sleep.If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from
em to hibernate.If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before
em to hibernate.If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before
em to sleep.If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Win
em to sleep.If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Win
automatically when a user is not present at the computer.If you enable this policy setting, you must provide a value, in seconds, indicating
automatically when a user is not present at the computer.If you enable this policy setting, you must provide a value, in seconds, indicating
ot generated when the system transitions to sleep (Stand By).If you disable or do not configure this policy setting, users control this setting
ot generated when the system transitions to sleep (Stand By).If you disable or do not configure this policy setting, users control this setting
m from sleeping.If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, o
m from sleeping.If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, o
es brightness of the display.If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should el
es brightness of the display.If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should el
educes brightness of the display.If you enable this policy setting, you must provide a value, in percentage, indicating the display brightness
educes brightness of the display.If you enable this policy setting, you must provide a value, in percentage, indicating the display brightness
ns off the computer's display. If you enable this policy setting, Windows automatically adjusts the setting based on what users do with t
ns off the computer's display. If you enable this policy setting, Windows automatically adjusts the setting based on what users do with t
.If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns
.If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns
w.If you enable this policy setting, desktop background slideshow is enabled.If you disable this policy setting, the desktop background slide
w.If you enable this policy setting, desktop background slideshow is enabled.If you disable this policy setting, the desktop background slide
ptions in Recovery (in Control Panel) to restore the computer to the original state or from a user-created system image. If you enable or
so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Rem
mputer.If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsol
puter.If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use in
ng control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.The "Displ
rementally scaled from "No optimization" to "Full optimization". Each incremental setting includes the previous optimization setting.For e
folder under Remote Assistance.If you enable this policy setting, log files are generated.If you disable this policy setting, log files are not ge
n the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all se
requested.The constrained delegation model, introduced in Windows Server 2003, does not report that delegation was enabled on a secu
tem, and how much information it maintains. Basic state information, which consists only of the most commonly needed state data, is req
n error occurs.Extended error information includes the local time that the error occurred, the RPC version, and the name of the computer o
ting to RPC servers.This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with cautio
g is useful in cases where a network agent like an HTTP proxy or a router uses a lower idle connection timeout than the IIS server running
vidual removable storage policy settings. To manage individual classes, use the policy settings available for each class.If you enable this pol
s.If you enable this policy setting, remote users can open direct handles to removable storage devices in remote sessions.If you disable or
his policy setting, execute access is denied to this removable storage class.If you disable or do not configure this policy setting, execute acc
policy setting, read access is denied to this removable storage class.If you disable or do not configure this policy setting, read access is allow
policy setting, write access is denied to this removable storage class.If you disable or do not configure this policy setting, write access is all
setting, read access is denied to these removable storage classes.If you disable or do not configure this policy setting, read access is allowe
setting, write access is denied to these removable storage classes.If you disable or do not configure this policy setting, write access is allow
B Floppy Drives.If you enable this policy setting, execute access is denied to this removable storage class.If you disable or do not configure
oppy Drives.If you enable this policy setting, read access is denied to this removable storage class.If you disable or do not configure this po
oppy Drives.If you enable this policy setting, write access is denied to this removable storage class.If you disable or do not configure this p
e access is denied to this removable storage class.If you disable or do not configure this policy setting, execute access is allowed to this rem
s is denied to this removable storage class.If you disable or do not configure this policy setting, read access is allowed to this removable sto
ss is denied to this removable storage class.If you disable or do not configure this policy setting, write access is allowed to this removable
boot in order to enforce a change in access rights to removable storage devices.If you enable this policy setting, you can set the number of
s policy setting, execute access is denied to this removable storage class.If you disable or do not configure this policy setting, execute acce
olicy setting, read access is denied to this removable storage class.If you disable or do not configure this policy setting, read access is allow
olicy setting, write access is denied to this removable storage class.If you disable or do not configure this policy setting, write access is allo
phones, auxiliary displays, and CE devices.If you enable this policy setting, read access is denied to this removable storage class.If you disa
phones, auxiliary displays, and CE devices.If you enable this policy setting, write access is denied to this removable storage class.If you dis
configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer.If you en
ch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instruction
es of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script.I
e Explorer interface program and creates the desktop.If you enable this policy setting, File Explorer does not start until the logon scripts ha
hat run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup
owerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scrip
owerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you e
This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the
erver Manager with updated information about which roles and features are installed on servers that you are managing by using Server M
dow at logon on Windows Server 2008 and Windows Server 2008 R2. If you enable this policy setting, the Initial Configuration Tasks windo
able this policy setting, Server Manager is not displayed automatically when a user logs on to the server.If you disable this policy setting, Se
res hibernate to be enabled.If you disable or do not configure this policy setting, the local setting is used.
without visible top-level windows to block or cancel shutdown. By default, such applications are automatically terminated if they attempt t
ows you to turn off System Restore configuration through System Protection.System Restore enables users, in the event of a problem, to r
m Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By de
enable this policy setting, you must select an execution level from the drop-down menu. If you select problem detection and troubleshoo
ata.If you enable this policy setting, you must enter the maximum size of scenario data that should be retained in megabytes. Detailed trou
onfigure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Ad
onfigure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Ad
onfigure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Ad
onfigure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Ad
onfigure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Ad
plication and driver compatibility. If you enable this policy setting, the PCA is configured to detect failures during application installation, fa
onfigure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Ad
tates: Regular: Detection, troubleshooting, and recovery of corrupted files will automatically start with a minimal UI display. Windows will
a disk reports a S.M.A.R.T. fault. If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The c
ring And Reporting Technology (S.M.A.R.T.) is a standard mechanism for storage devices to report faults to Windows. A disk that reports a
ng any heap corruption problems.If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically a
upport Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals.If you enable this policy setting, administrator
ft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. For some problems, MSDT may prompt the
with the support provider. MSDT gathers diagnostic data for analysis by support professionals.If you enable this policy setting, users can us
ree states: Prompt for Resolution: Detection, troubleshooting, and recovery of corrupted MSI applications will be turned on. Windows will
ms.If you enable this policy setting, you must choose an execution level. If you choose detection and troubleshooting only, Windows will p
e signed by untrusted publishers.If you enable this policy setting, the scripted diagnostics execution engine validates the signer of any diag
Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers.If you enable or do not
ting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting
setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagn
ems.If you enable or do not configure this policy setting, the DPS enables Windows Memory Leak Diagnosis by default.If you disable this p
able this policy setting, responsiveness events are processed and aggregated. The aggregated data will be transmitted to Microsoft throug
nable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshootin
policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the
e this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting on
policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the
e registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system a
mmands blocked by Windows.If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on
tform Module (TPM) commands.If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM command
rm Module (TPM) commands.If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and
ndard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard U
zation failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authoriza
ard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration fo
usted Platform Module (TPM) owner information. TPM owner information includes a cryptographic hash of the TPM owner password. Cert
administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the locati
two tests of network speed. To determine the network performance characteristics, a connection is made to the file share storing the use
al computer's hard drive when the user logs off. Roaming profiles reside on a network server. By default, when users with roaming profiles
at have not been used within a specified number of days. Note: One day is interpreted as 24 hours after a specific user profile was accesse
s the speed of the connection between a user's computer and the remote server that stores the roaming user profile. When the system de
After an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at
there are open handles to the per-user registry keys. Note: This policy setting should only be used for cases where you may be running int
ws cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a tempo
user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on compu
r profile for roaming user profiles. The default user profile is applied when the user does not respond to messages explaining that any of th
roup Policy based software installation data on their profile deletion. By default Windows deletes all information related to a roaming user
ortion of a user profile. When the number of trials specified by this policy setting is exhausted, the system stops trying. As a result, the use
hen roaming profile users log on to a computer, their roaming profile is copied down to the local computer. If they have already logged on
the server copy of their profile. By default, when a user with a roaming profile logs on to a computer, the roaming profile is copied down to
w network connection with their roaming profile server is detected. If you enable this policy setting, users will be allowed to define wheth
on a user without a remote home directory and without synchronizing roaming user profiles. This policy setting is useful for the cases in w
user profile path for all users logging onto this computer. To use this policy setting, type the path to the network share in the form \\Comp
e (ntuser.dat). This policy setting controls only the uploading of a roaming user profile's registry file (other user data and regular profiles ar
me folder for a logon session. If you enable this policy setting, the user's home folder is configured to the specified local or network location
oss apps. If you enable this policy setting, the advertising ID is turned off. Apps can't use the ID for experiences across apps. If you disable o
t picture, and domain information. If you enable this policy setting, sharing of user name, picture and domain information may be controlle
, even when loading is slow. Also, the system waits for the remote copy when the user is notified about a slow connection, but does not re
ophisticated users, but it might confuse novices. If you enable this policy setting, the file scan window does not appear during file scanning
le Protection file cache. Windows File Protection adds protected files to the cache until the cache content reaches the quota. If the quota i
setting directs Windows File Protection to enumerate and scan all system files for changes. If you enable this policy setting, select a rate fro
e this policy setting, enter the fully qualified local path to the new location in the "Cache file path" box. If you disable this setting or do not
rvice (W32time) for domain controllers including RODCs. If you enable this policy setting, you can specify the following Clock discipline, Ge
this policy setting, you can specify the following parameters for the Windows NTP Client. If you disable or do not configure this policy setti
Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide
his policy setting for the Windows NTP Server, your computer can service NTP requests from other computers. If you disable or do not confi
n use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex In
this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. If you disable or do not configu
etting, the wizard will not run. If you disable this policy setting or set it to Not Configured, the wizard will run.
tore apps. If you enable this policy setting, you can install any LOB Windows Store app (which must be signed with a certificate chain that c
gned in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off: Roamin
If you enable this setting and enable the "Allow all trusted apps to install" Group Policy, you can develop Windows Store apps without
that require an account to sign in. This policy only affects Windows Store apps that support it. If you enable this policy setting, Windows S
ktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store
sktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI schem
at were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a com
his setting affects the launching of 16-bit applications in the operating system. You can use this setting to turn off the MS-DOS subsystem, w
ell extension is visible on the property context-menu of any program shortcut or executable file. The compatibility property page displays
of the loader and looks through a compatibility database every time an application is started on the system. If a match for the applicatio
ry is a mechanism that tracks anonymous usage of specific Windows system components by applications. Turning Application Telemetry off
es applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose
ors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with re
by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers
mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new be
s policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. If you disable or do not configure this policy setting,
hen a device is connected. If you enable this policy setting, AutoPlay prompts the user to choose what to do when a device is connect
nerally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media
drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.
unt Control (UAC) permissions using biometrics. By default, domain users cannot use biometrics to log on. If you enable this policy setting,
you enable or do not configure this policy setting, the Windows Biometric Service is available, and users can run applications that use biom
missions using biometrics. By default, local users will be able to log on to the local computer, but the "Allow domain users to log on using b
ve before the switch is initiated. By default, a fast user switch event is active for 10 seconds before becoming inactive. If you enable this po
Encryption setup wizard prompts the user to enter the location of a folder in which to save the recovery password. This policy setting is app
Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already
Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already
play and specify BitLocker recovery options. This policy is only applicable to computers running Windows Server 2008 or Windows Vista. T
his policy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encrypt data. This policy setting app
abled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows yo
Locker Drive Encryption recovery information. This provides an administrative method of recovering data encrypted by BitLocker to preve
cker-protected drive. This policy setting is applied when you turn on BitLocker. The object identifier is specified in the enhanced key usage
n be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Window
he absence of the required credentials. This policy setting is applied when you turn on BitLocker. The "Allow data recovery agent" check bo
data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can imp
drives. If you choose to permit the use of a password, you can require that a password be used, enforce complexity requirements on the
s to the BitLocker-protected fixed data drives on a computer. If you enable this policy setting smart cards can be used to authenticate user
ritable on a computer. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, all fixed data drives that ar
his policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if en
ocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This p
wired Local Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automa
grity provider for BitLocker operating system drives. Secure Boot ensures that the PC's pre-boot environment only loads firmware that is di
ered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. The "Allow certificate
tartup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have
rity hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or
rity hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or
rity hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or
ting system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption
ting system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requi
ocker volume PINs, provided they are able to provide the existing PIN first. This policy setting is applied when you turn on BitLocker. If you e
e-boot environment, even if the platform lacks pre-boot input capability. The Windows touch keyboard (such as that used by tablets) isn't
his policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if en
h time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is ap
able to set up an additional authentication method that is required each time the computer starts. This policy setting is applied when you
Windows is started following BitLocker recovery. If you enable this policy setting, platform validation data will be refreshed when Windows
ng platform validation. If you enable this policy setting, you will be able to add additional settings, remove the default settings, or both. If y
em can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or W
ed in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The "Allow data recovery agent" ch
able data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption ca
e data drives. If you choose to allow use of a password, you can require a password to be used, enforce complexity requirements, and con
s to BitLocker-protected removable data drives on a computer. If you enable this policy setting smart cards can be used to authenticate us
ed when you turn on BitLocker. When this policy setting is enabled you can select property settings that control how users can configure Bi
write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mo
his policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if en
try user experiences. If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the
levate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application
prevent a Trojan horse or other types of malicious code from stealing the user's Windows credentials. Note: This policy affects nonlogo
e deployed as compressed files, either digitally signed or unsigned. If you enable this setting, gadgets that have not been digitally signed w
ormation or utilities on the desktop. If you enable this setting, desktop gadgets will be turned off. If you disable or do not configure this setti
enable this setting, Windows will not run any user-installed gadgets. If you disable or do not configure this setting, Windows will run user-i
user to view items on the Windows desktop as they are being flipped through in three dimensions. If you enable this policy setting, Flip 3D
ng, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. If you disable or do not confi
ckground will use a solid color. If you disable or do not configure this policy setting, the Start background will use the default visuals. Note:
y setting, you prevent users from changing the default window frame color. If you disable or do not configure this policy setting, you allow
or. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a colo

with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the use
until the user has successfully completed the scenarios. If this setting is enabled, Windows will not show any help tips to the user.

at Reader, and Oracle Java

effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is e
efinition Language (SDDL) string. If you enable this policy setting, only those users matching the security descriptor can access the log. If you
ble this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not co
e Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified i
tting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kil
effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is e
efinition Language (SDDL) string. You cannot configure write permissions for this log. If you enable this policy setting, only those users whos
ble this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not co
e Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified i
tting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kil
effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is e
efinition Language (SDDL) string. If you enable this policy setting, only those users matching the security descriptor can access the log. If you
ble this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not co
e Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified i
tting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kil
can be written to this log. If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regar
effect only if the "Retain old events" policy setting is enabled. If you enable this policy setting and the "Retain old events" policy setting is e
efinition Language (SDDL) string. If you enable this policy setting, only users whose security descriptor matches the configured value can ac
ble this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not co
e Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified i
tting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kil

e this value if you want to use a different Web server to handle event information requests.
the Family Safety control panel is visible on a domain joined computer. If you disable or do not configure this policy setting, the Family Saf
ou enable this policy setting, file shortcut icons are allowed to be obtained from remote paths. If you disable or do not configure this polic
een helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sen
to the IPropertySetStorage implementation, and to include the intermediate layers provided by the Property System. This behavior is con
e based on file types (e.g. *.txt) or protocols (e.g. http:) If this group policy is enabled, no notifications will be shown. If the group policy is
machines reside. If you enable this policy setting, administrators can specify a path where all default Library definition files for users reside
ns file type and protocol default application associations. This file can be created using the DISM tool. For example: Dism.exe /Online /Expo
program that is blocked by policy.
ate option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). If you disable this policy settin
shown in the User Tile menu. If you disable this policy setting, the lock option will never be shown in the User Tile menu. If you do not confi
n will be shown in the Power Options menu (as long as it is supported by the machine's hardware). If you disable this policy setting, the sle
File Explorer windows are opened. If you enable this policy setting, you can set how the ribbon appears the first time users open File Explo
t terminating Explorer.
ithout terminating Explorer immediately, although Explorer may still terminate unexpectedly later.
her than in numerical order. If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111
ve. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the func
edirection, and the new and old targets point to the same network share, but have different network paths. If you enable this policy setting
ous versions could come from the on-disk restore points or from backup media. If you enable this policy setting, users cannot list or restore
ous versions come from the on-disk restore points on the file share. If you enable this policy setting, users cannot list or restore previous ve
version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. If you enable this po
n the user has selected a previous version of a local file. If you enable this policy setting, the Restore button is disabled when the user select
n the user has selected a previous version of a local file, in which the previous version is stored on a backup. If you enable this policy setting
ser has selected a previous version of a file on a file share. If you enable this policy setting, the Restore button is disabled when the user se
not be activated to create regular, automatic backups. If you disable or do not configure this policy setting, File History can be activated to
this setting, game information including box art and ratings will not be downloaded. If you disable or do not configure this setting, game in
s setting, game update information will not be downloaded. If you disable or do not configure this setting, game update information will b
of games will not be recorded in Games folder. This setting only affects the Games folder. If you disable or do not configure this setting, th
add their computer to a homegroup on a private network. If you enable this policy setting, users cannot add computers to a homegroup.
u enable this policy setting, Internet Information Services (IIS) cannot be installed, and you will not be able to install Windows components
g, the location feature is turned off, and all programs on this computer are prevented from using location information from the location fe
ipts for the location feature will not run. If you disable or do not configure this policy setting, all location scripts will run.
, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. If you disable or do not configure t
ble this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use
aintenance activation boundary is the daily scheduled time at which Automatic Maintenance starts. If you enable this policy setting, thi
e maintenance random delay is the amount of time up to which Automatic Maintenance will delay starting from its Activation Boundary.
nance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note
e it for controlling their computers remotely.
rsion of the 802.1x Enforcement Client component. If you enable this policy setting, NAP allows the Windows XP version of the 802.1x Wire
. If you enable this policy setting, you can enter a TCP port number for the Network Projector. If you select a TCP port that is already in us
to a network projector. If you enable this policy setting, users cannot use the Connect to a Network Projector Wizard to connect to a proje
By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links. If yo
onds, between synchronization retries in the event that a synchronization attempt fails. If you enable this policy setting, the specified retry
at Password Synchronization can attempt, in the event a synchronization attempt fails. If you enable this policy setting, the number of retri
n. If you enable this policy setting, all affected computers that are running Password Synchronization log intermediate steps for password s
NIS) password synchronization for UNIX-based user accounts that have been migrated to Active Directory Domain Services. If you enable t
Go workspace. If you enable this setting, Windows, when started from a Windows To Go workspace, can hibernate the PC. If you disable or
workspace. If you enable this setting, Windows, when started from a Windows To Go workspace, can't use standby states to make the PC s
Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options Control
s presentation settings cannot be invoked. If you disable this policy setting, Windows presentation settings can be invoked. The presentatio
nse server will offer Remote Desktop Services client access licenses (RDS CALs). You can use this policy setting to control which RD Session
nse (RDS CAL) a Remote Desktop Services license server will issue to clients connecting to RD Session Host servers running other Windows-
rdp) files and .rdp files from unknown publishers on the client computer. If you enable or do not configure this policy setting, users can run
from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client,
ion Host server when the client cannot authenticate the RD Session Host server. If you enable this policy setting, you must specify one of t
u enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save
edentials for a remote connection to an RD Session Host server. If you enable this policy setting, a user will be prompted on the client com
nts that represent trusted Remote Desktop Protocol (.rdp) file publishers. If you enable this policy setting, any certificate with an SHA1 thu
ktop Protocol. If you enable this policy setting, Remote Desktop Protocol traffic will only use the TCP protocol. If you disable or do not confi
rom this computer. Redirected RemoteFX USB devices will not be available for local usage on this computer. If you enable this policy settin
ost server if a virtual IP address is not available. If you enable this policy setting, the IP address of the RD Session Host server is not used if a
er used for virtual IP addresses. The IP address and network mask should be entered in Classless Inter-Domain Routing notation; for exam
r fully installed applications. Windows Installer allows one instance of the msiexec process to run at a time. By default, Windows Installer R
ote Desktop IP Virtualization is turned off. If you enable this policy setting, Remote Desktop IP Virtualization is turned on. You can select the
ost server if a virtual IP address is not available. If you enable this policy setting, the IP address of the RD Session Host server is not used if a
rvices. If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect re
ns on an RD Session Host server if their network link is temporarily lost. By default, a maximum of twenty reconnection attempts are mad
D Session Host server is consistent with the client state. After an RD Session Host server client loses the connection to an RD Session Host s
sole of a server can log off an administrator currently logged on to the console. This policy is useful when the currently connected administ
erver. You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is e
able this policy setting, users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or d
work quality (bandwidth and latency). You can choose to disable Connect Time Detect, Continuous Network Detect, or both Connect Time D
RDP) access to this server. If you enable this policy setting, you must specify if you would like RDP to use UDP. You can select one of the follo
ession based on the option selected. Select the desired level of control and permission from the options list: 1. No remote control allowed:
he Start screen to the user. By default, when a new user signs in to a computer, the Start screen is shown and apps are registered in the ba
s sessions on the same RD Session Host server, based on the number of sessions and the demand for processor time within each session.
d video output in a Remote Desktop Services session. Users can specify where to play the remote computer's audio output by configuring t
a Remote Desktop Services session. Users can specify whether to record audio to the remote computer by configuring the remote audio se
mote Desktop Services session. If you enable this policy setting, clients that are capable of time zone redirection send their time zone infor
tion) between a remote computer and a client computer during a Remote Desktop Services session. You can use this setting to prevent use
remote computer in a Remote Desktop Services session. You can use this setting to prevent users from redirecting data to COM port perip
rvices session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives a
emote Desktop Services session. You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remo
ervices session. If you enable this policy setting, Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Ser
Windows Portable Devices, to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services allows red
on. Limiting the quality of audio playback can improve connection performance, particularly over slow links. If you enable this policy settin
n there are problems with RD Licensing that affect the RD Session Host server. By default, notifications are displayed on an RD Session Hos
DS CAL) that is required to connect to this RD Session Host server. You can use this policy setting to select one of two licensing modes: Per
ate Remote Desktop license servers. If you enable this policy setting, an RD Session Host server first attempts to locate the specified licens
e Desktop Services sessions. You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a prin
default printer in a session on an RD Session Host server. By default, Remote Desktop Services automatically designates the client default
ed in Remote Desktop Services sessions. If you enable this policy setting, only the default client printer is redirected in Remote Desktop Se
y default, the RD Session Host server fallback printer driver is disabled. If the RD Session Host server does not have a printer driver that m
d first to install all client printers. If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remo
ive. This policy setting only applies to a computer on which the Remote Desktop Session Host role service is installed. Note: If you want to
ming user profiles. By default, Remote Desktop Services stores all user profiles locally on the RD Session Host server. You can use this polic
as the root of the user's home directory for a Remote Desktop Services session. To use this setting, select the location for the home direct
for all users connecting remotely to the RD Session Host server. If you enable this policy setting, Remote Desktop Services uses the path sp
nection Broker uses the farm name to determine which RD Session Host servers are in the same RD Session Host server farm. Therefore, y
erver uses to track and redirect user sessions for a load-balanced RD Session Host server farm. The specified server must be running the Re
Connection Broker. RD Connection Broker tracks user sessions and allows a user to reconnect to their existing session in a load-balanced
cts to an existing Remote Desktop Services session in a load-balanced RD Session Host server farm. This setting applies to an RD Session Ho
ature to balance the load between servers in an RD Session Host server farm. If you enable this policy setting, RD Connection Broker redire
p sessions. This policy setting does not apply to RemoteApp sessions. Desktop composition provides the user interface elements of Window
emote computer or an initial program can run. It can be used to require that the desktop be displayed after a client connects to a remote c
m to use. By default, servers use an RDP compression algorithm that is based on the server's hardware configuration. If you enable this poli
omputer by using Remote Desktop Connection. You can use this policy setting to balance the network bandwidth usage with the visual qu
op Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available
Font smoothing provides ClearType functionality for a remote connection. ClearType is a technology for displaying computer fonts so that
mote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server
Services. You can use this setting to enforce the removal of wallpaper during a Remote Desktop Services session. By default, Windows XP P
ktop Services connections. You can use this policy setting to set a limit on the color depth of any connection that uses RDP. Limiting th
onitor used to display a Remote Desktop Services session. Limiting the resolution used to display a remote session can improve connection
e Desktop Services session. Limiting the number of monitors to display a Remote Desktop Services session can improve connection perfor
og box in Remote Desktop Services sessions. You can use this policy setting to prevent users from using this familiar method to disconnect
p clients. You can use this setting to prevent inexperienced users from logging off from Remote Desktop Services inadvertently. If the statu
can use this setting to specify a program to run automatically when a user logs on to a remote computer. By default, Remote Desktop Serv
upport for transparency, live thumbnails, and seamless application moves. This policy setting applies only to RemoteApp programs and doe
esktop Services sessions on a Remote Desktop Session Host (RD Session Host) server. If you enable this policy setting, all Remote Desktop S
ualization Host (RD Virtualization Host) server and a Remote Desktop Session Host (RD Session Host) server. When deployed on an RD Virtu
esktop Services sessions. Remote sessions on the remote computer are then optimized to support this visual experience. By default, Remo
Desktop Connection (RDC) connections that use RemoteFX. You can use this policy to balance the network bandwidth usage with the type
ord upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they
sions for the Remote Desktop Session Host server. You can use this setting to prevent administrators from making changes to the user gro
ll clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allo
ications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this policy setting,
ons to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authe
certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Session Host s
unications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this
nstead of disconnecting it. You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and th
p Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy setting, you must select
es session can be active before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in th
ssions. You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By
nected state after closing all RemoteApp programs before the session is logged off from the RD Session Host server. By default, if a user cl
y folders at logoff. You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user lo
mporary folders. You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each sessio
g has no impact on the Windows RSS Platform. If you enable this policy setting, the user cannot access the feed list in the Favorites Center.
ed or Web Slice is available for an associated webpage. If you enable this policy setting, the user does not receive a notification on the tool
eed to the user's computer. If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through th
ble this policy setting, the menu command to subscribe to a feed and the menu command to delete a feed are disabled, and access to Web
you enable this policy setting, the ability to synchronize feeds and Web Slices in the background is turned off. If you disable or do not confi
cheme over an unencrypted HTTP connection. If you enable this policy setting, the Windows RSS Platform authenticates feeds to servers by
earch. The value of this text should be: name,url For example: Intranet,http://intranetsearch.aspx?k=$w You must provide the following: 1) A
earch location defined in the Add Primary Intranet Search Location policy. The value of this text should be: name1,url1;name2,url2;...nameN
will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting, the search service compo
you enable this policy setting, words that only differ in diacritics are treated as different words. If you disable this policy setting, words with
it relies on indexing history. If you enable this policy setting, Windows will always use automatic language detection to index (as it did in W
e rich attachment previews. When this policy is disabled or not configured the default settings will be set to .bmp;.emf;.gif;.jpg;.jpeg;.png;.
r may override these paths and include them in indexing.
ese paths and exclude them from indexing.
ven when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Defau
s. If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drive
this policy is disabled or not configured, the Web option is available and users can search the Web via their default browser search engine
if the web results are displayed in Search. If you enable this policy setting, queries won't be performed on the web and web results won't
metered connections, and if the web results are displayed in Search. If you enable this policy setting, queries won't be performed on the w
server. This policy affects only delegate mailboxes that are online. Microsoft Outlook 2007 allows users to cache portions of delegate mail
utlook is not running in cached mode. The default behavior for search is to not index uncached Exchange folders. Disabling this policy will b
online mail is indexed on a Microsoft Exchange server. The lower you set this policy, the lower the burden will be on the corresponding M
exing Options in Control Panel. Any UNC locations that have already been added to the index by the user will not be removed. When this p
tions menu as well as any defined locations that were made by a user. When this policy is not configured, the default behavior is to allow u
able this policy setting, Windows Search is prevented from automatically adding shared folders to the index. Windows Search does not au
wsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will us
ns dialog. Otherwise it can be opened. Disabled by default.
enter any path that starts with one of the paths you specified. If you enable and then disable this policy setting, users can index any path n
ndexing service components (including non-Microsoft components) are expected not to index e-mail attachments. Consider enabling this p
ed. Disabled by default.
y index Outlook items. If this policy is enabled then the user's Outlook items will not be added to the index and the user will not see them
nnot modify this list. You should separate each extension type with a semicolon. Note that limitations of Group Policy Object Editor require
disabled or not configured, the user has the option to index cached public folders in Outlook. Public folders are only indexed when using O
g follows the default behavior. Default is disabled.
the Control Panel. If you enable this policy setting, the Advanced Options dialog for Search and Indexing Options in the Control Panel canno
ess they are specified in the allow list. However, this policy will not prevent iFilters or protocol handlers from being installed, nor will it pre
You can also turn off the preview pane. The four options are: - Auto - Right - Bottom - Off. You should consider enabling this policy to turn off
sktop Search results. The two options are: - Large Icon - Small Icon. If you have disabled the preview pane because your organization does n
rch. If you enable this policy setting, you can specify one of three SafeSearch settings, which users won't be able to change: - Strict: Filter
this policy setting, you can specify one of four settings, which users won't be able to change: - User info and location: Share a user's sear
drive space is left on the same drive as the index location. Select between 0 and 2147483647 MB. Enable this policy if computers in your en
d to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the c
Network Information Service (NIS) maps to NIS subordinate servers. If you enable this policy setting, the map update interval specified in th
ning Server for Network Information Service (NIS). If you enable this policy setting, intermediate steps of NIS map updates or propagations
efore proceeding with the system shutdown. If you enable this policy setting, the system waits for the hung logon sessions for the number
mote shutdown interface is needed in order to shut down this system from a remote Windows XP or Windows Server 2003 system. If you e

nd users from saving files on SkyDrive. If you enable this policy setting, files will be saved locally by default. Users will still be able to chang
r logon. In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU
mart card can be used to log on to a domain. If you enable this policy setting, ECC certificates on a smart card can be used to log on to a do
e logon User Interface (UI). In order to use the integrated unblock feature your smart card must support this feature. Please check with you
r logon. If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logo
yet valid. Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certific
evation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. If you e
s policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then
enable this policy setting, the specified message will be displayed to the user when the smart card is blocked. Note: The following policy s
ficate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusio
During logon Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in
card device driver is installed. If you enable or do not configure this policy setting, a confirmation message will be displayed when a smart c
this policy setting, Credential Manager does not return a plaintext PIN. If you disable or do not configure this policy setting, plaintext PINs
playing it during logon. By default the user principal name (UPN) is displayed in addition to the common name to help users distingu
s inserted. If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card. If yo
ard is inserted. If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart
r do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device d
that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. If you enabl
g, the automatic download and installation of app updates is turned off. If you disable this setting, the automatic download and installation
e this setting, the automatic download of app updates is turned off. If you disable this setting, the automatic download of app updates is tu
tting, the Store application will not offer updates to the latest version of Windows.If you disable or do not configure this setting the Store ap
ation is denied. Access to the Store is required for installing app updates. If you disable or don't configure this setting, access to the Store ap
he "sync your settings" page in PC Settings. If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync yo
app settings" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "app settings" group will not be syn
Sync" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "AppSync" group will not be synced. Use th
wser" group on the "sync your settings" page in PC settings. The "browser" group contains settings and info like history and favorites. If you
sables the "desktop personalization" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "desktop pe
bles "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings. If you enable this policy setting, sy
sables the "Other Windows settings" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "Other Win
sswords" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "passwords" group will not be synced. U
ersonalize" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "personalize" group will not be synce
tart layout" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "Start layout" group will not be s
his policy, the InkBall game will run. If you do not configure this policy, the InkBall game will run.
ver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. If you disable this
un. If you disable this policy setting, the Snipping Tool will run. If you do not configure this policy setting, the Snipping Tool will run.
run. If you disable this policy, the Windows Journal accessory will run. If you do not configure this policy, the Windows Journal accessory wi
visual pen action feedback is disabled except for press and hold feedback. Additionally, the mouse cursors are shown instead of the pen c
that subscribe to this behavior. If you enable this policy, a button assigned to Back will not map to ESC. If you disable this policy, Back->ESC
s policy, applications cannot be launched from a hardware button, and "Launch an application" is removed from the drop down menu for
. If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: "Som
ns are pressed, and the buttons tab in Tablet PC Control Panel will be removed. If you disable this policy, user and OEM defined button acti
Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab w
here this behavior is available. This policy applies only when using a tablet pen as an input device. Tablet PC Input Panel is a Tablet PC acce
here this behavior is available. This policy applies only when a user is using touch input. Tablet PC Input Panel is a Tablet PC accessory that
xt. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. Th
s a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard short
s where this behavior is available. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keybo
Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default, preventing users from switching
shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. The tolerant gestures let users scratch out in
learning mode is not. Pen flicks are off by default and can be turned on system-wide, but cannot be restricted to learning mode applicatio
ed features are unavailable. This includes: pen flicks themselves, pen flicks training, pen flicks training triggers in Internet Explorer, the pen
aining. If you disable or do not configure this policy setting, users can open Tablet PC Pen Training.
puter using their finger. If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch
compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on th
the last page of the Scheduled Task Wizard. This policy is only designed to simplify task creation for beginning users. The checkbox, when
e Properties item from the File menu in Scheduled Tasks and from the context menu that appears when you right-click a task. As a result, u
k items from the context menu that appears when you right-click a task. As a result, users cannot start tasks manually or force tasks to end
scheduled program for existing tasks. This setting removes the Browse button from the Schedule Task Wizard and from the Task tab of the
s folder. This setting disables the Cut, Copy, Paste, and Paste Shortcut items on the context menu and the Edit menu in Scheduled Tasks. It
s the New Task Wizard. Also, the system does not respond when users try to move, paste, or drag programs or documents into the Schedu
command from the Edit menu in the Scheduled Tasks folder and from the menu that appears when you right-click a task. Also, the system
sonal calendars, publishing them, and subscribing to other users' calendars. If you enable this setting, Windows Calendar will be turned off. I
licy setting, users cannot install new color profiles or uninstall previously installed color profiles. If you disable or do not configure this polic
Microsoft Operations Manager server. If you disable this setting uploads are not redirected to a Microsoft Operations Manager server. If you
tudy is being conducted. If you enable this setting then Windows CEIP data uploaded will be tagged. If you do not configure this setting or d
when antivirus and antispyware definitions are disabled. It is recommended that this setting remain disabled.If you enable this setting, the
will allow for faster service startup, but may impact performance. If you enable or do not configure this setting, the antimalware service w
re merged with Group Policy settings. This setting applies to lists such as threats and Exclusions.If you enable or do not configure this setti
unicating with the specified IP addresses. The address value should be entered as a valid URL. If you enable this setting, the proxy server w
empts to connect to the network for definition updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the fo
d the scheduled definition update start time. This setting is used to distribute the resource impact of scanning. For example, it could be us
n all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action, user-de
does not run, and computers are not scanned for malware or other potentially unwanted software. If you disable or do not configure this p
hey need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the co
ey need to perform the following actions: Run a full scan; Download the latest virus and spyware definitions; Download Standalone System Sw
om, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair,
pecified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed a
of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be ad
ng can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable
helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. Yo
f known vulnerabilities will be logged. Logging will be limited to not more often than one event per the defined interval. The interval value
on set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should b
oits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it ag
its of known vulnerabilities. If you enable or do not configure this setting, protocol recognition will be enabled. If you disable this setting, pr
m inspecting the specified IP addresses. IP addresses should be added under the Options for this setting. Each entry must be listed as a nam
sabled. Port numbers should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name
ocess names should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be
ection. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should
uld be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy. If you enable this setting, the local
being removed. If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. If you disab
m activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take pri
utgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority ove
es and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority ov
ng can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable
ploits of known vulnerabilities. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take p
his setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you
g to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but for pe
t will be scanned. If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned. If you disable
o not configure this setting, monitoring for file and program activity will be enabled. If you disable this setting, monitoring for file and prog
enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. If you disable this setting, scanni
fender alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer.If you enable this
s setting, behavior monitoring will be enabled. If you disable this setting, behavior monitoring will be disabled.
tting, IPC will be enabled. If you disable or do not configure this setting, IPC will be disabled.
es. If you enable or do not configure this setting, the network protection will be enabled. If you disable this setting, the network protection
This helps to catch malware which could start when real-time protection is turned off. If you enable or do not configure this setting, a proc
If you enable or do not configure this setting, raw write notifications will be enabled. If you disable this setting, raw write notifications will be d
l scan to complete remediation. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take
an in order to complete remediation. The scan can also be configured to run every day or to never run at all. This setting can be configured
order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is
te moves to either the "additional action" state or the "cleared" state.
te moves to the "cleared" state.
s to the "cleared" state.
moves to the "cleared" state.
o not configure this setting, Watson events will be sent. If you disable this setting, Watson events will not be sent.

ftware Tracing). Tracing levels are defined as: 1 - Error; 2 - Warning; 3 - Info; 4 - Debug
u enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. If you d
occur before running a scan. This setting applies to scheduled scans as well as the command line "mpcmdrun -SigUpdate", but it has no eff
utilization during scan. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority o
g can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable o
s setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you di
ng can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable o
cheduled scan. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Gr
to cleaning. If you enable this setting, a system restore point will be created. If you disable or do not configure this setting, a system restor
g, mapped network drives will be scanned. If you disable or do not configure this setting, mapped network drives will not be scanned.
chive files such as .ZIP or .CAB files. If you enable or do not configure this setting, archive files will be scanned. If you disable this setting, arc
not enable this setting. If you enable this setting, network files will be scanned. If you disable or do not configure this setting, network files
this type of scanning remain enabled. If you enable or do not configure this setting, packed executables will be scanned. If you disable this
ed software in the contents of removable drives, such as USB flash drives, when running a full scan. If you enable this setting, removable dr
The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number va
is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, int
s such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. If you enable this setting, archive files will be sc
g a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no
t will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
ons are: 1 = Quick Scan (default); 2 = Full Scan. If you enable this setting, the scan type will be set to the specified value. If you disable or do no
time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default,
me value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, t
ut not in use. If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use. If you dis
a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer w
is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the compute
gine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e
before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do no
being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept foreve
canned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scan
if the Automatic Updates default server is configured to another download source such as Windows Update. If you enable this setting, defi
ery power. If you enable or do not configure this setting, definition updates will occur as usual regardless of power state. If you disable this s
individual definitions in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable definitions th
Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest definition update has definitions for a
occur immediately after service startup. If you enable this setting, a check for new definitions will occur after service startup. If you disable
s. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the d
will be required. By default, the value of this setting is 1 day. If you enable this setting, a catch-up definition update will occur after the spe
ns are considered out of date. If definitions are determined to be out of date, this state may trigger several additional actions, including fal
e considered out of date. If definitions are determined to be out of date, this state may trigger several additional actions, including falling
be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order. P
re engine present. If you enable or do not configure this setting, definition updates will be initiated on startup when there is no antimalwar
s. The check can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal numbe
e value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day). If you e
time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default
has occurred. If you enable or do not configure this setting, a scan will start following a definition update. If you disable this setting, a scan w
h threat alert level. Threat alert levels should be added under the Options for this setting. Each entry must be listed as a name value pair. T
t is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The
e sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other tha
en Windows Error Reporting is enabled. This policy setting does not enable or disable Windows Error Reporting. To turn Windows Error Re
ges to the system event log. If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. If yo
her Microsoft or internal servers within your organization when software unexpectedly stops working or fails. If you enable this policy setti
or. If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the err
oft automatically. If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting r
vel report data even if a CAB file containing data about the same event types has already been uploaded to the server. If you enable this po
y setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors. If you disable or do n
nning on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload add
olicy that restricts the amount of data that is sent over the network. If you enable this policy setting, WER does not check for network cost
ou do not want to send error reports to Microsoft). If you enable this policy setting, you can specify the name or IP address of an error repo
olicy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for ea
ble this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pul
dows Error Reporting is enabled. If you enable this policy setting, you can instruct Windows Error Reporting in the Default pull-down menu
rors. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applic
Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in error
n Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in err
orting is enabled. If you enable this policy setting, Windows Error Reporting includes operating system errors. If you disable this policy settin
reporting is enabled. If you enable this policy setting, error reporting includes unplanned shutdown events. If you disable this policy setting
le this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that
ypes. If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name
ustom consent settings. If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other co
tem administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installatio
able this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files
are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or up
ons. If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs,
m on the system. If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for program
he. The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is u
u enable this policy setting, strict upgrade rules will be enforced by the Windows Installer which may cause some upgrades to fail. Upgrad
ackages on the system can run embedded UI. If you disable or do not configure this policy setting, embedded UI is allowed to run.
g the user. If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a pro
olicy setting, users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those
ng, all Patch Optimization options are turned off during the installation. If you disable or do not configure this policy setting, it enables fast
ly signed by the application vendor. Non-administrator updates provide a mechanism for the author of an application to create digitally sig
d updates. This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment
se an interrupted or unsuccessful installation. If you enable this policy setting, Windows Installer is prevented from recording the original st
anager API can eliminate or reduce the number of system restarts that are required to complete an installation or update. If you enable th
led and use the drop-down list to select the behavior you want. If you do not configure this policy setting, or if the policy setting is enabled
mponents to an installed program. If you enable this policy setting, the Browse button beside the "Use feature from" list in the Window
m files consist of instructions to modify or customize a program during installation. If you enable this policy setting, the transform file is sa
n. The log, Msi.log, appears in the Temp directory of the system volume. When you enable this policy setting, you can specify the type
an application is installed. System Restore enables users, in the event of a problem, to restore their computers to a previous state withou
ng property in an installation package can be used to enable automatic logging of all install operations for the package. If you enable this p
, no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Co
vent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You
AS). If you enable this policy setting, you have one of four options: If you set this policy setting to "None," user mode software cannot simula
nd logon failures to the user. For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional lev
ontacted during logon and he has been logged on using previously stored account information. If enabled, a notification popup will be disp
Windows Update restarts the system. If you enable or do not configure this policy setting, the device securely saves the user's credentials (

ndows Mail application is denied. If you disable or do not configure this setting, access to the Windows Mail application is allowed.
tal media player and video recorder that allows users to organize and play music and videos, and to view and record live television. If you e
t). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrade
Media Player is in skin mode. If you enable this policy setting, the anchor window is hidden when the Player is in skin mode. In addition, the
etting, the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows M
s desktop. If you enable this policy setting, users cannot add the Player shortcut icon to their desktops. If you disable or do not configure th
is policy setting, any user on this computer is prevented from sharing digital media content from Windows Media Player with other compu
nch bar. If you enable this policy setting, the user cannot add the shortcut for the Player to the Quick Launch bar. If you disable or do not co
tting, video smoothing is prevented, which can improve video playback on computers with limited resources. In addition, the Use Video Sm
setting, Windows Messenger does not run. If you disable or do not configure this policy setting, Windows Messenger can be used. Note: If
this policy setting, Windows Messenger is not loaded automatically when a user logs on. If you disable or do not configure this policy settin
able to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not
elp cmdlet. If you enable this policy setting, the Update-Help cmdlet will use the specified value as the default value for the SourcePath par
able this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Ev
d to run. If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The "Allow only signed scripts" policy
bilityStabilitymetrics and Win32_ReliabilityRecords to provide data to Reliability Monitor in the Action Center control panel, and to respon
nt uses Basic authentication. If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTT
nt uses CredSSP authentication. If you enable this policy setting, the WinRM client uses CredSSP authentication. If you disable or do not con
nt sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unen
nt uses Digest authentication. If you enable this policy setting, the WinRM client does not use Digest authentication. If you disable or do not
nt uses Kerberos authentication directly. If you enable this policy setting, the Windows Remote Management (WinRM) client does not use K
nt uses Negotiate authentication. If you enable this policy setting, the WinRM client does not use Negotiate authentication. If you disable or
nt uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. If you enable this policy setting, the Win
ice accepts Basic authentication from a remote client. If you enable this policy setting, the WinRM service accepts Basic authentication
ice accepts CredSSP authentication from a remote client. If you enable this policy setting, the WinRM service accepts CredSSP authenti
ice automatically listens on the network for requests on the HTTP transport over the default HTTP port. If you enable this policy setting, th
ice sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives une
ice accepts Kerberos credentials over the network. If you enable this policy setting, the WinRM service does not accept Kerberos crede
ice accepts Negotiate authentication from a remote client. If you enable this policy setting, the WinRM service does not accept Negoti
ice will not allow RunAs credentials to be stored for any plug-ins. If you enable this policy setting, the WinRM service will not allow the Run
RM) service with regard to channel binding tokens. If you enable this policy setting, the WinRM service uses the level specified in Harde
s in the Windows Remote Management (WinRM) service. If you enable this policy setting, the HTTP listener always appears. If you
es in the Windows Remote Management (WinRM) service. If you enable this policy setting, the HTTPS listener always appears. If yo
se, new remote shell connections are rejected by the server. If you disable or do not configure this policy setting, new remote shell connec
hell operations on the system. The value can be any number from 1 to 100. If you enable this policy setting, the new shell connections are r
any user activity until it is automatically deleted. Any value from 0 to 0x7FFFFFFF can be set. A minimum of 60000 milliseconds (1 minute)
ated by any active remote shell and all its child processes. Any value from 0 to 0x7FFFFFFF can be set, where 0 equals unlimited memory, w
. If you enable this policy setting, you can specify any number from 0 to 0x7FFFFFFF to set the maximum number of processes per shell. Zero
n on the same system. Any number from 0 to 0x7FFFFFFF can be set, where 0 means unlimited number of shells. If you enable this policy s
Configured.
rupt Windows services nor restart Windows. If the status is set to Enabled, Automatic Updates will immediately install these updates once
ations based on the "Configure Automatic Updates" policy setting. If you enable this policy setting, Windows Automatic Update and Mi
tities other than Microsoft when the update is found on an intranet Microsoft update service location. If you enable this policy setting, Aut
s important updates, instead of first notifying users on the login screen for at least two days. The restart timer can be configured to start w
ble updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For e
gh the Windows automatic updating service. Note: This policy does not apply to Windows RT. This setting lets you specify whether automa
tart. If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the installation is finished. If the sta
wed to be the default choice in the Shut Down Windows dialog. If you enable this policy setting, the user's last shut down choice (Hibernate
l periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other s
ayed in the Shut Down Windows dialog box. If you enable this policy setting, 'Install Updates and Shut Down' will not appear as a choice in
Microsoft update service. If the status is set to Enabled, the specified target group information is sent to the intranet Microsoft update serv
matically wake up the system from hibernation, if there are updates scheduled for installation. Windows Update will only automatically wa
be restarted by any user who is logged on, instead of causing the computer to restart automatically. If the status is set to Enabled, Autom
ed restart. If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for r
eding with a scheduled installation that was missed previously. If the status is set to Enabled, a scheduled installation that did not take plac
rvice to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal
from the Windows Update update service. When this policy is enabled, Automatic Updates will install recommended updates as well as im
about featured software from the Microsoft Update service. Enhanced notification messages convey the value and promote the installatio
affected computer. If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. Th
domain users at your organization. If this setting is enabled, domain-joined client computers will automatically become workplace-joined up
king their PC. If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in w
d, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will n
nd also sets the specified image as the default for all users (it replaces the inbox default image). To use this setting, type the fully qualified
users can change it. If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the spe
ser will not be able to change their lock screen image, and they will instead see the default image.
this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them. If the "Force a
ou enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera cannot be
able this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start.
packs that are installed as part of the system image will remain installed even if they are not used by any user on that system. If you
more than one language is restricted to a specified language. If the specified language is not installed on the target computer or you disab
enus and dialogs for systems with more than one language will follow the language specified by the administrator as the system UI langua
help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing message
es to a company logo. Note: The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The de
s every 15 minutes. If you enable this policy setting, you can configure how often a DFS client attempts to discover domain controllers. Thi
server specified by the job's owner. If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other
dows Branch Cache by default. If you enable this policy setting, the BITS client does not use Windows Branch Cache. If you disabl
s) and a peer caching client (downloading files from its peers). If you enable this policy setting, the computer will no longer use the BIT
s) and a peer caching client (downloading files from its peers). If you enable this policy setting, the computer will no longer cache dow
peer cache that have not been accessed in the past 90 days. If you enable this policy setting, you can specify in days the maximum ag
ilable to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the p
nloading files. When the cumulative download time exceeds this limit, the job is placed in the error state. By default BITS uses a maxim
y a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00
by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if
the maximum number of BITS jobs a user can create. If you enable this policy setting, BITS will limit the maximum number of BITS job
this policy setting to raise or lower the maximum number of user BITS jobs. If you enable this policy setting, BITS will limit the maxim
n. If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number. If you
mber ranges per file. If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the
havior policies further limit the network usage of background transfers. If you enable this policy setting, you can define a default dow
the network bandwidth that is used for background transfers. If you enable this policy setting, you can define a separate set of netwo
sing a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule
After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk.
ntent from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a
t use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of Bran
d cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in th
ociated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is appli
he data cache. If you disable or do not configure this policy setting, the age is set to 28 days. Policy configuration: Select one of the following
e" to enable BranchCache on client computers. In distributed cache mode, client computers download content from BranchCache-enabled
enable BranchCache on client computers. When a client computer is configured as a hosted cache mode client, it is able to download cach
total disk space to allocate for the cache. If you disable or do not configure this policy setting, the cache is set to 5 percent of the total disk
he mode or distributed cache mode clients. To do so, configure one of the following policy settings: - Set BranchCache Distributed Cach
d an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is a
ch as "www.example.com" in addition to single-label names. If you disable this policy setting, or if you do not configure this policy setting,
value representing the DNS suffix. If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections
this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you
name. This is different from a fully qualified domain name such as "example.microsoft.com." Client computers that receive this policy setti
you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have conn
ted to the Nameprep form. If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Namepr
inding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP
xample: microsoft.com. Important: In order for changes to this policy setting to be applied on computers that receive it, you must restart W
the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or a
abel, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if t
these records with a concatenation of its computer name and the primary DNS suffix. By default, a DNS client performing dynamic DNS reg
registered the corresponding A resource record. If you enable this policy setting, registration of PTR records will be determined by the opti
ic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed
NS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a
seconds (for example, 900 is 15 minutes). If you enable this policy setting, the TTL value that you specify will be applied to DNS resource re
abled, IDNs are not converted to Punycode. If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to
nk on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does n
S over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is u
esolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting,
only when nonsecure dynamic updates are refused. Only unsecure - computers send only nonsecure dynamic updates. Only secure - comp
rform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a to
als when manually connecting to the network. If authentication is successful, users will be connected automatically on subsequent attemp
s that have the File Services role and both the File Server and the BranchCache for Network Files role services installed. Policy configuratio
ated based on the data in shared folders where BranchCache is enabled. If you specify only one version that is supported, content informa
nitiate Quality-of-Service requests such as bandwidth estimation and network health analysis. If you enable this policy setting, additional op
vered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation an
quirements for the local system. Thus, it will not allow any passwords to be used for a Peer Group that are weaker than what would be all
boration, content distribution and distributed processing. If you enable this setting, peer-to-peer protocols will be turned off. If you disable
arios. For example, a client computer can detect other computers to initiate chat sessions, but other computers cannot detect that client a
mber. The protocol, in some cases, requires a seed server from which to get bootstrapped. Any node running peer to peer can be used as a
esolution of a name to an IPV6 address and port number. One of the ways in which PNRP bootstraps itself is by using multicast on the sam
address. Other hosts can then resolve the name, retrieve the corresponding address, and establish peer-to-peer (P2P) connections. The P
arios. For example, a client computer can detect other computers to initiate chat sessions, but other computers cannot detect that client a
number. The protocol, in some cases, requires a seed server from which to get bootstrapped. This setting allows for setting the seed server
d resolution of a name to an IPV6 address and port number. One of the ways in which PNRP bootstraps itself is by using multicast on the s
address. Other hosts can then resolve the name, retrieve the corresponding address, and establish peer-to-peer (P2P) connections. The P
arios. For example, a client computer can detect other computers to initiate chat sessions, but other computers cannot detect that client a
number. The protocol, in some cases, requires a seed server from which to get bootstrapped. This setting allows for setting the seed serve
d resolution of a name to an IPV6 address and port number. One of the ways in which PNRP bootstraps itself is by using multicast on the s
address. Other hosts can then resolve the name, retrieve the corresponding address, and establish peer-to-peer (P2P) connections. The P
access only. If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network
ected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was
wall service can run on a computer. Important: This setting is location aware. It only applies when a computer is connected to the same DN
figure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing thr
u disable or do not configure this policy setting, domain users can set a network's location without elevating.
ects to an internal network using DirectAccess, it can access the Internet in two ways: through the secure tunnel that DirectAccess establis
roups of computers. If a computer on that list authenticates using IPsec, Windows Firewall does not block its unsolicited messages. This po
he echo request message. If you do not enable the "Allow inbound echo request" message type, Windows Firewall blocks echo request m
computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these in
opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distributed Comp
can receive Remote Desktop requests. You must specify the IP addresses or subnets from which these incoming messages are allowed. In t
00. If you enable this policy setting, Windows Firewall opens these ports so that this computer can receive Plug and Play messages. You mu
wall: Define inbound port exceptions" policy setting. If you enable this policy setting, the Windows Firewall component in Control Panel allo
ows Firewall: Define inbound program exceptions" policy setting. If you enable this policy setting, the Windows Firewall component in Con
e the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to r
Windows Firewall component in Control Panel. If you enable this policy setting, you can view and change the inbound port exceptions list d
Windows Firewall component in Control Panel. If you enable this policy setting, you can view and change the program exceptions list defin
e Windows Firewall component of Control Panel, the "Block all incoming connections" check box is selected and administrators cannot clea
Firewall prevents the display of these notifications. If you disable this policy setting, Windows Firewall allows the display of these notificatio
mputers, Windows Firewall blocks the unicast responses sent by those other computers. If you disable or do not configure this policy settin
Connection Firewall on your DNS domain network" policy setting. If you disable this policy setting, Windows Firewall does not run. This is t
he echo request message. If you do not enable the "Allow inbound echo request" message type, Windows Firewall blocks echo request m
computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these in
opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distributed Comp
can receive Remote Desktop requests. You must specify the IP addresses or subnets from which these incoming messages are allowed. In t
00. If you enable this policy setting, Windows Firewall opens these ports so that this computer can receive Plug and Play messages. You mu
wall: Define inbound port exceptions" policy setting. If you enable this policy setting, the Windows Firewall component in Control Panel allo
ows Firewall: Define inbound program exceptions" policy setting. If you enable this policy setting, the Windows Firewall component in Con
e the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to r
Windows Firewall component in Control Panel. If you enable this policy setting, you can view and change the inbound port exceptions list d
Windows Firewall component in Control Panel. If you enable this policy setting, you can view and change the program exceptions list defin
e Windows Firewall component of Control Panel, the "Block all incoming connections" check box is selected and administrators cannot clea
Firewall prevents the display of these notifications. If you disable this policy setting, Windows Firewall allows the display of these notificatio
mputers, Windows Firewall blocks the unicast responses sent by those other computers. If you disable or do not configure this policy settin
Connection Firewall on your DNS domain network" policy setting. If you disable this policy setting, Windows Firewall does not run. This is t

rk). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network.
e the options to control the passive polling behavior.
pps that have the Internet Client or Internet Client/Server capabilities. If you enable this policy setting, apps on proxied networks can acces
pps that have the Home/Work Networking capability. If you enable this policy setting, it allows an administrator to configure a set of proxie
ing capability have appropriate access to your corporate network. These addresses are only accessible to apps if and only if the app has d
ork Isolation's automatic proxy discovery in the domain corporate environment. Only proxies configured with Group Policy are authoritativ
off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment. Only network hosts
Offline Files tab. This prevents users from trying to change the option while a setting controls it.If you enable this setting, you can use the "
enable this policy setting, Offline Files is enabled and users cannot disable it.If you disable this policy setting, Offline Files is disabled and us
n the user logs off, the system deletes all local copies of offline files.If you disable this setting or do not configure it, automatically and man
w-link mode, use the "Configure slow-link mode" policy setting.If you enable this policy setting, you can control when Windows synchronize
iles automatically adjust its behavior to avoid excessive synchronization traffic and will not automatically reconnect to a server when the p
er's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file req
he Offline Files tab. This prevents users from trying to change the option while a setting controls it.Automatic caching can be set on any ne
with the specified file extensions in any of the folders that have been made available offline.If you disable or do not configure this policy se
ur in the background when the user's network is roaming, near, or over the plan's data limit. This may result in extra charges on cell phon
ntly cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandw
om the Offline Files cache without proper permissions.If you enable this policy setting, all files in the Offline Files cache are encrypted. Th
y when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to
etting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offl
eriodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displaye
be automatically cached if the user accesses a file on an automatic caching network share.This setting also disables the ability to adjust, th
ction on server disconnect" setting.To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type th
omputer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location.This setting do
ffline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the
oons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first rem
e first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can
ndows will still cache local copies of files that reside on network shares designated for automatic caching.If you disable or do not configur
not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Val
ork offline" command is not displayed in File Explorer.If you disable or do not configure this policy setting, the "Work offline" command is
tting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents
ers do not have the option of excluding subfolders.If you enable this setting, when you make a folder available offline, all folders within tha
rying to change the option while a setting controls it.If you enable this setting, offline files are fully synchronized. Full synchronization ensu
ying to change the option while a setting controls it.If you enable this setting, offline files are fully synchronized at logon. Full synchronizati
on to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files
tion to a networked file and are working on a local copy of the file. Users can then decide how to proceed.If you enable this setting, the sys
ed folders are synchronized at logon. Files and folders that are already available offline are skipped and are synchronized later.If you disab
ers until the number falls below this limit."Outstanding packets" are packets that the Packet Scheduler has submitted to a network adapte
er limits the system to 80 percent of the bandwidth of a connection, but you can use this setting to override the default.If you enable this s
by the value of this entry.If you enable this setting, you can override the default timer resolution established for the system, usually units
n the IP header of the packets.This setting applies only to packets that conform to the flow specification.If you enable this setting, you can
SCP value in the IP header of the packets.This setting applies only to packets that conform to the flow specification.If you enable this settin
ue in the IP header of the packets.This setting applies only to packets that conform to the flow specification.If you enable this setting, you c
DSCP value in the IP header of the packets.This setting applies only to packets that conform to the flow specification.If you enable this setti
in the IP header of the packets.This setting applies only to packets that conform to the flow specification.If you enable this setting, you ca
n the IP header of the packets.This setting applies only to packets that do not conform to the flow specification.If you enable this setting, y
SCP value in the IP header of the packets.This setting applies only to packets that do not conform to the flow specification.If you enable th
ue in the IP header of the packets.This setting applies only to packets that do not conform to the flow specification.If you enable this settin
DSCP value in the IP header of the packets.This setting applies only to packets that do not conform to the flow specification.If you enable t
in the IP header of the packets.This setting applies only to packets that do not conform to the flow specification.If you enable this setting,
of the packets.If you enable this setting, you can change the default priority value associated with the Best Effort service type.If you disabl
r-2 header of the packets.If you enable this setting, you can change the default priority value associated with the Controlled Load service t
der of the packets.If you enable this setting, you can change the default priority value associated with the Guaranteed service type.If you d
er-2 header of the packets.If you enable this setting, you can change the default priority value associated with the Network Control servic
ets.If you enable this setting, you can change the default priority value associated with nonconforming packets.If you disable this setting,
r of the packets.If you enable this setting, you can change the default priority value associated with the Qualitative service type.If you disa
mputer network, by polling and setting terminal values and monitoring network events.A valid community is a community recognized by th
protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monito
manage a computer network by polling and setting terminal values and monitoring network events.This policy setting allows you to config
s policy setting, the factory default cipher suite order is used. SSL2, SSL3, TLS 1.0 and TLS 1.1 cipher suites: TLS_RSA_WITH_AES_128_C
o4 connectivity is not available on the host.If you enable this policy setting, you can specify a relay name for a 6to4 host.If you disable or d
le this policy setting, you can specify the value for the duration at which the relay name is resolved periodically.If you disable or do not con
ss the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of th
e local host settings are used.If you enable this policy setting, you can specify an IP-HTTPS server URL. You will be able to configure IP-HTTP
ATAP router. If you enter an IPv4 address of the ISATAP router in the text box, DNS services are not required.If you disable or do not config
hat is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet.If you disable or do not configure this policy setti
is already in use by a system, the Teredo client will fail to initialize.If you enable this policy setting, you can customize a UDP port for the T
of a dormant state.If you disable or do not configure this policy setting, the local host setting is used.This policy setting contains only one
do server sends a Router Advertisement Packet in response. This periodic packet refreshes the IP address and UDP port mapping in the tra
specify a Teredo server name that applies to a Teredo client.If you disable or do not configure this policy setting, the local settings on the
this policy setting, the local host settings are used.If you enable this policy setting, you can configure Teredo with one of the following setti
e number of autoconfigured addresses and routes.If you disable this policy setting, IP Stateless Autoconfiguration Limits will be disabled an
oxes that don't interpret Window Scaling option correctly.If you do not configure this policy setting, the local host settings are used.If you e
02.11 Wi-Fi, through the Windows Portable Device API (WPD), and via USB Flash drives.Additional options are available to allow discovery
n related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. If you disable or do not config
r radios to reduce power consumption when the machine enters connected standby mode. If this policy setting is not configured or is d
bled. If this policy setting is enabled, when the computer has at least one active connection to the Internet, a new automatic connec
utomatic and manual network connection attempts based on the following circumstances: Automatic connection attempts - Whe
nnection attempts to roaming provider networks are blocked until the client registers with the home provider network. If this policy
e of the following values from the list will set the cost of all WLAN connections on the local machine:- Unrestricted: Use of this connection
values from the list will set the cost of all 3G connections on the local machine:- Unrestricted: Use of this connection is unlimited and not r
g values from the list will set the cost of all 4G connections on the local machine:- Unrestricted: Use of this connection is unlimited and no
on this server. If you disable this policy setting or do not configure it, Internet printing is not activated. Internet printing is an ex
main controller, e.g. a domain-joined laptop on a corporate network.) If this policy setting is disabled, the network scan page will not b
e.g. a domain-joined laptop on a home network.)If this setting is disabled, the network scan page will not be displayed.If this setting is not
ler will not accept client connections nor allow users to share printers. All printers currently shared will continue to be shared.The spooler
rties' Sharing tab to publish shared printers in Active Directory. If you disable this setting, this computer's shared printers cannot be
cts from Active Directory if the computer that published them does not respond to contact requests. When the computer that published t
ove the performance of the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) on machines that have a relatively powerful CPU
Windows print server.If you enable this policy setting on a client machine, the client spooler will not process print jobs before sending them
publishes all shared printers. If you disable this setting, the Add Printer Wizard does not automatically publish printers. However, you c
XDW output format is the legacy Microsoft XPS (*.xps). If you disable or do not configure this policy setting, the default MXDW output
he system only verifies published printers at startup. This setting allows for periodic verification while the computer is operating. To
ng, enable Location Tracking by enabling the "Pre-populate printer search location text" setting. When Location Tracking is enabled, th
If you enable this policy setting, you replace the "Get help with printing" default link with a link to a Web page customized for your e
rinters. If a computer does not respond to the contact message (optionally, after repeated attempts), the pruning service "prunes" (delete
to contact attempts. This process keeps printer information in Active Directory current. The thread priority influences the order in w
ers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact messag
an cause stop errors. If you disable this setting, or do not configure it, then printers using kernel-mode drivers may be installed on the loc
provide access to more device features, but this may not be appropriate for all enterprises. If you enable this policy setting, then all pri
ailure will not cause the print spooler service to fail.If you enable or do not configure this policy setting, the print spooler will execute print
drivers from Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache.If you disab
tion crash.Not all applications support driver isolation. By default, Microsoft Excel 2007, Excel 2010, Word 2007, Word 2010 and certain ot
omputers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact
nt and print, client computers will check the driver signature of all drivers that are downloaded from print servers.If this setting is disabled
does not report compatibility.If you enable this policy setting, the print spooler isolates all print drivers that do not explicitly opt out of Dr
is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connec
uters that are members of a domain. If you enable this policy setting: -Windows XP and later clients will only download print driv
n Tracking overrides the standard method used to locate and associate computers and printers. The standard method uses a printer's IP a
f you enable this setting, the print spooler announces shared printers to the print browse master servers.If you disable this setting, shared
0 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published ou

erator can back up only volumes hosting OS components and no data-only volumes can be backed up. If you disable or do not configure this
Server Backup to run backups to a locally attached storage or disk.If you disable or do not configure this policy setting, there is no restricti
Backup to run backups to a network share.If you disable or do not configure this policy setting, there is no restriction on network share be
Backup to run backups to an optical media.If you disable or do not configure this policy setting, there is no restriction on optical media be
p to run non-scheduled run-once backups.If you disable or do not configure this policy setting, there is no restriction on running run-once b

an XML file that was generated by the Export-StartLayout PowerShell cmdlet.To use this setting, you must first manually configure a devic
ng processes.If you enable this policy setting, the System State Data feature is activated when the user indicates that the shutdown or rest
e moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. The DLT c
ys status messages that reflect each step in the process of starting, shutting down, logging on, or logging off the system.If you disable or d
y you are shutting down the computer.If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event
ypted folder.If you disable or do not configure this policy setting, File Explorer automatically encrypts files that are moved to an encrypted
n to the server. If you disable or do not configure this policy setting, the Manage Your Server page is displayed each time an administrator
ly selected using the Start menu or Task Manager user interfaces. Applications such as UPS software may rely on Windows shutdown beh
interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registere
e able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timest
off.If you disable or do not configure this policy setting, the system displays the message reminding users to wait while their system starts
the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting. If yo
s policy setting, enter the file names of the programs you want to restrict, separated by commas. If you disable or do not c
policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling op
figure this policy setting, the Windows Setup source path will be the location used during the last time Windows Setup was run on the syst
you disable or do not configure this policy setting, the Windows Service Pack Setup source path will be the location used during the last tim
de that takes advantage of exception-handling mechanisms in Windows by monitoring your programs to make sure that they use system m
sers with the ability to send an email to request access to the file or folder to which they were denied access.If you enable this policy setti

e this policy setting the command line information for every process will be logged in plain text in the security event log as part of the Aud
certificate or Kerberos.If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegate
this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that
ficate or Kerberos.If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh
this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you
ficate or Kerberos.If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (save
this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you
entials cannot be delegated (default credentials are those that you use when first logging on to Windows).If you disable or do not configur
ntials cannot be delegated (fresh credentials are those that you are prompted for when executing the application).If you disable or do not
ntials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).If you di
vers or networks beyond the target computer because credentials are not delegated. Participating apps: Remote Desktop Client. If you enab
o not configure this policy setting, remote connections to the Plug and Play interface are not allowed.
fy before terminating the installation.If you disable or do not configure this policy setting, Windows waits 300 seconds for a device installa
eport is not sent when a generic driver is installed.If you disable or do not configure this policy setting, an error report is sent when a gene
s restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily
m the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security >
ng, Windows will not send an error report to request additional software even if this is specified by the device driver.If you disable or do n
d installation process. Regardless of this policy setting, a signed driver is still preferred over a driver that is not signed at all.If you enable o
ows Update unconditionally, only if necessary, or not at all.Note that searching always implies that Windows will attempt to search Windo
U), searches a Managed Server, or a combination of both.Note that if both are specified, then Windows will first search the Managed Serve
led.If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless t
members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for an
es not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence o
tion of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take p
splays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation.If you disa
ws displays the text you type in the Detail Text box when a policy setting prevents device installation.If you disable or do not configure this
ng the device driver for any device that is not described by either the "Allow installation of devices that match any of these device IDs" or t
setting that allows Windows to install a device.If you enable this policy setting, Windows is prevented from installing a device whose hard
other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing or upda
vable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is co
mount of seconds you want the system to wait until a reboot.If you disable or do not configure this policy setting, the system does not for
er for the USB device can be loaded.
evices can be loaded.
resume.If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume. The system determines the da
ved.If you disable this policy setting, the hard disks are put into an NV cache power saving mode. In this mode, the system tries to save pow
and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning
he.If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This allows the system to
older apply to fixed-media NTFS volumes only. Note: When this policy setting is applied, the computer will apply the disk quota to both fixe
turned on, and users cannot turn it off.If you disable the policy setting, disk quota management is turned off, and users cannot turn it on.
ng, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users ex
enable this policy setting, the system records an event when the user reaches their limit. If you disable this policy setting, no event is reco
vent. If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresp
em volumes on a computer. It also specifies the warning level, the point at which the user's status in the Quota Entries window changes t
DCOM server application id (appid) in the "Define Activation Security Check exemptions" policy (if enabled), DCOM will look for an entry in
this policy setting, and the other via the actions of local computer administrators. DCOM ignores the second list when this policy setting
mbers of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows
r searching" in "Administrative Templates/System/Internet Communication Management/Internet Communication settings" is disabled or
driver can return the following classifications for each boot-start driver:- Good: The driver has been signed and has not been tampered wi
orized USB device reading data on an Enhanced Storage device.If you enable this policy setting, only USB root hub connected Enhanced Sto
that contain a manufacturer and product ID specified in this policy are usable on your computer.If you disable or do not configure this poli
this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer.If you disable o
d on your computer.If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your co
you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device.
or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.
ains locked when the computer is locked.If you disable or do not configure this policy setting, the Enhanced Storage device state is not cha
Administrators can define the properties for the organization by using Group Policy, and supplement these with properties defined on ind
(AD DS), and then group these properties into lists. Administrators can supplement these properties on individual file servers by using File
t backup and restore of VSS aware applications storing data on SMB2 File Shares.By default, the RPC protocol message between File Serve
e of 1 will disable delete notifications for all volumes.
nk to a Remote Target; Remote Link to Remote Target; Remote Link to Local Target. For further information please refer to the Windows Help

e encrypted.
act on the system.If you enable short names on all volumes then short names will always be generated. If you disable them on all volume
here the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office.To desig
he parent Start Menu and legacy My Documents folder respectively.If you enable this policy setting, Windows Vista, Windows 7, Windows
t processing mode for Windows Vista and Windows XP. By default, Windows Server processes user Group Policy settings synchronously. If yo
on to a computer in a different forest when a trust across forests or a two-way forest trust exists.If you do not configure this policy setting:
from that GPO into the Group Policy Object Editor snap-in. This allows you to use the same version of the ADM files that were used to crea
uter startup and user logon) when a slow network connection is detected. If you enable this policy setting, when a slow network connecti
eference items.If you disable or do not configure this policy setting, Application preference items are allowed to process across a slow netw
preference items.If you disable or do not configure this policy setting, Data Sources preference items are allowed to process across a slow
tems.If you disable or do not configure this policy setting, Device preference items are allowed to process across a slow network connecti
ts the bandwidth speed of a Direct Access connection, the detection can sometimes fail to provide any bandwidth speed information. If G
rative Templates\System\Disk Quotas.This policy setting overrides customized settings that the program implementing the disk quota poli
ference items.If you disable or do not configure this policy setting, Drive Maps preference items are allowed to process across a slow netw
Settings\Security Settings.It overrides customized settings that the program implementing the encryption policy set when it was installed.
Variable preference items.If you disable or do not configure this policy setting, Environment Variable preference items are allowed to proc
f you disable or do not configure this policy setting, File preference items are allowed to process across a slow network connection, to be a
ons, Open With, and File Type preference items.If you disable or do not configure this policy setting, Folder Options, Open With, and File Ty
older Redirection. You can only set folder redirection policy for Group Policy objects, stored in Active Directory, not for Group Policy object
ems.If you disable or do not configure this policy setting, Folder preference items are allowed to process across a slow network connectio
session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground m
n this group is slower than the rate specified by this setting, the system considers the connection to be slow.The system's response to a slo
items.If you disable or do not configure this policy setting, Ini Files preference items are allowed to process across a slow network connec
ose in Windows Settings\Internet Explorer Maintenance.This policy setting overrides customized settings that the program implementing
reference items.If you disable or do not configure this policy setting, Internet preference items are allowed to process across a slow netwo
ws Settings\Security Settings\IP Security Policies on Local Machine.This policy setting overrides customized settings that the program imple
al User and Local Group preference items.If you disable or do not configure this policy setting, Local User and Local Group preference item
ient waits five minutes before running logon scripts. This helps create a responsive desktop environment by preventing disk contention.
ection and DUN Connection preference items.If you disable or do not configure this policy setting, VPN Connection and DUN Connection p
hares preference items.If you disable or do not configure this policy setting, Network Shares preference items are allowed to process acros
ons and Power Scheme preference items.If you disable or do not configure this policy setting, Power Options and Power Scheme preferenc
P/IP Printer, and Local Printer preference items.If you disable or do not configure this policy setting, Shared Printer, TCP/IP Printer, and Loc
Options preference items.If you disable or do not configure this policy setting, Regional Options preference items are allowed to process ac
customized settings that the program implementing a registry policy set when it was installed.If you enable this policy setting, you can use
e items.If you disable or do not configure this policy setting, Registry preference items are allowed to process across a slow network conne
Task and Immediate Task preference items.If you disable or do not configure this policy setting, Scheduled Task and Immediate Task prefe
ts. It overrides customized settings that the program implementing the scripts policy set when it was installed.If you enable this policy setti
s policy setting overrides customized settings that the program implementing the security policy set when it was installed.If you enable thi
items.If you disable or do not configure this policy setting, Service preference items are allowed to process across a slow network connec
nce items.If you disable or do not configure this policy setting, Shortcut preference items are allowed to process across a slow network con
n Software Settings\Software Installation. You can set software installation policy only for Group Policy Objects stored in Active Directory, n
ference items.If you disable or do not configure this policy setting, Start Menu preference items are allowed to process across a slow netw
hose in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.By d
ows Settings\Wired Network Policies. It overrides customized settings that the program implementing the wired network set when it was in
Windows Settings\Wireless Network Policies. It overrides customized settings that the program implementing the wireless network set when
policy setting, interactive users cannot generate RSoP data.If you disable or do not configure this policy setting, interactive users can gener

essing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foregrou
e applied at startup or when an official policy refresh occurs. If you disable or do not configure this policy setting, the default behavior appl
mputer Configuration folder. In addition to background updates, Group Policy for the computer is always updated when the system starts. B
hen the system starts. By default, Group Policy on the domain controllers is updated every five minutes. If you enable this setting, you can
til the network is available or the default wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked
until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer is not b
ng, the system waits until the current user logs off the system before updating the computer and user settings. If you disable or do not confi

ngs can apply to both users and the local computer. You can disable the processing and application of all Local GPOs to ensure that only do
udes details such as which Group Policy Objects (GPO) were applied, where they came from, and the client-side extension settings that we
ide diagnostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing for the
ovide diagnostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing for th
ostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing for the Devices
e diagnostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing for the D
vide diagnostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing for th
nformation for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing for the Files extension
provide diagnostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing fo
ostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing for the Folders e
ostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing for the Ini Files e
nostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing for the Interne
sion. Logging and tracing provide diagnostic information for troubleshooting. If you enable this policy setting, you can configure event logg
acing provide diagnostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on traci
ng provide diagnostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing
provide diagnostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing fo
ostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing for the Printers
cing provide diagnostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on traci
nostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing for the Registry
ing provide diagnostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracin
nostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing for the Service
agnostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing for the Shor
e diagnostic information for troubleshooting. If you enable this policy setting, you can configure event logging and turn on tracing for the S
cation settings" section are set such that their respective features cannot access the Internet. If you disable this policy setting, all of the
http://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Ex
ociated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an a
ecure email. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted c
s not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are n
ernet browser when clicked. In addition, "More Information" is placed at the end of the description text if the event is created by a Micros
g style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition
s and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in futu
rt Center, and provides up-to-date information about Windows and the computer. If you enable this policy setting, the Help and Support Ce
help tools for Microsoft products, and is searched as part of all Help and Support Center searches with the default search options. If you en
t Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This prevents users from retrieving the list of ISPs, w
ervices such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in
iated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an app
client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared prin
line registration and users cannot register their copy of Windows online. If you disable or do not configure this policy setting, users can con
anion occasionally connects to Microsoft to download an updated privacy policy and additional content files used to format and display re
rder prints online. If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. If yo
olders. The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. If you enable this p
users can allow Microsoft to collect anonymous information about how the product is used. This information is used to improve the prod
how you use our software and services to identify trends and usage patterns. Microsoft will not collect your name, address, or any other p
improve the quality of the product. If you enable this policy setting, users are not given the option to report errors. If you disable or do not
work. As part of determining the connectivity level, NCSI performs one of two active tests: downloading a page from a dedicated Web serv
n a new device is installed. If you disable this policy setting, Windows Update is always searched for drivers when no local drivers are prese
ay be established.

established.
be established. Note that if the "Do not allow sessions without mutual CHAP" setting is enabled then that setting overrides this one.
d targets may be manually configured. Note: if enabled there may be cases where this will break VDS.

s new targets discovered via those iSNS servers; existing iSNS servers may be removed.
new targets discovered on those portals; existing target portals may be removed.
his policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor
sage about previous logons. For Windows Logon to leverage this feature, the "Display information about previous logons during user logon
pound authentication, and Kerberos armoring" must be configured and enabled. If you enable this policy setting, domain controllers will r
C will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a glob
this policy setting, you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high, then authentication
hentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authenticati
d DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings, enable the policy setting and then clic
the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setti
is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. Warning: When revoc
moring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from compute
se features. If you enable this policy setting, the client computers will request claims, provide information required to create compounded
s X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 ce
s server with a NULL value for the service principal name (SPN), computers running Windows 7 or later attempt to use Kerberos by genera
um size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group membe
for a domain when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain, ena
domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Suppo
arches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to th
sers may select any GeoID. If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. If you d
Note this does not affect the availability of user input methods on the lock screen or with the UAC prompt. If the policy is Enabled, the
e selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization
first reset the user(s) values to the defaults and then apply this policy. When this policy setting is enabled, users can still choose alternate lo
ever, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. The
ngs; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. To set this poli
tting, a user on a device that supports connected standby may configure the amount of time after the device's screen turns off before a pa
domain. If you enable this policy setting, the classic log on screen is presented to the user at logon, rather than the simple logon screen. If y
ys attempts to load a custom background instead of the Windows-branded logon background. If you disable or do not configure this policy
ient computers, Group Policy processing is not synchronous; client computers typically do not wait for the network to be fully initialized at
n for logon, the domain to which the computer belongs is assumed as the default domain. For example if the computer belongs to the Fab
hout signing into Windows. If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can con
to a computer where this policy is applied. Users can still display the welcome screen by selecting it on the Start menu or by typing "Welc
mputers. If you disable or do not configure this policy setting, connected users will be enumerated on domain-joined computers.
essional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system sta
These programs are added to the standard list of programs and services that the system starts. If you enable this policy setting, the system
ot configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers.
or when authentication is required. Windows Vista provides two default credential providers: Password and Smart Card. An administrator
ttempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the
the time the user logs on to this computer that has this policy applied. To specify values for this policy setting, click Show. In the Show Con
nitial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for
ure this policy setting, users can choose which apps display notifications on the lock screen.
or don't configure this policy setting, a domain user can set up and use a picture password. Note that the user's domain password will be c
p, and can be turned on or off in the Sound item of Control Panel. Enabling or disabling this setting automatically prevents users from custo
cy setting, a domain user can't set up and use a PIN. Note that the user's domain password will be cached in the system vault when using th
r are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. By default, Net Logon will not al
lator is useful in case the client's password was recently changed and did not propagate to the DC yet. Users may want to disable this f
u enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the
he domain controllers (DC), discovers a DC that has not been discovered. - On the PDC, attempts to add the <DomainName>[1B] NetBIOS n
this setting is enabled, the SYSVOL share will honor file sharing semantics that grant requests for exclusive read access to files on the share
ed, and then enter the desired value in seconds (for example, the value "60" is 1 minute). If you do not configure this policy setting, it is n
bug information is logged. If you enable this policy setting and specify a non-zero value, debug information will be logged to the file. Highe
his policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak
n the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. The default value for this setting is 45 seco
g the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the
ccess and replication. To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a compu
ccording to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more re
value for this setting is 10 minutes (10*60). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value
e set at 10 minutes, then 20 minutes and then 40 minutes, but when the interval reaches the value set in this setting, that value becomes t
formation to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967
ng both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operati
or first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to eac
very fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. NetBIOS-bas
tive Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location a
, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC
rvice and are used to locate the DC. The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record'
cate the domain controller (DC). To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for exam
n service, and they are used to locate the DC. The Weight field in the SRV record can be used in addition to the Priority value to provide a l
locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an
ctions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied. Select the mnemonics from the
d by the Locator algorithm to locate the DC. If you enable this policy setting, DCs to which this setting is applied dynamically register DC Lo
used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. DCs configured to perfor
RV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, a
ds registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those
registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those
est site during DC Location streamlines network traffic more effectively. The DC Locator service is used by clients to find domain controller
for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. If y
OS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabe
s used. If the AllowDnsSuffixSearch policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosti
a power plan from the Active Power Plan list. If you disable or do not configure this policy setting, users control this setting.
ool. If you enable this policy setting, you must specify a power plan, specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX
ust select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting.
ust select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting.
select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting.
select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting.
elect the desired action. If you disable this policy setting or do not configure it, users can see and change this setting.
elect the desired action. If you disable this policy setting or do not configure it, users can see and change this setting.
ou disable this policy or do not configure this policy setting, users control this setting.
ou disable this policy or do not configure this policy setting, users control this setting.
efore Windows turns off the hard disk. If you disable or do not configure this policy setting, users can see and change this setting.
efore Windows turns off the hard disk. If you disable or do not configure this policy setting, users can see and change this setting.
n -Sleep -Hibernate -Shut down. If you disable or do not configure this policy setting, users control this setting.
the battery level that triggers the critical notification. To set the action that is triggered, see the "Critical Battery Notification Action" policy
eep -Hibernate -Shut down. If you disable or do not configure this policy setting, users control this setting.
e battery level that triggers the low notification. To set the action that is triggered, see the "Low Battery Notification Action" policy setting. I
evel that triggers the reserve power notification. If you disable or do not configure this policy setting, users can see and change this setting
apacity remaining equals the low battery notification level. To configure the low battery notification level, see the "Low Battery Notificatio
eep after a period of user inactivity. If you disable or do not configure this policy setting, applications, services, or drivers do not prevent W
eep after a period of user inactivity. If you disable or do not configure this policy setting, applications, services, or drivers do not prevent W
ure this policy setting, the computer does not automatically sleep when network files are open.
ure this policy setting, the computer does not automatically sleep when network files are open.
uter in a sleep state. If you disable or do not configure this policy setting, the only sleep state a computer may enter is hibernate.
uter in a sleep state. If you disable or do not configure this policy setting, the only sleep state a computer may enter is hibernate.
when the system resumes from sleep. If you disable this policy setting, the user is not prompted for a password when the system resumes f
when the system resumes from sleep. If you disable this policy setting, the user is not prompted for a password when the system resumes f
dle time should elapse before Windows transitions to hibernate. If you disable or do not configure this policy setting, users control this setti
dle time should elapse before Windows transitions to hibernate. If you disable or do not configure this policy setting, users control this setti
time should elapse before Windows transitions to sleep. If you disable or do not configure this policy setting, users control this setting. If the
time should elapse before Windows transitions to sleep. If you disable or do not configure this policy setting, users control this setting. If the
a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended
a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended
tting, users control this setting.
tting, users control this setting.
ping (Hybrid Sleep, Stand By, or Hibernate). If you disable or do not configure this policy setting, users control this setting.
ping (Hybrid Sleep, Stand By, or Hibernate). If you disable or do not configure this policy setting, users control this setting.
how much idle time should elapse before Windows automatically reduces the brightness of the display. Windows will only reduce the brig
how much idle time should elapse before Windows automatically reduces the brightness of the display. Windows will only reduce the brig
dicating the display brightness when Windows automatically reduces brightness of the display. If you disable or do not configure this policy
dicating the display brightness when Windows automatically reduces brightness of the display. If you disable or do not configure this policy
based on what users do with their keyboard or mouse to keep the display on. If you disable this policy setting, Windows uses the same setti
based on what users do with their keyboard or mouse to keep the display on. If you disable this policy setting, Windows uses the same setti
d elapse before Windows turns off the display. If you disable or do not configure this policy setting, users control this setting. If the user has
d elapse before Windows turns off the display. If you disable or do not configure this policy setting, users control this setting. If the user has
the desktop background slideshow is disabled. If you disable or do not configure this policy setting, users control this setting.
the desktop background slideshow is disabled. If you disable or do not configure this policy setting, users control this setting.
tem image. If you enable or do not configure this policy setting, the items "Use a system image you created earlier to recover your comp
icy setting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote
upport staff using Offer (Unsolicited) Remote Assistance. If you disable this policy setting, users on this computer cannot get help from thei
or help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote
is or her computer. The "Display warning message before connecting" policy setting allows you to specify a custom message to display bef
ous optimization setting. For example: "Turn off background" will include the following optimizations: -No full window drag -Turn off backgro
licy setting, log files are not generated. If you do not configure this setting, application-based settings are used.
s running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. If you disable this policy setti
egation was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_Q
monly needed state data, is required for troubleshooting RPC problems. If you disable this policy setting, the RPC runtime defaults to "Auto
nd the name of the computer on which the error occurred, or from which it was propagated. Programs can retrieve the extended error info
ng should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change
ut than the IIS server running the RPC/HTTP proxy. In such cases, RPC/HTTP clients may encounter errors because connections will be time
ach class. If you enable this policy setting, no access is allowed to any removable storage class. If you disable or do not configure this policy
mote sessions. If you disable or do not configure this policy setting, remote users cannot open direct handles to removable storage devices i
this policy setting, execute access is allowed to this removable storage class.
icy setting, read access is allowed to this removable storage class.
olicy setting, write access is allowed to this removable storage class.
y setting, read access is allowed to these removable storage classes.
cy setting, write access is allowed to these removable storage classes.
ou disable or do not configure this policy setting, execute access is allowed to this removable storage class.
ble or do not configure this policy setting, read access is allowed to this removable storage class.
able or do not configure this policy setting, write access is allowed to this removable storage class.
e access is allowed to this removable storage class.
s allowed to this removable storage class.
s is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting
ng, you can set the number of seconds you want the system to wait until a reboot. If you disable or do not configure this setting, the opera
is policy setting, execute access is allowed to this removable storage class.
cy setting, read access is allowed to this removable storage class.
icy setting, write access is allowed to this removable storage class.
vable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class.
ovable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class.
g on to the computer. If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons witho
oes not display the instructions in the shutdown script. If you enable this policy setting, the system displays each instruction in the shutdow
tructions in the startup script. If you enable this policy setting, the system displays each instruction in the startup script as it runs. Instructio
start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user star
efore it runs the next startup script. If you enable this policy setting, the system does not coordinate the running of startup scripts. As a res
on-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell
ws PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before
Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and re
e managing by using Server Manager. Server Manager also monitors the status of roles and features installed on managed servers. If you e
tial Configuration Tasks window is not displayed when an administrator logs on to the server. If you disable this policy setting, the Initial Co
u disable this policy setting, Server Manager is displayed automatically when a user logs on to the server. If you do not configure this policy

y terminated if they attempt to cancel shutdown or block it indefinitely. If you enable this setting, console applications or GUI applications
in the event of a problem, to restore their computers to a previous state without losing personal data files. The behavior of this policy setti
osing personal data files. By default, System Restore is turned on for the boot volume. If you enable this policy setting, System Restore is tu
em detection and troubleshooting only, the DPS will detect problems and attempt to determine their root causes. These root causes will b
ed in megabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is reached. If you disable or do not confi
r Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
r Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
r Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
r Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
r Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
ring application installation, failures during application runtime, and drivers blocked due to compatibility issues. When failures are detecte
r Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
imal UI display. Windows will attempt to present you with a dialog box when a system restart is required. This is the default recovery beha
disk diagnostic message. The custom text may not exceed 512 characters. If you disable or do not configure this policy setting, Windows di
Windows. A disk that reports a S.M.A.R.T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S
mpts to resolve automatically any heap corruption problems. If you disable this policy setting, Windows cannot detect, troubleshoot, and att
s policy setting, administrators can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. If you disa
oblems, MSDT may prompt the user to download additional tools for troubleshooting. These tools are required to completely troubleshoot
this policy setting, users can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. By default, the su
ll be turned on. Windows will prompt the user with a dialog box when application reinstallation is required. This is the default recovery be
eshooting only, Windows will periodically detect and troubleshoot problems. The user will be notified of the problem for interactive resolu
alidates the signer of any diagnostic package and runs only those signed by trusted publishers. If you disable or do not configure this policy
puters. If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting C
om within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the mo
roubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their
by default. If you disable this policy setting, the DPS is not able to diagnose memory leak problems. This policy setting takes effect only unde
ansmitted to Microsoft through SQM. If you disable this policy setting, responsiveness events are not processed. If you do not configure thi
detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Resource Exhaustion problems and attempt
and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to deter
ection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and atte
and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows System Responsiveness problems and attempt to determ
ocally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization witho
om being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129
list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list. The default list of bloc
of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list. The local list of blocked T
in the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trust
commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands req
rd users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending comman
he TPM owner password. Certain TPM commands can only be run by the TPM owner. This hash authorizes the TPM to run these comman
profile is created at the location that is specified by the administrator. For the Windows XP Professional and Windows 2000 Professional o
o the file share storing the user's profile and 64 kilobytes of data is transferred. From that connection and data transfer, the network's late
en users with roaming profiles log off, the system also saves a copy of their roaming profile on the hard drive of the computer they are usi
ecific user profile was accessed. If you enable this policy setting, the User Profile Service will automatically delete on the next system restar
r profile. When the system detects a slow link, the related policy settings in this folder tell the computer how to respond. If you enable this
ogin. The profile is created at the location that is specified by the administrator. For Windows 2000 Professional pre-SP4 and Windows XP
where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable th
logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from
curity for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a
sages explaining that any of the following events has occurred:-- The system detects a slow connection between the user's computer and
tion related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is d
ops trying. As a result, the user profile might not be current, and local and roaming user profiles might not match. When a user logs off of t
If they have already logged on to this computer in the past, the roaming profile is merged with the local profile. Similarly, when the user lo
ming profile is copied down to the local computer. If the user has logged on to the computer in the past, the roaming profile is merged wi
ill be allowed to define whether they want their roaming profile to be downloaded when a slow link with their roaming profile server is de
tting is useful for the cases in which a network might take typically longer to initialize, such as with a wireless network. Note: Windows does
work share in the form \\Computername\Sharename\. It is recommended to use a path such as \\Computername\Sharename\%USERNAM
er data and regular profiles are not uploaded) and uploads it only if the user is logged on. This policy setting does not stop the roaming
cified local or network location, creating a new folder for each user name. To use this policy setting, in the Location list, choose the location
es across apps. If you disable or do not configure this policy setting, users can control whether apps can use the advertising ID for experien
n information may be controlled by setting one of the following options: "Always on" - users will not be able to change this setting and the
w connection, but does not respond in the time allowed. This policy setting and related policy settings in this folder together define the sy
not appear during file scanning. If you disable or do not configure this policy setting, the file scan progress window appears.
aches the quota. If the quota is greater than 50 MB, Windows File Protection adds other important Windows XP files to the cache until the
policy setting, select a rate from the "Scanning Frequency" box. You can use this setting to direct Windows File Protection to scan files mo
disable this setting or do not configure it, the Windows File Protection cache is located in the %Systemroot%\System32\Dllcache director
e following Clock discipline, General and RODC parameters for this service. If you disable or do not configure this policy setting, Windows T
o not configure this policy setting, the Windows NTP Client uses the defaults of each of the following parameters. NtpServer: The Domain Na
sable this service if you decide to use a third-party time provider. If you enable this policy setting, you can set the local computer clock to s
rs. If you disable or do not configure this policy setting, your computer cannot service NTP requests from other computers.
te a list of approved ActiveX Install sites specified by host URL. If you enable this setting, the administrator can create a list of approved Ac
f you disable or do not configure this policy setting, ActiveX controls prompt the user before installation. If the trusted site uses the HTTPS

d with a certificate chain that can be successfully validated by the local computer). If you disable or do not configure this policy setting, you
fter the user signs off: Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies; Mandato
p Windows Store apps without installing a developer license. If you disable or do not configure this setting, you'll need to install a d
this policy setting, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise ac
e is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. If you enable
here is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. If you enable
entication capability on a computer. If you enable this policy setting, you can define additional Content URI Rules that all Windows Store a
n off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit applic
tibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affec
. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message
ning Application Telemetry off by selecting "enable" will stop the collection of usage data. If the customer Experience Improvement progra
ation is used to help diagnose compatibility problems. If you enable this policy setting, the Inventory Collector will be turned off and data w
A will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and
Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user
o old applications and new behavior to new applications. Switchback is on by default. If you enable this policy setting, Switchback will be tu
t configure this policy setting, AutoPlay is enabled for non-volume devices.
o do when a device is connected. If you disable or do not configure this policy setting, AutoPlay remembers user's choice of what to d
Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without use
media start immediately. Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive
you enable this policy setting, domain users can log on to a Windows-based domain-joined computer using biometrics. Depending on the
run applications that use biometrics on Windows. If you want to enable the ability to log on with biometrics, you must also configure the
domain users to log on using biometrics" policy setting will need to be enabled for domain users to log on to the domain. If you enable or d
g inactive. If you enable this policy setting, you can configure the fast user switch event timeout to specify the number of seconds the even
word. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, you can specify the path that will be used a
no effect if the drive is already encrypted or if encryption is in progress. Consult the BitLocker Drive Encryption Deployment Guide on Micr
no effect if the drive is already encrypted or if encryption is in progress. Consult the BitLocker Drive Encryption Deployment Guide on Micr
rver 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker. Two recovery options can be used to unlock BitLock
pt data. This policy setting applies only when BitLocker protection is enabled. If you enable this policy setting, memory will not be overwritt
he identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automaticall
crypted by BitLocker to prevent data loss due to lack of key information. This policy setting is only applicable to computers running Windo
ed in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates may be used to authenticate a user certificat
ervice Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems. If this policy setting is enabled or not configured, fixed dat
data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. B
ware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive. If you ena
mplexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be e
n be used to authenticate user access to the drive. You can require a smart card authentication by selecting the "Require use of smart card
ng, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mou
ve is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker
s, numbers, and spaces. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, all new BitLocker startup
enabled computers to automatically unlock the operating system drive when the computer is started. If you enable this policy, clients confi
only loads firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing pre
itLocker. The "Allow certificate-based data recovery agent" check box is used to specify whether a data recovery agent can be used with B
ength of 4 digits and can have a maximum length of 20 digits. If you enable this policy setting, you can require a minimum number of digits
not have a compatible TPM or if BitLocker has already been turned on with TPM protection. If you enable this policy setting before turning
not have a compatible TPM or if BitLocker has already been turned on with TPM protection. Important: This group policy only applies to com
not have a compatible TPM or if BitLocker has already been turned on with TPM protection. Important: This group policy only applies to com
g hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive. If
ord, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requireme
n you turn on BitLocker. If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords. If you dis
h as that used by tablets) isn't available in the pre-boot environment where BitLocker requires additional information such as a PIN or Pass
ve is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker
(TPM). This policy setting is applied when you turn on BitLocker. Note: Only one of the additional authentication options can be required at
cy setting is applied when you turn on BitLocker. Note: This policy is only applicable to computers running Windows Server 2008 or Windo
be refreshed when Windows is started following BitLocker recovery. If you disable this policy setting, platform validation data will not be r
e default settings, or both. If you disable this policy setting, the computer will revert to a BCD profile similar to the default BCD profile used
with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems. If this policy setting is enabled or not configured, rem
Allow data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable d
hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive. If yo
plexity requirements, and configure a minimum length. For the complexity requirement setting to be effective the Group Policy setting "Pa
an be used to authenticate user access to the drive. You can require a smart card authentication by selecting the "Require use of smart ca
rol how users can configure BitLocker. Choose "Allow users to apply BitLocker protection on removable data drives" to permit the user to
BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If th
ve is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker
a user types a password in the password entry text box. If you disable or do not configure this policy setting, the password reveal button wi
o elevate a running application. If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can
ote: This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled. If you enable this polic
ave not been digitally signed will not be extracted. If you disable or do not configure this setting, both signed and unsigned gadgets will be e
le or do not configure this setting, desktop gadgets will be turned on. The default is for desktop gadgets to be turned on.
etting, Windows will run user-installed gadgets. The default is for Windows to run user installed gadgets.
able this policy setting, Flip 3D is inaccessible. If you disable or do not configure this policy setting, Flip 3D is accessible, if desktop composi
. If you disable or do not configure this policy setting, window animations are turned on. Changing this policy setting requires a logoff for it
use the default visuals. Note: If this policy setting is enabled, users can continue to select a color in Start Personalization. However, setting
e this policy setting, you allow users to change the default window frame color. Note: This policy setting can be used in conjunction with th
he user does not specify a color. If you disable or do not configure this policy setting, the default internal color is used, if the user does not

acquired and stored in the user's Windows Marketplace Digital Locker. If you enable this setting, Digital Locker will not run. If you disable or
help tips to the user.

n old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. If yo
riptor can access the log. If you disable or do not configure this policy setting, all authenticated users and system services can write, read, o
lost. If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. Note: Ol
t Log uses the path specified in this policy setting. If you disable or do not configure this policy setting, the Event Log uses the system32 or
s (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure this policy setting, the maximum size of the log file will b
n old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. If yo
setting, only those users whose security descriptor matches the configured specified value can access the log. If you disable or do not confi
lost. If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. Note: Ol
t Log uses the path specified in this policy setting. If you disable or do not configure this policy setting, the Event Log uses the system32 or
s (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure this policy setting, the maximum size of the log file will b
n old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. If yo
riptor can access the log. If you disable or do not configure this policy setting, all authenticated users and system services can write, read, o
lost. If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. Note: Ol
t Log uses the path specified in this policy setting. If you disable or do not configure this policy setting, the Event Log uses the system32 or
s (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure this policy setting, the maximum size of the log file will b
ys be read from the log, regardless of this policy setting.
n old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. If yo
es the configured value can access the log. If you disable or do not configure this policy setting, only system software and administrators ca
lost. If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. Note: Ol
t Log uses the path specified in this policy setting. If you disable or do not configure this policy setting, the Event Log uses the system32 or
s (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure this policy setting, the maximum size of the log file will b

s policy setting, the Family Safety control panel is not visible on a domain joined computer.
or do not configure this policy setting, file shortcut icons that use remote paths are prevented from being displayed. Note: Allowing the us
ernet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. If you enable this policy setting
y System. This behavior is consistent with Windows Vista's behavior in this scenario. This disables access to user-defined properties, and p
e shown. If the group policy is not configured or disabled, notifications will be shown to the end user if a new application has been installed
definition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon, the policy setti
ample: Dism.exe /Online /Export-DefaultAppAssociations:C:\AppAssoc.txt For more information, refer to the DISM documentation on Tech

If you disable this policy setting, the hibernate option will never be shown in the Power Options menu. If you do not configure this policy se
r Tile menu. If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Opti
able this policy setting, the sleep option will never be shown in the Power Options menu. If you do not configure this policy setting, users w
rst time users open File Explorer and whenever they open new windows. If you disable or do not configure this policy setting, users can ch

a file name (for example, 111 < 22 < 3). If you disable or do not configure this policy setting, File Explorer will sort file names by increasing
ected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able
f you enable this policy setting, Folder Redirection creates a temporary file in the old location in order to verify that new and old locations
ng, users cannot list or restore previous versions of files on local disks. If you disable this policy setting, users cannot list and restore previou
nnot list or restore previous versions of files on file shares. If you disable this policy setting, users can list and restore previous versions of fi
up media. If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previo
disabled when the user selects a previous version corresponding to a local file. If you disable this policy setting, the Restore button remain
f you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a backup. If you d
n is disabled when the user selects a previous version corresponding to a file on a file share. If you disable this policy setting, the Restore bu
le History can be activated to create regular, automatic backups.
configure this setting, game information will be downloaded from Windows Metadata Services.
ame update information will be downloaded from Windows Metadata Services.
o not configure this setting, the last played time will be displayed to the user.
computers to a homegroup. This policy setting does not affect other network sharing features. If you disable or do not configure this polic
install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might
formation from the location feature. If you disable or do not configure this policy setting, all programs on this computer will not be pre
scripts will run.
u disable or do not configure this policy setting, all programs on this computer can use the sensor feature.
mputer will not be able to use the Windows Location Provider feature. If you disable or do not configure this policy setting, all program
u enable this policy setting, this will override the default daily scheduled time as specified in Action Center/Automatic Maintenance Contro
rom its Activation Boundary. If you enable this policy setting, Automatic Maintenance will delay starting from its Activation Boundary
scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. If you enable thi

XP version of the 802.1x Wireless Enforcement Client to participate. If you disable or do not configure this policy setting, the Windows XP
a TCP port that is already in use by a system, the Network Projector fails to initialize. If you enter zero (0), the operating system selects an a
r Wizard to connect to a projector. If you disable or do not configure this policy setting, users can run the Connect to a Network Projector
nks and Guided Help links. If you enable this policy setting, active content links are not rendered. The text is displayed, but there are no clic
cy setting, the specified retry interval in the policy setting is used by all affected computers that are running Password Synchronization. If y
cy setting, the number of retries specified in the policy setting applies to all affected computers in the domain that are running Password S
rmediate steps for password synchronization attempts. If you disable or do not configure this policy setting, individual computers that are r
omain Services. If you enable this policy setting, all affected computers that are running Password Synchronization automatically update a
ernate the PC. If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace, can't hibernate the
tandby states to make the PC sleep. If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace
To Go Startup Options Control Panel item. If you enable this setting, booting to Windows To Go when a USB device is connected will be ena
n be invoked. The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configur
g to control which RD Session Host servers are issued RDS CALs by the Remote Desktop license server. By default, a license server issues an
rvers running other Windows-based operating systems. A license server attempts to provide the most appropriate RDS or TS CAL for a con
his policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an R
ority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy settin
tting, you must specify one of the following settings: Always connect, even if authentication fails: The client connects to the RD Session Host
s will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any pa
e prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Sess
ny certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a
ol. If you disable or do not configure this policy setting, Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols.
If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users
on Host server is not used if a virtual IP is not available. The session will not have network connectivity. If you disable or do not configure t
ain Routing notation; for example, 192.0.2.96/24. If you enable this policy setting, the specified IP address and network mask are used to s
By default, Windows Installer RDS Compatibility is turned on. If you enable this policy setting, Windows Installer RDS Compatibility is turne
s turned on. You can select the mode in which this setting is applied. If you are using Per Program mode, you must enter a list of programs
on Host server is not used if a virtual IP is not available. The session will not have network connectivity. If you disable or do not configure t
arget computer can connect remotely to the target computer by using Remote Desktop Services. If you disable this policy setting, users can
connection attempts are made at five second intervals. If the status is set to Enabled, automatic reconnection is attempted for all clients ru
ection to an RD Session Host server, the session on the RD Session Host server might remain active instead of changing to a disconnected
currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, a
on a server. If this number is exceeded, additional users who try to connect receive an error message telling them that the server is busy a
ngle session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically re
Detect, or both Connect Time Detect and Continuous Network Detect. If you disable Connect Time Detect, Remote Desktop Protocol will n
.You can select one of the following options: "Use both UDP and TCP (default)", "Use only TCP" or "Use either UDP or TCP" If you select "U
1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. 2. Full Control with user's p
d apps are registered in the background. However, some apps may not work until app registration is complete. If you enable this policy setti
sor time within each session. If you enable this policy setting, Fair Share CPU Scheduling is turned off. If you disable or do not configure th
audio output by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can choos
nfiguring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can record audio by using an a
tion send their time zone information to the server. The server base time is then used to calculate the current session time (current session
use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Re
ecting data to COM port peripherals or mapping local COM ports while they are logged on to a Remote Desktop Services session. By defau
n connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format <driveletter> on <computername
edirecting data from the remote computer to local LPT port peripherals. By default, Remote Desktop Services allows LPT port redirection. I
og on to a Remote Desktop Services session. If you disable or do not configure this policy setting, smart card device redirection is allowed. B
e Desktop Services allows redirection of supported Plug and Play devices. Users can use the More option on the Local Resources tab of Re
If you enable this policy setting, you must select one of the following: High, Medium, or Dynamic. If you select High, the audio will be sent
isplayed on an RD Session Host server after you log on as a local administrator, if there are problems with RD Licensing that affect the RD S
e of two licensing modes: Per User or Per Device. Per User licensing mode requires that each user account connecting to this RD Session Ho
s to locate the specified license servers. If the specified license servers cannot be located, the RD Session Host server will attempt automati
he remote computer to a printer attached to their local (client) computer. By default, Remote Desktop Services allows this client printer m
designates the client default printer as the default printer in a session on an RD Session Host server. You can use this policy setting to ove
irected in Remote Desktop Services sessions.If you disable or do not configure this policy setting, all client printers are redirected in Remo
ot have a printer driver that matches the client's printer, no printer will be available for the Remote Desktop Services session.If you enable
rver first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy P
installed.Note: If you want to limit the size of an individual user profile, use the "Limit profile size" policy setting located in User Configura
t server. You can use this policy setting to specify a network share where user profiles can be centrally stored, allowing a user to access the
e location for the home directory (network or local) from the Location drop-down list. If you choose to place the directory on a network sh
ktop Services uses the path specified in the "Set path for Remote Desktop Services Roaming User Profile" policy setting as the root folder f
Host server farm. Therefore, you must use the same farm name for all RD Session Host servers in the same load-balanced farm. The farm n
server must be running the Remote Desktop Connection Broker service. All RD Session Host servers in a load-balanced farm should use th
ng session in a load-balanced RD Session Host server farm. To participate in RD Connection Broker, the Remote Desktop Session Host role
ng applies to an RD Session Host server that is configured to use RD Connection Broker and not to the RD Connection Broker server.If you
, RD Connection Broker redirects users who do not have an existing session to the RD Session Host server in the farm with the fewest sess
interface elements of Windows Aero, such as translucent windows, for remote desktop sessions. Because Windows Aero requires addition
a client connects to a remote computer, even if an initial program is already specified in the default user profile, Remote Desktop Connecti
guration.If you enable this policy setting, you can specify which RDP compression algorithm to use. If you select the algorithm that is optim
width usage with the visual quality that is delivered. If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graph
experience based on available network bandwidth. If you enable this policy setting, the RemoteFX experience could be set to one of the foll
laying computer fonts so that they appear clear and smooth, especially when you are using an LCD monitor. Because font smoothing requ
designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec.If you enable thi
ion. By default, Windows XP Professional displays wallpaper to remote clients connecting through Remote Desktop, depending on the clie
tion that uses RDP. Limiting the color depth can improve connection performance, particularly over slow links, and reduce server load.
ession can improve connection performance, particularly over slow links, and reduce server load.If you enable this policy setting, you mus
an improve connection performance, particularly over slow links, and reduce server load.If you enable this policy setting, you can specify t
amiliar method to disconnect their client from an RD Session Host server.If you enable this policy setting, "Disconnect" does not appear as
vices inadvertently.If the status is set to Enabled, Windows Security does not appear in Settings on the Start menu. As a result, users must
default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the
RemoteApp programs and does not apply to remote desktop sessions.If you enable or do not configure this policy setting, RemoteApp pro
setting, all Remote Desktop Services sessions on the RD Session Host server use the hardware graphics renderer instead of the Microsoft
When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user experience by rendering content on the server by using
l experience.By default, Remote Desktop Services sessions are optimized for rich multimedia, such as applications that use Silverlight or W
bandwidth usage with the type of graphics experience that is delivered.Depending on the requirements of your users, you can reduce netw
Desktop Services, even if they already provided the password in the Remote Desktop Connection client.By default, Remote Desktop Servi
making changes to the user groups allowed to connect remotely to the RD Session Host server. By default, administrators are able to make
munication with clients by allowing only authenticated and encrypted requests.If the status is set to Enabled, Remote Desktop Services ac
you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the se
ty by requiring that user authentication occur earlier in the remote connection process.If you enable this policy setting, only client comput
henticate an RD Session Host server when SSL (TLS 1.0) is used to secure communication between a client and an RD Session Host server d
onnections.If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections m
s, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Rem
policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect ac
lect the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the sp
mains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session witho
t server.By default, if a user closes a RemoteApp program, the session is disconnected from the RD Session Host server, but it is not logged
e computer, even if the user logs off from a session. By default, Remote Desktop Services deletes a user's temporary folders when the use
mote computer for each session. By default, Remote Desktop Services creates a separate temporary folder for each active session that a us
ed list in the Favorites Center.If you disable or do not configure this policy setting, the user can access the feed list in the Favorites Center.
eive a notification on the toolbar that a feed or Web Slice is available.If you disable or do not configure this policy setting, the user receive
wnload an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.If you disabl
re disabled, and access to Web Slices is turned off. A developer cannot add a feed or Web Slice or delete a feed or Web Slice by using the F
ff.If you disable or do not configure this policy setting, the user can synchronize feeds and Web Slices in the background.
thenticates feeds to servers by using the Basic authentication scheme in combination with a less secure HTTP connection.If you disable or
must provide the following: 1) A name for the scope, such as 'Intranet'. 2) The URL to the search service. Use $w in place of the query term f
me1,url1;name2,url2;...nameN,urlN For example: MySearch,http://mysearch.aspx?q=$w;MySearch2,http://mysearch2?q=$w. For each sea
tting, the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores
this policy setting, words with diacritics and words without diacritics are treated as identical words. This policy setting is not configured by
etection to index (as it did in Windows 7). Using automatic language detection can increase memory usage. We recommend enabling this
bmp;.emf;.gif;.jpg;.jpeg;.png;.wmf;.wrn;.txt;.err;.xml;.cpp;.c;.h;.cxx;.hxx;.idl;.cs;.vb;.idl;.xsd;.doc;.docx;.xls;.xlsx;.ppt;.pptx;.vsd;.xlsb;.xltx;.d

n system activity is high. Default is disabled.


, locations on removable drives cannot be indexed.If you disable or do not configure this policy setting, locations on removable drives can
default browser search engine.
he web and web results won't be displayed when a user performs a query in Search.If you disable this policy setting, queries will be perform
s won't be performed on the web over metered connections and web results won't be displayed when a user performs a query in Search.I
che portions of delegate mailboxes locally (for example, contacts or a calendar). This policy will not affect portions of a delegate mailbox t
ders. Disabling this policy will block any indexing of uncached Exchange folders. Delegate mailboxes are managed separately from online m
ill be on the corresponding Microsoft Exchange server. The default value for this policy is 120 items per minute. To lower the burden on M
l not be removed.When this policy is disabled or not configured, users will be able to add UNC locations to the index.This policy has no eff
e default behavior is to allow users to add and remove new locations to the locations menu. When the policy is enabled, the Add and Rem
. Windows Search does not automatically add shares created on the computer to the scope of the index.If you disable or do not configure
, client search requests will use this computer's index. Default is disabled.

tting, users can index any path not restricted by other policies, but their original list of paths to index is not restored.
ments. Consider enabling this policy if you are concerned about the security or indexing performance of non-Microsoft document filters (iF

nd the user will not see them in search results.


up Policy Object Editor require this list to be split across multiple values. Desktop Search combines all these into a single exclusion list.Whe
are only indexed when using Outlook 2003 or later. The user must be running in cached mode and the Download Public Folder Favorites o

ons in the Control Panel cannot be opened. If you disable or do not configure this policy setting, users can access the Advanced Options dia
m being installed, nor will it prevent them from being used by other applications or services. You can also specify an allow list of add-ins by
enabling this policy to turn off the preview pane if your environment does not support Office XP or later. The full preview pane functional
ause your organization does not support Office XP or above, you should enforce the large icon view so that users can see snippets related
able to change: -Strict: Filter out adult text, images, and videos from search results; -Moderate: Filter adult images and videos but not t
d location: Share a user's search history, some Microsoft account info, and specific location to personalize their search and other Microsoft
policy if computers in your environment have extremely limited hard drive space.When this policy is disabled or not configured, Windows
d notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, wh
update interval specified in this policy setting is applied to all affected domain controllers that are running Server for NIS.If you disable or
map updates or propagations, and whether map updates are successful, are logged for all affected computers that are running Server for
ogon sessions for the number of minutes specified.If you disable or do not configure this policy setting, the default timeout value is 3 minu
ws Server 2003 system.If you enable this policy setting, the system does not create the named pipe remote shutdown interface.If you disab

Users will still be able to change the value of this setting to save to SkyDrive by default. They will also be able to open and save files on Sky
e an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restrictio
can be used to log on to a domain.If you disable or do not configure this policy setting, ECC certificates on a smart card cannot be used to
feature. Please check with your hardware manufacturer to see if your smart card supports this feature.If you enable this policy setting, the
y key will be listed on the logon screen.If you disable or do not configure this policy setting, any available smart card signature key-based c
nd not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls the displa
tificate with that user.If you enable this policy setting then an optional field that allows a user to enter their user name or user name and d
not configure this setting then root certificate clean up will occur on log off.
d. Note: The following policy setting must be enabled - Allow Integrated Unblock screen to be displayed at the time of logon.If you disable
plate. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renew
s retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This can introduce a sign
ll be displayed when a smart card device driver is installed.If you disable this policy setting, a confirmation message will not be displayed w
s policy setting, plaintext PINs can be returned by Credential Manager.Note: Enabling this policy setting could prevent certain smart cards
on name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=exam
ou insert your smart card.If you disable this policy setting, certificate propagation will not occur and the certificates will not be made availa
ur when you insert your smart card. Note: For this policy setting to work the following policy setting must also be enabled: Turn on certific
o install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time.If you disable this policy setting, Smart
ed as an audio file.If you enable this policy setting, Sound Recorder will not run.If you disable or do not configure this policy setting, Sound
atic download and installation of app updates is turned on.If you don't configure this setting, the automatic download and installation of a
download of app updates is turned on.If you don't configure this setting, the automatic download of app updates is determined by a regis
figure this setting the Store application will offer updates to the latest version of Windows.
setting, access to the Store application is allowed.
d off, and none of the "sync your setting" groups will be synced on this PC. Use the option "Allow users to turn syncing on" so that syncing i
settings" group will not be synced. Use the option "Allow users to turn app settings syncing on" so that syncing is turned off by default but n
roup will not be synced. Use the option "Allow users to turn app syncing on" so that syncing is turned off by default but not disabled. If you
ike history and favorites. If you enable this policy setting, the "browser" group, including info like history and favorites, will not be synced. U
policy setting, the "desktop personalization" group will not be synced. Use the option "Allow users to turn desktop personalization syncing
u enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered
policy setting, the "Other Windows settings" group will not be synced. Use the option "Allow users to turn other Windows settings syncing
rds" group will not be synced. Use the option "Allow users to turn passwords syncing on" so that syncing is turned off by default but not dis
nalize" group will not be synced. Use the option "Allow users to turn personalize syncing on" so that syncing is turned off by default but not
art layout" group will not be synced. Use the option "Allow users to turn start syncing on" so that syncing is turned off by default but n

to it will fail.If you disable this policy, you will be able to use this feature to print to a Journal Note.If you do not configure this policy, users
nipping Tool will run.
Windows Journal accessory will run.
re shown instead of the pen cursors.If you disable or do not configure this policy, visual feedback and pen cursors will be shown unless th
disable this policy, Back->ESC mapping will occur.If you do not configure this policy, Back->ESC mapping will occur.
rom the drop down menu for configuring button actions (in the Tablet PC Control Panel buttons tab).If you disable this policy, applications
play the following text: "Some settings are controlled by Group Policy. If a setting is unavailable, contact your system administrator."If you
and OEM defined button actions will occur when the buttons are pressed.If you do not configure this policy, user and OEM defined button
oard and the handwriting tab when the feature is available for the current input area and input language.Touch Keyboard and Handwriting
Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or key
el is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard sho
nal), Japanese, and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input lang
s, numbers, or keyboard shortcuts.If you enable this policy, Input Panel tab will not appear on the edge of the Tablet PC screen. Users will
writing or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.If you enable this policy, application auto compl
eventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped when
estures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes. Tablet PC Input Panel is a
ed to learning mode applications. This means that the pen flicks training triggers in Internet Explorer are disabled and that the pen flicks no
rs in Internet Explorer, the pen flicks notification and the pen flicks tray icon.If you disable or do not configure this policy, pen flicks and rel

y will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features.If y
ging up or down directly on the scrolling content.If you enable this setting, the user will not be able to pan windows by touch. If you disab
ng users.The checkbox, when checked, instructs Task Scheduler to automatically open the newly created task's property sheet upon comp
right-click a task. As a result, users cannot change any properties of a task. They can only see the properties that appear in Detail view and
manually or force tasks to end before they are finished.Note: This setting appears in the Computer Configuration and User Configuration f
d and from the Task tab of the properties dialog box for a task. Also, users cannot edit the "Run" box or the "Start in" box that determine t
it menu in Scheduled Tasks. It also disables the drag-and-drop features of the Scheduled Tasks folder.As a result, users cannot add new sc
or documents into the Scheduled Tasks folder.Note: This setting appears in the Computer Configuration and User Configuration folders. If
t-click a task. Also, the system does not respond when users try to cut or drag a task from the Scheduled Tasks folder.Note: This setting ap
ws Calendar will be turned off.If you disable or do not configure this setting, Windows Calendar will be turned on.The default is for Window
e or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profiles that they previou
erations Manager server.If you do not configure this setting uploads are not redirected to a Microsoft Operations Manager server.
o not configure this setting or disable it, then CEIP data will not be tagged with the Study Identifier.
.If you enable this setting, the antimalware service will always remain running even if both antivirus and antispyware definitions are disab
ng, the antimalware service will load as a normal priority task.If you disable this setting, the antimalware service will load as a low priority
e or do not configure this setting, unique items defined in Group Policy and in preference settings configured by the local administrator wi
his setting, the proxy server will be bypassed for the specified addresses.If you disable or do not configure this setting, the proxy server wi
ere is no proxy specified, the following settings will be used (in order): 1. Internet Explorer proxy settings 2. Autodetect 3. None If you enable
ng. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a d
policy-defined action, user-defined action, and the signature-defined action.If you enable this policy setting, Windows Defender does not a
able or do not configure this policy setting, by default Windows Defender runs and computers are scanned for malware and other potentia
e phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be
ownload Standalone System Sweeper If you enable or do not configure this setting, notifications will be displayed to clients when they need
be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The valu
g. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource
usion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name shou
er Group Policy.If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
alicious software infections.You can choose to send basic or additional information about detected software. Additional information helps
ned interval. The interval value is defined in minutes. The default interval is 60 minutes.If you enable this setting, detection events will not
air, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test defin
ates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then th
d.If you disable this setting, protocol recognition will be disabled.
entry must be listed as a name value pair, where the name should be a string representation of an IP address range. As an example, a ran
me value pair, where the name should be a string representation of a TCP port number. As an example, a range might be defined as: 8080.
air, where the name should be a string representation of a process path and name. As an example, a process might be defined as: "C:\Win
e pair, where the name should be a string representation of a Threat ID. As an example, a Threat ID might be defined as: 2925110632. The
u enable this setting, the local preference setting will take priority over Group Policy.If you disable or do not configure this setting, Group P
r of days specified.If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be aut
preference setting will take priority over Group Policy.If you disable or do not configure this setting, Group Policy will take priority over the
ce setting will take priority over Group Policy.If you disable or do not configure this setting, Group Policy will take priority over the local pre
ce setting will take priority over Group Policy.If you disable or do not configure this setting, Group Policy will take priority over the local pr
er Group Policy.If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
l preference setting will take priority over Group Policy.If you disable or do not configure this setting, Group Policy will take priority over th
ority over Group Policy.If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configura
will be scanned.If you disable or do not configure this setting, a default size will be applied.
g, monitoring for file and program activity will be disabled.
you disable this setting, scanning for all downloaded files and attachments will be disabled.
r computer.If you enable this policy setting, Windows Defender will not prompt users to take actions on malware detections.If you disable

etting, the network protection will be disabled.


t configure this setting, a process scan will be initiated when real-time protection is turned on.If you disable this setting, a process scan wi
g, raw write notifications will be disabled.
cal preference setting will take priority over Group Policy.If you disable or do not configure this setting, Group Policy will take priority over
This setting can be configured with the following ordinal number values: (0x0) Every Day (0x1) Sunday (0x2) Monday (0x3) Tuesday (0x4) We
00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing.

e user to pause a scan.If you disable this setting, users will not be able to pause scans.
n -SigUpdate", but it has no effect on scans initiated manually from the user interface.If you enable this setting, a check for new definitions
nce setting will take priority over Group Policy.If you disable or do not configure this setting, Group Policy will take priority over the local p
r Group Policy.If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
ity over Group Policy.If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
er Group Policy.If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
tting will take priority over Group Policy.If you disable or do not configure this setting, Group Policy will take priority over the local prefere
re this setting, a system restore point will not be created.
ives will not be scanned.
d.If you disable this setting, archive files will not be scanned.
gure this setting, network files will not be scanned.
be scanned.If you disable this setting, packed executables will not be scanned.
ble this setting, removable drives will be scanned during any type of scan.If you disable or do not configure this setting, removable drives
e following ordinal number values: (0x0) Every Day (0x1) Sunday (0x2) Monday (0x3) Tuesday (0x4) Wednesday (0x5) Thursday (0x6) Friday (0x
nce per day). If set to zero, interval quick scans will not occur. By default, this setting is set to 0.If you enable this setting, a quick scan will r
setting, archive files will be scanned to the directory depth level specified.If you disable or do not configure this setting, archive files will b
cates that there should be no throttling of CPU utilization. The default value is 50.If you enable this setting, CPU utilization will not exceed
it to archive size for scanning.If you enable this setting, archive files less than or equal to the size specified will be scanned.If you disable or
ed value. If you disable or do not configure this setting, the default scan type will be used.
lent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where th
lent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the
is on but not in use.If you disable this setting, scheduled scans will run at the scheduled time.
missed because the computer was turned off at the scheduled time. If you enable this setting, catch-up scans for scheduled full scans will b
missed because the computer was turned off at the scheduled time. If you enable this setting, catch-up scans for scheduled quick scans w
es and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhe
recommended that you do not turn off heuristics.If you enable or do not configure this setting, heuristics will be enabled.If you disable th
zero, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days.If you enable this setting, item
ximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for th
e.If you enable this setting, definition updates will be downloaded from Microsoft Update.If you disable or do not configure this setting, de
ower state.If you disable this setting, definition updates will be turned off while the computer is running on battery power.
ations to disable definitions that are causing false positive reports. You must have configured your computer to join Microsoft MAPS for th
n update has definitions for a threat involving that file, the service will receive all of the latest definitions for that threat immediately. You
service startup.If you disable this setting or do not configure this setting, a check for new definitions will not occur after service startup.
rated string enumerating the definition update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default.If you enable this se
update will occur after the specified number of days.If you disable or do not configure this setting, a catch-up definition update will be requ
dditional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this va
tional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value
tion update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, a
p when there is no antimalware engine present.If you disable this setting, definition updates will not be initiated on startup when there is
h the following ordinal number values: (0x0) Every Day (default) (0x1) Sunday (0x2) Monday (0x3) Tuesday (0x4) Wednesday (0x5) Thursday (0
r) to 24 (once per day).If you enable this setting, checks for definition updates will occur at the interval specified.If you disable or do not co
valent to 02:00 AM. By default this setting is configured to check for definition updates 15 minutes before the scheduled scan time. The sc
ou disable this setting, a scan will not start following a definition update.
e listed as a name value pair. The name defines a threat alert level. The value contains the action ID for the remediation action that should
sted as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that shoul
s, or additional data other than memory dumps.If you enable or do not configure this policy setting, any memory dumps generated for err
ng. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Admin
ed in the system event log. If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to th
s. If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution info
lay more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error. If you dis
o a Windows Error Reporting report are automatically declined, without notification to the user. If you disable or do not configure this polic
he server. If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data abou
al errors. If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.
tions, but does not upload additional report data until the computer is connected to a more permanent power source. If you enable this p
es not check for network cost policy restrictions, and transmits data even if network cost is restricted. If you disable or do not configure thi
e or IP address of an error report destination server on your organization’s network. You can also select Connect using SSL to transmit e
re all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only
hen the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be pla
n the Default pull-down menu to report either all application errors (the default setting), or no application errors. If the Report all errors in
r the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the S
at are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, a
that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show
If you disable this policy setting, operating system errors are not included in error reports. If you do not configure this policy setting, users
you disable this policy setting, unplanned shutdown events are not included in error reporting. If you do not configure this policy setting, u
he Consent level settings that are available in the pull-down menu in this policy setting: - Always ask before sending data: Windows promp
vent types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no respo
g always override any other consent policy setting. If you disable or do not configure this policy setting, custom consent policy settings for
ypassed. It permits installations to complete that otherwise would be halted due to a security violation. If you disable or do not configure t
can search for installation files even when the installation program is running with elevated system privileges. Because the installation is ru
es. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for m
as floppy disks and CD-ROMs, even when the installation program is running with elevated system privileges. This policy setting does not a
e usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automati
erence updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media whe
some upgrades to fail. Upgrades can fail if they attempt to do one of the following: (1) Remove a component from a feature. This can also o
UI is allowed to run.
et browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation. If you enab
grades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some insta
s policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is prim
plication to create digitally signed updates that can be applied by non-privileged users. If you enable this policy setting, only administrators
le is a lockdown environment where you want to ensure that updates once installed cannot be removed by users or administrators. If you
from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer fr
on or update. If you enable this policy setting, you can use the options in the Prohibit Use of Restart Manager box to control file in use det
if the policy setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per us
ature from" list in the Windows Installer dialog box is disabled. As a result, users must select an installation file source from the "Use featu
etting, the transform file is saved in a secure location on the user's computer. If you do not configure this policy setting on Windows Serve
tting, you can specify the types of events you want Windows Installer to record. To indicate that an event type is recorded, type the letter
ers to a previous state without losing personal data files. If you enable this policy setting, the Windows Installer does not generate System
e package. If you enable this policy setting, you can use the options in the Disable logging via package settings box to control automatic log
utesShared attribute in the Component Table. If you disable or do not configure this policy setting, by default, the shared component func
y a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting. -- The "Never" o
mode software cannot simulate the SAS. If you set this policy setting to "Services," services can simulate the SAS. If you set this policy setti
ows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the
notification popup will be displayed to the user when the user logs on with cached credentials. If disabled or not configured, no popup will
y saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows U

pplication is allowed.
d record live television. If you enable this policy setting, Windows Media Center will not run. If you disable or do not configure this policy se
quisition and security upgrades. When this policy is enabled, programs are not able to acquire licenses for secure content, upgrade Window
in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is n
t time a user starts Windows Media Player. This policy setting prevents the dialog boxes which allow users to select privacy, file types, and
disable or do not configure this policy setting, users can choose whether to add the Player shortcut icon to their desktops.
Media Player with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or fr
bar. If you disable or do not configure this policy setting, the user can choose whether to add the shortcut for the Player to the Quick Laun
. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and is not available.
essenger can be used. Note: If you enable this policy setting, Remote Assistance also cannot use Windows Messenger. Note: This policy setti
not configure this policy setting, Windows Messenger will be loaded automatically at logon. Note: This policy setting simply prevents Wind
nts and the .exe file does not launch it. If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe fil
t value for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter
Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails
low only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher. The "Allow local scripts and re
r control panel, and to respond to WMI requests. If you enable or do not configure this policy setting, the listed providers will respond to W
WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text. If you disable or do not co
on. If you disable or do not configure this policy setting, the WinRM client does not use CredSSP authentication.
lient sends and receives unencrypted messages over the network. If you disable or do not configure this policy setting, the WinRM client se
cation. If you disable or do not configure this policy setting, the WinRM client uses Digest authentication.
(WinRM) client does not use Kerberos authentication directly. Kerberos can still be used if the WinRM client is using the Negotiate authen
uthentication. If you disable or do not configure this policy setting, the WinRM client uses Negotiate authentication.
ble this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. T
e accepts Basic authentication from a remote client. If you disable or do not configure this policy setting, the WinRM service does not
rvice accepts CredSSP authentication from a remote client. If you disable or do not configure this policy setting, the WinRM service doe
u enable this policy setting, the WinRM service automatically listens on the network for requests on the HTTP transport over the default H
client sends and receives unencrypted messages over the network. If you disable or do not configure this policy setting, the WinRM client
oes not accept Kerberos credentials over the network. If you disable or do not configure this policy setting, the WinRM service accepts
ervice does not accept Negotiate authentication from a remote client. If you disable or do not configure this policy setting, the WinRM
service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the Ru
ses the level specified in HardeningLevel to determine whether or not to accept a received request, based on a supplied channel binding t
ner always appears. If you disable or do not configure this policy setting, the HTTP listener never appears. When certain port 80 lis
tener always appears. If you disable or do not configure this policy setting, the HTTPS listener never appears. When certain port 44
tting, new remote shell connections are allowed.
he new shell connections are rejected if they exceed the specified limit. If you disable or do not configure this policy setting, the default nu
60000 milliseconds (1 minute) is used for smaller values. If you enable this policy setting, the server will wait for the specified amount of tim
0 equals unlimited memory, which means the ability of remote operations to allocate memory is only limited by the available virtual mem
mber of process per shell. Zero (0) means unlimited number of processes. If you disable or do not configure this policy setting, the limit is fi
hells. If you enable this policy setting, the user cannot open new remote shells if the count exceeds the specified limit. If you disable or do n

ely install these updates once they are downloaded and ready to install. If the status is set to Disabled, such updates will not be installed im
ows Automatic Update and Microsoft Update will include non-administrators when determining which logged-on user should receive upda
enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, if they are
r can be configured to start with any value from 15 to 180 minutes. When the timer runs out, the restart will proceed even if the PC has si
nt of the hours specified. For example, if this policy is used to specify a 20 hour detection frequency, then all clients to which this policy is
s you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options i
nstallation is finished. If the status is set to Disabled or Not Configured, the default wait time is 15 minutes. Note: This policy applies only wh
t shut down choice (Hibernate, Restart, etc.) is the default option in the Shut Down Windows dialog box, regardless of whether the 'Install
Windows Update, and other services like Microsoft Update or the Windows Store. Enabling this policy will disable that functionality, and m
will not appear as a choice in the Shut Down Windows dialog box, even if updates are available for installation when the user selects the
ntranet Microsoft update service which uses it to determine which updates should be deployed to this computer. If the intranet Microsoft
ate will only automatically wake up the system if Windows Update is configured to install updates automatically. If the system is in hibern
tatus is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to
after the previous prompt for restart was postponed. If the status is set to Disabled or Not Configured, the default interval is 10 minute
tallation that did not take place earlier will occur the specified number of minutes after the computer is next started. If the status is set to
work to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computer
mended updates as well as important updates from Windows Update update service. When disabled or not configured Automatic Updates
ue and promote the installation and use of optional software. This policy setting is intended for use in loosely managed environments in w
s of the affected computer. This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manu
y become workplace-joined upon domain user logon. Note: Additional requirements may apply on certain Windows versions and SKUs. Re
ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by
hose colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text.
etting, type the fully qualified path and name of the file that stores the default lock screen image. You can type a local path, such as C:\win
ers cannot change it. If the specified background is not supported, the default background is used.

to change them. If the "Force a specific background and accent color" policy is also set on a supported version of Windows, then those colo
ngs, and the camera cannot be invoked on the lock screen.
will ever start.
ser on that system. If you disable or do not configure this policy setting, language packs that are installed as part of the system image
target computer or you disable this policy setting, the language selection defaults to the language selected by the local administrator. If yo
rator as the system UI languages. The UI language selected by the user will be ignored if it is different than any of the system UI languages
includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser hist
ount Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default
scover domain controllers. This value is specified in minutes. If you disable or do not configure this policy setting, the default value of 15 mi
makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the s
anch Cache. If you disable or do not configure this policy setting, the BITS client uses Windows Branch Cache. Note: This policy s
puter will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the
puter will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers. I
pecify in days the maximum age of files in the cache. You can enter a value between 1 and 120 days. If you disable or do not configur
the total system disk for the peercache. If you enable this policy setting, you can enter the percentage of disk space to be used for th
By default BITS uses a maximum download time of 90 days (7,776,000 seconds). If you enable this policy setting, you can set the m
ndwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. If you enable this
work interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a m
maximum number of BITS jobs a user can create to the specified number. If you disable or do not configure this policy setting, BITS w
tting, BITS will limit the maximum number of BITS jobs to the specified number. If you disable or do not configure this policy setting, B
specified number. If you disable or do not configure this policy setting, BITS will use the default value of 200 for the maximum numbe
t can be added to a file to the specified number. If you disable or do not configure this policy setting, BITS will limit ranges to 500 ran
you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured
define a separate set of network bandwidth limits and set up a schedule for the maintenance period. You can specify a limit to use fo
not defined in a work schedule are considered non-work hours. If you enable this policy setting, you can set up a schedule for limiting
b are deleted from the disk. Note: Any property changes to the job or any successful download action will reset this timeout. Con
ent from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round
using different versions of BranchCache might store cache data in incompatible formats. If you enable this policy setting, all clients use the v
servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configu
which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cac
tion: Select one of the following: - Not Configured. With this selection, BranchCache client computer cache age settings are not applied to cli
nt from BranchCache-enabled main office content servers, cache the content locally, and serve the content to other BranchCache distribut
ent, it is able to download cached content from a hosted cache server that is located at the branch office. In addition, when the hosted cac
t to 5 percent of the total disk space on the client computer. Policy configuration: Select one of the following: - Not Configured. With this sele
BranchCache Distributed Cache mode - Set BranchCache Hosted Cache mode - Configure Hosted Cache Servers. Policy configuration: Select o
server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot. For example, if attaching suffixes
t configure this policy setting, NetBT queries will only be issued for single-label names such as "example" and not for multi-label and fully
ed to all network connections used by computers that receive this policy setting. If you disable this policy setting, or if you do not configure
To use this policy setting, you must enter at least one IP address. If you enable this policy setting, the list of DNS servers is applied to all net
ers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the
ork connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a netwo
not converted to the Nameprep form.
LMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, responses from link local protocols will be preferred over DNS re
t receive it, you must restart Windows. If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix an
me is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a qu
suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used wh
t performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary D
will be determined by the option that you choose under Register PTR records. To use this policy setting, click Enabled, and then select one
n if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be autom
records and does not allow a DNS client to overwrite records that are registered by other computers. During dynamic update of resource
be applied to DNS resource records registered for all network connections used by computers that receive this policy setting. If you disable
figured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
LMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conv
the network binding order is used to determine which response to accept. If you enable this policy setting, the DNS client will not perform
you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. If you dis
ic updates. Only secure - computers send only secure dynamic updates. If you enable this policy setting, computers that attempt to send dy
s the authoritative zone is a top-level domain or root zone. If you enable this policy setting, computers send dynamic updates to any zone t
atically on subsequent attempts. Credentials can also be configured by network operators. If you enable this policy setting, or if you do not
es installed. Policy configuration: Select one of the following: - Not Configured. With this selection, hash publication settings are not applied t
is supported, content information for that version is the only type that is generated by BranchCache, and it is the only type of content info
his policy setting, additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" optio
h as bandwidth estimation and network health analysis. If you enable this policy setting, additional options are available to fine-tune your
weaker than what would be allowed for a login password. This setting controls this validation behavior. If set to 1, then this validation will n
ill be turned off. If you disable this setting or do not configure it, the peer-to-peer protocols will be turned on.
ers cannot detect that client and initiate sessions with it. If you enable this policy setting, this computer cannot register PNRP names, and
peer to peer can be used as a seed server. No configuration is needed for the seed server itself. This setting provides the added flexibility
by using multicast on the same subnet. That is, PNRP publishes itself on the local subnet, so that other computers can find it when neede
peer (P2P) connections. The PNRP cloud is a group of connected PNRP nodes, in which connections exist between peers so that a node in
ers cannot detect that client and initiate sessions with it. If you enable this policy setting, this computer cannot register PNRP names, and
ows for setting the seed server to a specified node in an enterprise. To use this setting, click Enable, and then enter a semicolon-delimited l
f is by using multicast on the same subnet. That is, PNRP publishes itself on the local subnet, so that other computers can find it when nee
peer (P2P) connections. The PNRP cloud is a group of connected PNRP nodes, in which connections exist between peers so that a node in
ers cannot detect that client and initiate sessions with it. If you enable this policy setting, this computer cannot register PNRP names, and
ows for setting the seed server to a specified node in an enterprise. To use this setting, click Enable, and then enter a semicolon-delimited l
f is by using multicast on the same subnet. That is, PNRP publishes itself on the local subnet, so that other computers can find it when nee
peer (P2P) connections. The PNRP cloud is a group of connected PNRP nodes, in which connections exist between peers so that a node in
user is connected to a network with local access only.
work other than the one it was connected to when the setting was refreshed, this setting does not apply. The Network Bridge allows users t
is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is co
resolution and addressing through DHCP, to the local private network. If you enable this setting, ICS cannot be enabled or configured by ad

nnel that DirectAccess establishes between the computer and the internal network, or directly through the local default gateway. If you en
s unsolicited messages. This policy setting overrides other policy settings that would block those messages. If you disable or do not configur
irewall blocks echo request messages sent by Ping running on other computers, but it does not block outbound echo request messages se
r subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel, the "File and Printer Sh
lls (RPC) and Distributed Component Object Model (DCOM). Additionally, on Windows XP Professional with at least SP2 and Windows Serv
ing messages are allowed. In the Windows Firewall component of Control Panel, the "Remote Desktop" check box is selected and adminis
ug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Fir
omponent in Control Panel allows administrators to define a local port exceptions list. If you disable this policy setting, the Windows Firewa
ws Firewall component in Control Panel allows administrators to define a local program exceptions list. If you disable this policy setting, the
must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successf
inbound port exceptions list defined by Group Policy. To view this port exceptions list, enable the policy setting and then click the Show b
program exceptions list defined by Group Policy. If you add a program to this list and set its status to Enabled, that program can receive u
and administrators cannot clear it. You should also enable the "Windows Firewall: Protect all network connections" policy setting; otherwi
the display of these notifications. In the Windows Firewall component of Control Panel, the "Notify me when Windows Firewall blocks a n
not configure this policy setting, and this computer sends a multicast or broadcast message to other computers, Windows Firewall waits a
Firewall does not run. This is the only way to ensure that Windows Firewall does not run and administrators who log on locally cannot sta
irewall blocks echo request messages sent by Ping running on other computers, but it does not block outbound echo request messages se
r subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel, the "File and Printer Sh
lls (RPC) and Distributed Component Object Model (DCOM). Additionally, on Windows XP Professional with at least SP2 and Windows Serv
ing messages are allowed. In the Windows Firewall component of Control Panel, the "Remote Desktop" check box is selected and adminis
ug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Fir
omponent in Control Panel allows administrators to define a local port exceptions list. If you disable this policy setting, the Windows Firewa
ws Firewall component in Control Panel allows administrators to define a local program exceptions list. If you disable this policy setting, the
must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successf
inbound port exceptions list defined by Group Policy. To view this port exceptions list, enable the policy setting and then click the Show b
program exceptions list defined by Group Policy. If you add a program to this list and set its status to Enabled, that program can receive u
and administrators cannot clear it. You should also enable the "Windows Firewall: Protect all network connections" policy setting; otherwi
the display of these notifications. In the Windows Firewall component of Control Panel, the "Notify me when Windows Firewall blocks a n
not configure this policy setting, and this computer sends a multicast or broadcast message to other computers, Windows Firewall waits a
Firewall does not run. This is the only way to ensure that Windows Firewall does not run and administrators who log on locally cannot sta

ise it is outside the network.

on proxied networks can access the Internet without relying on the Private Network capability. However, in most situations Windows Netw
tor to configure a set of proxies that provide access to intranet resources. If you disable or do not configure this policy setting, Windows Ne
pps if and only if the app has declared the Home/Work Networking capability. Windows Network Isolation attempts to automatically discov
h Group Policy are authoritative. This applies to both Internet and intranet proxies. If you disable or do not configure this policy setting, Win
ronment. Only network hosts within the address ranges configured via Group Policy will be classified as private. If you disable or do not co
this setting, you can use the "Action" box to specify how computers in the group respond. -- "Work offline" indicates that the computer ca
Offline Files is disabled and users cannot enable it. If you do not configure this policy setting, Offline Files is enabled on Windows client com
gure it, automatically and manually cached copies are retained on the user's computer for later offline use. Caution: Files are not synchron
ol when Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval' and 'Sync Variance' values to
onnect to a server when the presence of a server is detected. If you enable this setting, you can configure the threshold value that will be
link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline. If you enable this polic
c caching can be set on any network share. When a user opens a file on the share, the system automatically stores a copy of the file on the
do not configure this policy setting, a user can create a file of any type in the folders that have been made available offline.
t in extra charges on cell phone or broadband plans. If this setting is disabled or not configured, synchronization will not run in the backgro
nse times and decreases bandwidth consumption over WAN links. The cached files are temporary and are not available to the user when offl
Files cache are encrypted. This includes existing files as well as files added later. The cached copy on the local computer is affected, but th
ents you want Offline Files to record. To use this setting, in the "Enter" box, select the number corresponding to the events you want the s
e a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager prog
y 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. This setting appears in
sables the ability to adjust, through the Offline Files control panel applet, the disk space limits on the Offline Files cache. This prevents use
ue Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they are d
ype, or location.This setting does not prevent users from working offline or from saving local copies of files available offline. Also, it does n
sers cannot view or change the options on the Offline Files tab or Offline Files dialog box.This is a comprehensive setting that locks down th
dically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed fo
played for 15 seconds. You can use this setting to change the duration of the update reminder.This setting appears in the Computer Config
you disable or do not configure this policy setting, users can manually specify files and folders that they want to make available offline.Not
Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field bla
he "Work offline" command is displayed in File Explorer.
k Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value
le offline, all folders within that folder are also made available offline. Also, new folders that you create within a folder that is available offl
zed. Full synchronization ensures that offline files are complete and current. If you disable this setting, the system only performs a quick sy
zed at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon syn
" ensures that all cached files and folders are up-to-date with the most current version. If you disable or do not configure this setting, file
you enable this setting, the system hides the reminder balloons, and prevents users from displaying them.If you disable the setting, the sys
synchronized later.If you disable this policy setting, all administratively assigned folders are synchronized at logon.
ubmitted to a network adapter for transmission, but which have not yet been sent.If you enable this setting, you can limit the number of o
the default.If you enable this setting, you can use the "Bandwidth limit" box to adjust the amount of bandwidth the system can reserve.If y
d for the system, usually units of 10 microseconds.If you disable this setting or do not configure it, the setting has no effect on the system.I
ou enable this setting, you can change the default DSCP value associated with the Best Effort service type.If you disable this setting, the sys
cation.If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type.If you disable thi
f you enable this setting, you can change the default DSCP value associated with the Guaranteed service type.If you disable this setting, th
fication.If you enable this setting, you can change the default DSCP value associated with the Network Control service type.If you disable t
you enable this setting, you can change the default DSCP value associated with the Qualitative service type.If you disable this setting, the s
on.If you enable this setting, you can change the default DSCP value associated with the Best Effort service type.If you disable this setting,
specification.If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type.If you disa
cation.If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type.If you disable this setti
w specification.If you enable this setting, you can change the default DSCP value associated with the Network Control service type.If you d
tion.If you enable this setting, you can change the default DSCP value associated with the Qualitative service type.If you disable this settin
Effort service type.If you disable this setting, the system uses the default priority value of 0.Important: If the Layer-2 priority value for this s
h the Controlled Load service type.If you disable this setting, the system uses the default priority value of 0.Important: If the Layer-2 priorit
uaranteed service type.If you disable this setting, the system uses the default priority value of 0.Important: If the Layer-2 priority value for
th the Network Control service type.If you disable this setting, the system uses the default priority value of 0.Important: If the Layer-2 prio
ets.If you disable this setting, the system uses the default priority value of 0.Important: If the Layer-2 priority value for nonconforming pac
litative service type.If you disable this setting, the system uses the default priority value of 0.Important: If the Layer-2 priority value for thi
a community recognized by the SNMP service, while a community is a group of hosts (servers, workstations, hubs, and routers) that are ad
ng terminal values and monitoring network events.The manager is located on the host computer on the network. The manager's role is to
cy setting allows you to configure the name of the hosts that receive trap messages for the community sent by the SNMP service. A trap m
es:TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TL
a 6to4 host.If you disable or do not configure this policy setting, the local host setting is used, and you cannot specify a relay name for a 6
ally.If you disable or do not configure this policy setting, the local host setting is used.
xadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site.If you disable or do not configure this policy setting, the loc
ll be able to configure IP-HTTPS with one of the following settings:Policy Default State: The IP-HTTPS interface is used when there are no o
.If you disable or do not configure this policy setting, the local host setting is used.
do not configure this policy setting, the local host setting is used.If you enable this policy setting, you can configure ISATAP with one of the
customize a UDP port for the Teredo client.If you disable or do not configure this policy setting, the local host setting is used.
licy setting contains only one state:Policy Enabled State: If Default Qualified is enabled, Teredo will attempt qualification immediately and
nd UDP port mapping in the translation table of the Teredo client's NAT device.If you enable this policy setting, you can specify the refresh
tting, the local settings on the computer are used to determine the Teredo server name.
with one of the following settings: Default: The default state is "Client." Disabled: No Teredo interfaces are present on the host. Client: The
ation Limits will be disabled and system will not limit the number of autoconfigured addresses and routes.
host settings are used.If you enable this policy setting, Window Scaling Heuristics will be enabled and system will try to identify connectiv
re available to allow discovery and configuration over a specific medium. If you enable this policy setting, additional choices are available t
If you disable or do not configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point"
etting is not configured or is disabled, power management is enabled when the machine enters connected standby mode.
ernet, a new automatic connection attempt to the Internet is blocked. When the computer has at least one active connection to a Window
connection attempts - When the computer is already connected to a domain based network, all automatic connection attempts to non-
er network. If this policy setting is not configured or is disabled, clients are allowed to connect to roaming provider Mobile Broadban
ricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. - Fixed: Use of this connection is n
nection is unlimited and not restricted by usage charges and capacity constraints. - Fixed: Use of this connection is not restricted by usage
onnection is unlimited and not restricted by usage charges and capacity constraints. - Fixed: Use of this connection is not restricted by usa
Internet printing is an extension of Internet Information Services (IIS). To use Internet printing, IIS must be installed, and printing sup
e network scan page will not be displayed. If this policy setting is not configured, the Add Printer wizard will display the default numb
displayed. If this setting is not configured, the Add Printer wizard will display the default number of printers of each type: TCP/IP printers:
tinue to be shared.The spooler must be restarted for changes to this policy to take effect.
er's shared printers cannot be published in Active Directory, and the "List in directory" option is not available. Note: This setting tak
the computer that published the printers restarts, it republishes any deleted printer objects. If you enable this setting or do not confi
have a relatively powerful CPU as compared to the machine's GPU.
print jobs before sending them to the print server. This decreases the workload on the client at the expense of increasing the load on the s
blish printers. However, you can publish shared printers manually. The default behavior is to automatically publish shared printers in Ac
ng, the default MXDW output format is OpenXPS (*.oxps).
mputer is operating. To enable this additional verification, enable this setting, and then select a verification interval. To disable
ocation Tracking is enabled, the system uses the specified location as a criterion when users search for printers. The value you type here o
eb page customized for your enterprise. If you disable this setting or do not configure it, or if you do not enter an alternate Internet a
uning service "prunes" (deletes from Active Directory) printer objects the computer has published. By default, the pruning service co
ority influences the order in which the thread receives processor time and determines how likely it is to be preempted by higher priority th
espond to the contact message, the message is repeated for the specified number of times. If the computer still fails to respond, then the
ers may be installed on the local computer running Windows XP Home Edition and Windows XP Professional.If you do not configure this se
this policy setting, then all printer extensions will not be allowed to run. If you disable this policy setting or do not configure it, then al
print spooler will execute print drivers in an isolated process by default.If you disable this policy setting, the print spooler will execute print
erver driver cache.If you disable this policy setting, the client computer will only search the local driver store and server driver cache for co
007, Word 2010 and certain other applications are configured to support it. Other applications may also be capable of isolating print drive
es not respond to the contact attempt, the attempt is retried a specified number of times, at a specified interval. The "Directory pruning re
rvers.If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only.
do not explicitly opt out of Driver Isolation.If you disable or do not configure this policy setting, the print spooler uses the Driver Isolation
ackage point and print connections.Windows Vista and later clients will attempt to make a non-package point and print connection anytim
s will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a
rd method uses a printer's IP address and subnet mask to estimate its physical location and proximity to computers.If you enable this setti
ou disable this setting, shared printers are not announced to print browse master servers, even if Active Directory is not available.If you do
ws 2000 printers published outside their forest. The Windows pruning service prunes printer objects from Active Directory when th

isable or do not configure this policy setting, backups can include both system or data volumes.
icy setting, there is no restriction on locally attached storage or disk being backup target.
estriction on network share being backup target.
estriction on optical media being backup target.
triction on running run-once backups.

rst manually configure a device's Start screen layout to the desired look and feel. Once you are done, run the Export-StartLayout PowerSh
ates that the shutdown or restart is unplanned.If you disable this policy setting, the System State Data feature is never activated.If you do n
another computer. The DLT client can more reliably track links when allowed to use the DLT server. This policy should not be set unless t
the system.If you disable or do not configure this policy setting, only the default status messages are displayed to the user during these pr
enu list, the Shutdown Event Tracker is displayed when the computer shuts down.If you enable this policy setting and choose "Server Only
at are moved to an encrypted folder.This setting applies only to files moved within a volume. When files are moved to other volumes, or if
ed each time an administrator logs on to the server. However, if the administrator has selected the "Don't display this page at logon" o
ly on Windows shutdown behavior.This setting is only applicable when Windows shutdown is initiated by software programs invoking the
ndows has internally registered the required components.If you enable this policy setting and a component registration is missing, the syst
sk. You can specify the Timestamp Interval in seconds.If you disable this policy setting, the Persistent System Timestamp is turned off and
wait while their system starts or shuts down, or while users log on or off.
d to this policy setting. If you enable this policy setting, the commands function only for .chm files in the specified folders and their sub
If you disable or do not configure this policy setting, users can run all applications from online Help. Note: You can also restri
orruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new
ows Setup was run on the system.
cation used during the last time Windows Service Pack Setup was run on the system.
ke sure that they use system memory safely. If you enable this policy setting, DEP for HTML Help Executable is turned off. This will allo
s.If you enable this policy setting, users receive a customized Access Denied message from the file servers on which this policy setting is ap

y event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which
ult credentials can be delegated (default credentials are those that you use when first logging on to Windows).The policy becomes effectiv
ult credentials are those that you use when first logging on to Windows).If you disable or do not configure (by default) this policy setting,
entials can be delegated (fresh credentials are those that you are prompted for when executing the application).If you do not configure (b
credentials are those that you are prompted for when executing the application).If you do not configure (by default) this policy setting, afte
dentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).If you do
credentials are those that you elect to save/remember using the Windows credential manager).If you do not configure (by default) this p
you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.Note: The "Deny delegating d
ation).If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.Note: The "Deny dele
s credential manager).If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.Note:
ote Desktop ClientIf you enable this policy setting, restricted mode is enforced and participating apps will not delegate credentials to remo

0 seconds for a device installation task to complete before terminating the installation.
ror report is sent when a generic driver is installed.
nt enables you to more easily restore your system to its state before the activity. If you enable this policy setting, Windows does not creat
Panel > System and Security > System > Advanced System Settings > Hardware tab).If you disable or do not configure this policy setting, th
ce driver.If you disable or do not configure this policy setting, Windows sends an error report when a device driver that requests additiona
ot signed at all.If you enable or do not configure this policy setting, drivers that are signed by a Microsoft Windows Publisher certificate an
s will attempt to search Windows Update exactly one time. With this setting, Windows will not continually search for updates. This setting
first search the Managed Server, such as a Windows Server Update Services (WSUS) server. Only if no update is found will Windows then a
vice is being installed, unless the driver for the device suppresses the balloons.
l and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection o
installation take precedence over this one.If you enable this policy setting, Windows is allowed to install or update any device whose Plug
vent device installation take precedence over this one.If you enable this policy setting, Windows is allowed to install or update device driv
device installation.If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setti
sable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation.
h any of these device IDs" or the "Allow installation of devices for these device classes" policy setting.If you disable or do not configure thi
nstalling a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop
ented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setti
B hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a
tting, the system does not force a reboot.Note: If no reboot is forced, the device installation restriction right will not take effect until the s

The system determines the data that will be stored in the NV cache to optimize boot and resume. The required data is stored in the NV cac
e, the system tries to save power by aggressively spinning down the disk.If you do not configure this policy setting, the default behavior is
he while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks sp
ache. This allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power. Note that t
pply the disk quota to both fixed and removable media.
ff, and users cannot turn it on.If this policy setting is not configured, disk quota management is turned off by default, but administrators ca
e "Deny disk space to users exceeding quota limit" option on the Quota tab so administrators cannot make changes while the setting is in e
policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user ex
he system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators
ota Entries window changes to indicate that the user is approaching the disk quota limit. This setting overrides new users' settings for t
DCOM will look for an entry in the locally configured list.If you disable this policy setting, DCOM will not look in the locally configured DCO
d list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled.DCOM server a
signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store.If you disable or do no
nication settings" is disabled or not configured.If you enable this setting, administrators will not be prompted to search Windows Update.If
nd has not been tampered with. - Bad: The driver has been identified as malware. It is recommended that you do not allow known bad dr
t hub connected Enhanced Storage devices are allowed.If you disable or do not configure this policy setting, USB Enhanced Storage device
e or do not configure this policy setting, all Enhanced Storage devices are usable on your computer.
your computer.If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your com
devices are allowed on your computer.
torage device state is not changed when the computer is locked.
with properties defined on individual file servers by using File Classification Infrastructure, which is part of the File Server Resource Manag
vidual file servers by using File Classification Infrastructure, which is part of the File Server Resource Manager role service.If you enable th
ol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. Note: To make changes to this setting

se refer to the Windows Help section. NOTE: If this policy is Disabled or Not Configured, local administrators may select the types of symbo

ou disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis
ter in a remote office.To designate a user's primary computers, an administrator must use management software or a script to add prima
ws Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start
cy settings synchronously.If you enable this policy setting, Windows applies user Group Policy settings asynchronously, when logging on th
ot configure this policy setting: - No user-based policy settings are applied from the user's forest. - Users do not receive their roaming profi
DM files that were used to create the GPO while editing this GPO. This leads to the following behavior: - If you originally created the GPO w
when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner.Client computers will no
d to process across a slow network connection, to be applied during background processing, and to process even if the Group Policy object
owed to process across a slow network connection, to be applied during background processing, and to process even if the Group Policy ob
cross a slow network connection, to be applied during background processing, and to process even if the Group Policy objects (GPOs) are u
dwidth speed information. If Group Policy detects a bandwidth speed, Group Policy will follow the normal rules for evaluating if the Direct
plementing the disk quota policy set when it was installed.If you enable this policy setting, you can use the check boxes provided to change
to process across a slow network connection, to be applied during background processing, and to process even if the Group Policy objects
olicy set when it was installed.If you enable this policy setting, you can use the check boxes provided to change the options. If you disable o
nce items are allowed to process across a slow network connection, to be applied during background processing, and to process even if th
w network connection, to be applied during background processing, and to process even if the Group Policy objects (GPOs) are unchanged
ptions, Open With, and File Type preference items are allowed to process across a slow network connection, to be applied during backgro
ry, not for Group Policy objects on the local computer.This policy setting overrides customized settings that the program implementing the
oss a slow network connection, to be applied during background processing, and to process even if the Group Policy objects (GPOs) are un
in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to
The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response t
across a slow network connection, to be applied during background processing, and to process even if the Group Policy objects (GPOs) are
at the program implementing the Internet Explorer Maintenance policy set when it was installed.If you enable this policy setting, you can u
o process across a slow network connection, to be applied during background processing, and to process even if the Group Policy objects
ettings that the program implementing the IP security policy set when it was installed.If you enable this policy setting, you can use the che
d Local Group preference items are allowed to process across a slow network connection, to be applied during background processing, and
preventing disk contention. If you enable this policy setting, Group Policy will wait for the specified amount of time before runnin
nection and DUN Connection preference items are allowed to process across a slow network connection, to be applied during background
s are allowed to process across a slow network connection, to be applied during background processing, and to process even if the Group
and Power Scheme preference items are allowed to process across a slow network connection, to be applied during background processi
rinter, TCP/IP Printer, and Local Printer preference items are allowed to process across a slow network connection, to be applied during b
tems are allowed to process across a slow network connection, to be applied during background processing, and to process even if the Gro
this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has
s across a slow network connection, to be applied during background processing, and to process even if the Group Policy objects (GPOs) ar
Task and Immediate Task preference items are allowed to process across a slow network connection, to be applied during background pro
d.If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this setti
was installed.If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configu
across a slow network connection, to be applied during background processing, and to process even if the Group Policy objects (GPOs) are
ess across a slow network connection, to be applied during background processing, and to process even if the Group Policy objects (GPOs
ts stored in Active Directory, not for Group Policy Objects on the local computer.This policy setting overrides customized settings that the
to process across a slow network connection, to be applied during background processing, and to process even if the Group Policy objects
mputer that is being used.By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then, w
ed network set when it was installed.If you enable this policy, you can use the check boxes provided to change the options.If you disable t
the wireless network set when it was installed.If you enable this policy, you can use the check boxes provided to change the options.If you
ng, interactive users can generate RSoP.Note: This policy setting does not affect administrators. If you enable or disable this policy setting,

y runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attemp
tting, the default behavior applies. By default, computer policy is applied when the computer starts up. It also applies at a specified refresh
ated when the system starts.By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0
u enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller trie
s, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides a
hronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting over
gs.If you disable or do not configure this policy setting, updates can be applied while users are working. The frequency of updates is determ

al GPOs to ensure that only domain-based GPOs are applied.If you enable this policy setting, the system does not process and apply any Lo
ide extension settings that were included.If you enable this setting, RSoP logging is turned off.If you disable or do not configure this setting
ing and turn on tracing for the Applications extension for client computers.If you disable or do not configure this policy setting, by default
ging and turn on tracing for the Data Sources extension for client computers.If you disable or do not configure this policy setting, by defau
urn on tracing for the Devices extension for client computers.If you disable or do not configure this policy setting, by default event logging
g and turn on tracing for the Drive Maps extension for client computers.If you disable or do not configure this policy setting, by default eve
ging and turn on tracing for the Environment extension for client computers.If you disable or do not configure this policy setting, by defau
tracing for the Files extension for client computers.If you disable or do not configure this policy setting, by default event logging for this ex
logging and turn on tracing for the Folder Options extension for client computers.If you disable or do not configure this policy setting, by
rn on tracing for the Folders extension for client computers.If you disable or do not configure this policy setting, by default event logging f
rn on tracing for the Ini Files extension for client computers.If you disable or do not configure this policy setting, by default event logging f
turn on tracing for the Internet extension for client computers.If you disable or do not configure this policy setting, by default event loggin
you can configure event logging and turn on tracing for the Local User and Local Group extension for client computers.If you disable or do
vent logging and turn on tracing for the Network Options extension for client computers.If you disable or do not configure this policy setti
nt logging and turn on tracing for the Network Shares extension for client computers.If you disable or do not configure this policy setting,
logging and turn on tracing for the Power Options extension for client computers.If you disable or do not configure this policy setting, by
urn on tracing for the Printers extension for client computers.If you disable or do not configure this policy setting, by default event logging
vent logging and turn on tracing for the Regional Options extension for client computers.If you disable or do not configure this policy setti
urn on tracing for the Registry extension for client computers.If you disable or do not configure this policy setting, by default event logging
ent logging and turn on tracing for the Scheduled Tasks extension for client computers.If you disable or do not configure this policy setting
urn on tracing for the Services extension for client computers.If you disable or do not configure this policy setting, by default event loggin
nd turn on tracing for the Shortcuts extension for client computers.If you disable or do not configure this policy setting, by default event lo
g and turn on tracing for the Start Menu extension for client computers.If you disable or do not configure this policy setting, by default eve
his policy setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective feat
the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive
e the Store service to find an application.If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is
s must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and o
downloading drivers that are not already installed locally.If you enable this policy setting, print drivers cannot be downloaded over HTTP.I
e event is created by a Microsoft component. This text contains a link (URL) that, if clicked, sends information about the event to Microsoft
prove handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure co
andwriting recognition in future versions of Windows.If you enable this policy, users cannot start the handwriting recognition error reporti
etting, the Help and Support Center no longer retrieves nor displays "Did you know?" content.If you disable or do not configure this policy
efault search options.If you enable this policy setting, it removes the Knowledge Base section from the Help and Support Center "Set sear
om retrieving the list of ISPs, which resides on Microsoft servers.If you disable or do not configure this policy setting, users can connect to
ed from a Windows website in addition to providers specified in the registry.If you enable this policy setting, Windows does not download
the Web service to find an application.If you enable this policy setting, the link and the dialog for using the Web service to open an unhand
ver and making its shared printers available via HTTP.If you enable this policy setting, it prevents this client from printing to Internet printe
his policy setting, users can connect to Microsoft.com to complete the online Windows Registration.Note that registration is optional and i
used to format and display results.If you enable this policy setting, Search Companion does not download content updates during searche
sks in File Explorer folders.If you disable or do not configure this policy setting, the task is displayed.
to the web.If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders.If you disable or do
n is used to improve the product in future releases.If you enable this policy setting, Windows Messenger does not collect usage informatio
name, address, or any other personally identifiable information. There are no surveys to complete, no salesperson will call, and you can co
errors.If you disable or do not configure this policy setting, the errors may be reported to Microsoft via the Internet or to a corporate file sh
ge from a dedicated Web server or making a DNS request for a dedicated address.If you enable this policy setting, NCSI does not run eithe
when no local drivers are present.If you do not configure this policy setting, searching Windows Update is optional when installing a device

etting overrides this one.

ontrol and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domai
vious logons during user logon" policy setting located in the Windows Logon Options node under Windows Components also needs to be e
tting, domain controllers will request compound authentication. The returned service ticket will contain compound authentication only wh
h is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the a
too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will
equest compound authentication" must be configured and enabled in the resource account domain. If you enable this policy setting and th
the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the
5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, n
ections. Warning: When revocation check is ignored, the server represented by the certificate is not guaranteed valid. If you disable or do
its users will fail from computers with this policy setting enabled.If you enable this policy setting, the client computers in the domain enfor
quired to create compounded authentication and armor Kerberos messages in domains which support claims and compound authenticati
ns, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. I
mpt to use Kerberos by generating an SPN. If you enable this policy setting, only services running as LocalSystem or NetworkService
processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. If you enable this policy se
proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the dom
st configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy.If you
requests a referral ticket to the appropriate domain.If you disable or do not configure this policy setting, the Kerberos client does not sea
per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you do not configure this po
If the policy is Enabled, then the user will get input methods enabled for the system account on the sign-in page. If the policy is Dis
of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users.The policy setting "Restrict user locales
rs can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize
ricted to the specified list.The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (Un
cales in this list.To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting.The loca
's screen turns off before a password is required when waking the device. The allowable time is limited by any EAS settings or group polici
an the simple logon screen.If you disable or do not configure this policy setting, computers in a workgroup will present the simple logon sc
or do not configure this policy setting, Windows uses the default Windows logon background or custom background.
etwork to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon time
e computer belongs to the Fabrikam domain, the default domain for user logon is Fabrikam. If you enable this policy setting, the default log
C from the network or can connect the PC to other available networks without signing into Windows.
tart menu or by typing "Welcome" in the Run dialog box. If you disable or do not configure this policy, the welcome screen is displayed e
-joined computers.
nd services that the system starts.If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professio
this policy setting, the system ignores the run-once list.If you disable or do not configure this policy setting, the system runs the programs

Smart Card. An administrator can install additional credential providers for different sets of credentials (for example, to support biometric a
er interface appear are in the Logon UI, the Start menu and the Task Manager.If you disable or do not configure this policy setting, the Sw
g, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. T
offered the opt-in prompt for services during their first sign-in.If you enable this policy setting, Microsoft account users will see the opt-in

er's domain password will be cached in the system vault when using this feature.
ally prevents users from customizing the default behavior of the Windows Startup sound.If you enable this policy setting, the Windows Sta
he system vault when using this feature.
y default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptograp
sers may want to disable this feature if the PDC emulator is located over a slow WAN connection.If you enable this policy setting, the DCs t
sive read access to files on the share even when the caller has only read permission.If you disable or do not configure this policy setting, th
DomainName>[1B] NetBIOS name if it hasn't already been successfully added. None of these operations are critical. 15 minutes is optim
ead access to files on the share even when the caller has only read permission.When this setting is disabled or not configured, the SYSVOL
hgure this policy setting, it is not applied to any computers, and computers use their local configuration.
will be logged to the file. Higher values result in more verbose logging; the value of 536936447 is commonly used as an optimal setting.If yo
g file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified.If you disab
alue for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0.War
me that have not specified the DS_BACKGROUND_ONLY flag.The default value for this setting is 30 minutes (1800). The maximum value fo
hen the site to which a computer belongs is not specified, the computer automatically discovers its site from Active Directory.If you do no
setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry
4233600). The minimum value for this setting is 0.This setting is relevant only to those callers of DsGetDcName that have specified the DS_
s setting, that value becomes the retry interval for all subsequent retries until the value set in Final DC Discovery Retry Setting is reached.T
ue for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value
d DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to l
nds a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot me
back mechanism.NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not
the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will co
address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to supp
specified in the SRV record's Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host w
r a value in seconds (for example, the value "900" is 15 minutes).If you do not configure this policy setting, it is not applied to any DCs, and
he Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV records Target field and are all set
computed, the DC may do an address lookup on the client network name to discover other IP addresses which may then be used to comp
elect the mnemonics from the following list:Mnemonic Type DNS RecordLdapIpAddress A <DnsDomainName>Ldap SRV _
ed dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections.If you disable this p
date.DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS
he site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a D
tor DNS SRV records for those sites without a DC that are closest to it. The DC Locator DNS records are dynamically registered by the Net L
or DNS SRV records for those sites without a GC that are closest to it. The GC Locator DNS records and the site-specific SRV records are dy
ents to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If no
are used to locate the DC.If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-spe
not used if the AllowSingleLabelDnsDomain policy setting is enabled.By default, when no setting is specified for this policy, the behavior is
ocate a domain controller hosting an Active Directory domain specified with a single-label name.If you enable this policy setting, computer
trol this setting.
format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), indicating the power plan to
this setting.
this setting.

change this setting.


change this setting.

ery Notification Action" policy setting.If you disable this policy setting or do not configure it, users control this setting.

fication Action" policy setting.If you disable this policy setting or do not configure it, users control this setting.
an see and change this setting.
ee the "Low Battery Notification Level" policy setting.The notification will only be shown if the "Low Battery Notification Action" policy setti
s, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should au
s, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should au

y enter is hibernate.
y enter is hibernate.
rd when the system resumes from sleep.
rd when the system resumes from sleep.
y setting, users control this setting.If the user has configured a slide show to run on the lock screen when the machine is locked, this can pr
y setting, users control this setting.If the user has configured a slide show to run on the lock screen when the machine is locked, this can pr
users control this setting.If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the
users control this setting.If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the
to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep.If you disable or do not config
to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep.If you disable or do not config

l this setting.
l this setting.
dows will only reduce the brightness of the primary display integrated into the computer.If you disable or do not configure this policy setti
dows will only reduce the brightness of the primary display integrated into the computer.If you disable or do not configure this policy setti
or do not configure this policy setting, users control this setting.
or do not configure this policy setting, users control this setting.
g, Windows uses the same setting regardless of users' keyboard or mouse behavior. If you do not configure this policy setting, users con
g, Windows uses the same setting regardless of users' keyboard or mouse behavior. If you do not configure this policy setting, users con
trol this setting.If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display f
trol this setting.If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display f
ntrol this setting.
ntrol this setting.
d earlier to recover your computer" and "Reinstall Windows" (or "Return your computer to factory condition") appears on the "Advanced r
r the unsolicited Offer Remote Assistance.If you enable this policy setting, only computers running this version (or later versions) of the op
uter cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.If you do not configure this p
configure additional Remote Assistance settings.If you disable this policy setting, users on this computer cannot use email or file transfer
ustom message to display before a user allows a connection to his or her computer.If you enable this policy setting, the warning message
window drag -Turn off background "Full optimization" will include the following optimizations: -Use 16-bit color (8-bit color in Windows Vis

er. If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate
couraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag, but some applications written for the traditional delega
RPC runtime defaults to "Auto2" level.If you do not configure this policy setting, the RPC defaults to "Auto2" level. If you enable this policy
etrieve the extended error information by using standard Windows application programming interfaces (APIs).If you disable this policy setti
ng itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should n
cause connections will be timed out faster than expected. Using this policy setting you can force the RPC Runtime and the RPC/HTTP Prox
or do not configure this policy setting, write and read accesses are allowed to all removable storage classes.
o removable storage devices in remote sessions.

rage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Adm
nfigure this setting, the operating system does not force a reboot.Note: If no reboot is forced, the access right does not take effect until th
able storage class.
ovable storage class.
uring cross-forest logons without the DNS suffixes being configured.If you disable or do not configure this policy setting, user account cros
ach instruction in the shutdown script as it runs. The instructions appear in a command window.If you disable or do not configure this poli
rtup script as it runs. Instructions appear in a command window. This policy setting is designed for advanced users.If you disable or do not
complete before the user starts working, but it can delay the appearance of the desktop.If you disable or do not configure this policy settin
ning of startup scripts. As a result, startup scripts can run simultaneously.If you disable or do not configure this policy setting, a startup can
t (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. For example
werShell scripts are run before non-PowerShell scripts during user logon and logoff. For example, assume the following scenario: There are
stops script processing and records an error event.If you enable this setting, then, in the Seconds box, you can type a number from 1 to 32
d on managed servers.If you enable this policy setting, Server Manager uses the refresh interval specified in the policy setting instead of th
his policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server.If you do not configure th
ou do not configure this policy setting, Server Manager is displayed when a user logs on to the server. However, if the "Do not show me th

plications or GUI applications without visible top-level windows that block or cancel shutdown will not be automatically terminated during
The behavior of this policy setting depends on the "Turn off System Restore" policy setting.If you enable this policy setting, the option to co
y setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or cre
auses. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, trou
d.If you disable or do not configure this policy setting, the DPS deletes scenario data once it exceeds 128 megabytes in size.No reboots or s

ues. When failures are detected, the PCA will provide options to run the application in a compatibility mode or get help online through a M

his is the default recovery behavior for corrupted files.Silent: Detection, troubleshooting, and recovery of corrupted files will automatically
this policy setting, Windows displays the default alert text in the disk diagnostic message. No reboots or service restarts are required for th
rvice (DPS) detects and logs S.M.A.R.T. faults to the event log when they occur. If you enable this policy setting, the DPS also warns users o
ot detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handled by the DPS.If you do not con
o resolve a problem.If you disable this policy setting, MSDT cannot gather diagnostic data.If you do not configure this policy setting, MSDT
ed to completely troubleshoot the problem. If tool download is restricted, it may not be possible to find the root cause of the problem.If y
e a problem.By default, the support provider is set to Microsoft Corporation.If you disable this policy setting, MSDT cannot run in support
This is the default recovery behavior on Windows client.Silent: Detection, troubleshooting, and notification of MSI application to reinstall w
problem for interactive resolution. If you choose detection, troubleshooting and resolution, Windows will resolve some of these problems
or do not configure this policy setting, the scripted diagnostics execution engine runs all digitally signed packages.
ols from the Troubleshooting Control Panel.If you disable this policy setting, users cannot access or run the troubleshooting tools from the
t states, "Do you want the most up-to-date troubleshooting content?"If you enable or do not configure this policy setting, users who are c
d attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will b
y setting takes effect only under the following conditions: -- If the diagnostics-wide scenario execution policy is not configured. -- When the
ed.If you do not configure this policy setting, the DPS will enable Windows Performance PerfTrack by default.
ustion problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corr
roblems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective a
erformance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but n
oblems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective ac
PM owner authorization without requiring the user to enter the TPM owner password.You can choose to have the operating system store
ample, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. To find the command nu
cal list. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navi
t list.The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the W
ending commands to the Trusted Platform Module (TPM) that require authorization.This setting helps administrators prevent the TPM har
d from sending commands requiring authorization to the TPM. This setting helps administrators prevent the TPM hardware from entering
vented from sending commands to the Trusted Platform Module (TPM) that require authorization.This setting helps administrators preven
he TPM to run these commands. If you enable this policy setting, TPM owner information will be automatically and silently backed up to A
Windows 2000 Professional operating systems, the default file permissions for the newly generated profile are full control, or read and wr
ta transfer, the network's latency and connection speed are determined.This policy setting and related policy settings in this folder togeth
e of the computer they are using in case the server that stores the roaming profile is unavailable when the user logs on again. The local cop
elete on the next system restart all user profiles on the computer that have not been used within the specified number of days. If you disab
w to respond.If you enable this policy setting, the system does not detect slow connections or recognize any connections as being slow. As
nal pre-SP4 and Windows XP pre-SP1 operating systems, the default file permissions for the newly generated profile are full control acces
not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile.If y
or, preventing Windows from logging on the user with a temporary profile. If you enable this policy setting, Windows will not log on a user w
eting room computer or on a computer in a remote office.To designate a user's primary computers, an administrator must use manageme
ween the user's computer and the server that stores users' roaming user profiles.-- The system cannot access users' server-based profiles w
the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on
atch.When a user logs off of the computer, the system unloads the user-specific section of the registry (HKEY_CURRENT_USER) into a file
file. Similarly, when the user logs off this computer, the local copy of their profile, including any changes they have made, is merged with t
roaming profile is merged with the local profile. Similarly, when the user logs off the computer, the local copy of their profile, including an
eir roaming profile server is detected.In operating systems earlier than Microsoft Windows Vista, a dialog box will be shown to the user du
network.Note: Windows doesn't wait for the network if the physical network connection is not available on the computer (if the media is
name\Sharename\%USERNAME% to give each user an individual profile folder. If not specified, all users logging onto this computer will us
ng does not stop the roaming user profile's registry file from being uploaded at user logoff.If "Run at set interval" is chosen, then an interv
cation list, choose the location for the home folder. If you choose "On the network," enter the path to a file share in the Path box (for
he advertising ID for experiences across apps.
o change this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition apps (not desktop a
folder together define the system's response when roaming user profiles are slow to load.If you enable this policy setting, the system wai
ndow appears.
s XP files to the cache until the cache size reaches the quota.If you enable this policy setting, enter the maximum amount of disk space to b
File Protection to scan files more often.-- "Do not scan during startup," the default, scans files only during setup.-- "Scan during startup" a
%\System32\Dllcache directory.Note: Do not put the cache on a network shared directory.
this policy setting, Windows Time service uses the defaults of each of the following parameters.Several of the following values are scalar,
ters. NtpServer: The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of "dnsName,flags"
the local computer clock to synchronize time with NTP servers.If you disable or do not configure this policy setting, the local computer clo
er computers.
an create a list of approved ActiveX Install sites specified by host URL. If you disable or do not configure this policy setting, ActiveX cont
he trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service responds to certificate errors. By d

nfigure this policy setting, you cannot install LOB Windows Store apps.
Policy setting appliesMandatory user profiles and super-mandatory profiles, which are created by an administratorTemporary user profiles
etting, you'll need to install a developer license before you can develop Windows Store apps.
o sign in with an enterprise account instead.If you disable or do not configure this policy setting, users will need to sign in with a Microsoft
pp for a file type.If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can
ng a desktop app.If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; the
Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use.If you disable or don't set this po
ations. To run any 16-bit application or any application with 16-bit components, ntvdm.exe must be allowed to run. The MS-DOS subsystem
he most common issues affecting legacy applications. Enabling this policy setting removes the property page from the context-menus, bu
ys an Application Help message if the application has a known problem. Turning off the application compatibility engine will boost system pe
perience Improvement program is turned off, Application Telemetry will be turned off regardless of how this policy is set.Disabling teleme
or will be turned off and data will not be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is als
System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. If you enable this policy setting, the PCA will be turned
input and mouse input, user interface data, and screen shots. Steps Recorder includes an option to turn on and off data collection.If you
y setting, Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful fo

bers user's choice of what to do when a device is connected.


cute the program without user intervention. This creates a major security concern as code may be executed without user's knowledg
, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. Starting with Windows XP SP2, Autoplay is enabled
biometrics. Depending on the biometrics you use, enabling this policy setting can reduce the security of users who use biometrics to log o
, you must also configure the "Allow users to log on using biometrics" policy setting.If you disable this policy setting, the Windows Biometr
the domain.If you enable or do not configure this policy setting, all users can log on to a local Windows-based computer and can elevate p
e number of seconds the event remains active. This value cannot exceed 60 seconds.If you disable or do not configure this policy setting, a
ify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. Yo
on Deployment Guide on Microsoft TechNet for more information about the encryption methods available. This policy is only applicable to
on Deployment Guide on Microsoft TechNet for more information about the encryption methods available. This policy is only applicable to
can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. The user either can type a 48-digit
, memory will not be overwritten when the computer restarts. Preventing memory overwrite may improve restart performance but will in
. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using
e to computers running Windows Server 2008 or Windows Vista. If you enable this policy setting, BitLocker recovery information is automati
authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier
d or not configured, fixed data drives formatted with the FAT file system can be unlocked on computers running Windows Server 2008, W
-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Gro
of data to the drive. If you enable this policy setting, you can specify additional options that control whether BitLocker software-based enc
ity requirement setting to be effective the Group Policy setting "Password must meet complexity requirements" located in Computer Confi
he "Require use of smart cards on fixed data drives" check box. Note: These settings are enforced when turning on BitLocker, not when un
ed by BitLocker, it will be mounted with read and write access. If you disable or do not configure this policy setting, all fixed data drives on
be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store d
tting, all new BitLocker startup PINs set will be enhanced PINs. Note: Not all computers may support enhanced PINs in the pre-boot enviro
enable this policy, clients configured with a BitLocker Network Unlock certificate will be able to create and use Network Key Protectors. To
re flexibility for managing pre-boot configuration than legacy BitLocker integrity checks. If you enable or do not configure this policy setting
very agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from
e a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can confi
policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to t
roup policy only applies to computers with BIOS configurations or to computers with UEFI firmware with a Compatibility Service Module (
roup policy only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibi
writing of data to the drive. If you enable this policy setting, you can specify additional options that control whether BitLocker software-ba
For the complexity requirement setting to be effective the Group Policy setting "Password must meet complexity requirements" located in
er PINs or passwords. If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and p
ormation such as a PIN or Password. If you enable this policy setting, devices must have an alternative means of pre-boot input (such as an
be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store d
tion options can be required at startup, otherwise a policy error occurs. If you want to use BitLocker on a computer without a TPM, select th
indows Server 2008 or Windows Vista. On a computer with a compatible Trusted Platform Module (TPM), two authentication methods can
m validation data will not be refreshed when Windows is started following BitLocker recovery. If you do not configure this policy setting, pl
o the default BCD profile used by Windows 7. If you do not configure this policy setting, the computer will verify the default Windows BCD
enabled or not configured, removable data drives formatted with the FAT file system can be unlocked on computers running Windows Ser
Locker-protected removable data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in ei
writing of data to the drive. If you enable this policy setting, you can specify additional options that control whether BitLocker software-base
ve the Group Policy setting "Password must meet complexity requirements" located in Computer Configuration\Windows Settings\Securit
g the "Require use of smart cards on removable data drives" check box. Note: These settings are enforced when turning on BitLocker, not w
drives" to permit the user to run the BitLocker setup wizard on a removable data drive. Choose "Allow users to suspend and decrypt BitLo
ith read and write access. If the "Deny write access to devices configured in another organization" option is selected, only drives with identi
be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store d
he password reveal button will be displayed after a user types a password in the password entry text box. By default, the password reveal
l be displayed so the user can choose one and enter the correct password. If you disable this policy setting, users will always be required to
nabled. If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the truste
and unsigned gadgets will be extracted. The default is for Windows to extract both signed and unsigned gadgets.
e turned on.

accessible, if desktop composition is turned on. When Windows Flip 3D is activated with the Windows+Tab keys, a visual version of the des
setting requires a logoff for it to be applied.
sonalization. However, setting the accent will have no effect.
be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames th
or is used, if the user does not specify a color. Note: This policy setting can be used in conjunction with the "Prevent color changes of windo

er will not run. If you disable or do not configure this setting, Digital Locker can be run.

A new file is then started. If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded a
tem services can write, read, or clear this log.
overwrite old events. Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting
ent Log uses the system32 or system64 subdirectory.
ximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Prop
A new file is then started. If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded a
g. If you disable or do not configure this policy setting, only system software and administrators can read or clear this log.
overwrite old events. Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting
ent Log uses the system32 or system64 subdirectory.
ximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Prop
A new file is then started. If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded a
tem services can write, read, or clear this log.
overwrite old events. Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting
ent Log uses the system32 or system64 subdirectory.
ximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Prop

A new file is then started. If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded a
oftware and administrators can write or clear this log, and any authenticated user can read events from it.
overwrite old events. Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting
ent Log uses the system32 or system64 subdirectory.
ximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Prop

isplayed. Note: Allowing the use of remote paths in file shortcut icons can expose users' computers to security risks.
f you enable this policy setting, Windows SmartScreen behavior may be controlled by setting one of the following options: • Require app
user-defined properties, and properties stored in NTFS secondary streams.
application has been installed that can handle the file type or protocol association that was invoked.
On every logon, the policy settings are verified and Libraries for the user are updated or changed according to the path defined. If you disab
DISM documentation on TechNet. If this group policy is enabled and the client machine is domain-joined, the file will be processed and de

do not configure this policy setting, users will be able to choose whether they want hibernate to show through the Power Options Contro
o show through the Power Options Control Panel.
ure this policy setting, users will be able to choose whether they want sleep to show through the Power Options Control Panel.
his policy setting, users can choose how the ribbon appears when they open new windows.

l sort file names by increasing number value (for example, 3 < 22 < 111).
ders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in
fy that new and old locations point to the same network share. If both new and old locations point to the same share, the target path is u
cannot list and restore previous versions of files on local disks. If you do not configure this policy setting, it defaults to disabled.
restore previous versions of files on file shares. If you do not configure this policy setting, it is disabled by default.
opies, and can see only previous versions corresponding to on-disk restore points. If you disable this policy setting, users can see previous v
ng, the Restore button remains active for a previous version corresponding to a local file. If the user clicks the Restore button, Windows att
sponding to a backup. If you disable this policy setting, the Restore button remains active for a previous version corresponding to a backup
s policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. If the user clicks the Restor

e or do not configure this policy setting, users can add computers to a homegroup. However, data on a domain-joined computer is not sha
cations that require IIS might not receive a warning that IIS cannot be installed because of this Group Policy setting. Enabling this setting w
n this computer will not be prevented from using location information from the location feature.

this policy setting, all programs on this computer can use the Windows Location Provider feature.
utomatic Maintenance Control Panel. If you disable or do not configure this policy setting, the daily scheduled time as specified in Acti
g from its Activation Boundary, by up to this time. If you do not configure this policy setting, 4 hour random delay will be applied to Au
o effect. If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the

policy setting, the Windows XP version of the 802.1x Wireless Enforcement Client cannot participate in NAP.
e operating system selects an available port. If you disable or do not configure this policy setting, the operating system selects an available
nnect to a Network Projector Wizard to connect to a projector.
isplayed, but there are no clickable links for these elements. If you disable or do not configure this policy setting, the default behavior appl
Password Synchronization. If you disable or do not configure this policy setting, individual computers that are running Password Synchroni
n that are running Password Synchronization. If you disable or do not configure this policy setting, individual computers that are running P
ndividual computers that are running Password Synchronization log steps of password synchronization attempts based upon how the "Ena
ation automatically update a user's UNIX-based account password when the password is changed in the Windows environment, if the use
orkspace, can't hibernate the PC.
m a Windows To Go workspace, can use standby states to make the PC sleep.
device is connected will be enabled, and users will not be able to make changes using the Windows To Go Startup Options Control Panel it
uick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speak
fault, a license server issues an RDS CAL to any RD Session Host server that requests one. If you enable this policy setting and this policy setti
priate RDS or TS CAL for a connection. For example, a Windows Server 2008 license server will try to issue a Windows Server 2008 TS CAL f
uter. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. If yo
tificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when
nnects to the RD Session Host server even if the client cannot authenticate the RD Session Host server. Warn me if authentication fails: Th
n and saves his settings, any password that previously existed in the RDP file will be deleted. If you disable this setting or leave it not configu
mote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user will not be pr
an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the t
oth TCP and UDP protocols.
B devices over RDP to all users or only to users who are in the Administrators group on the computer. If you disable or do not configure thi
u disable or do not configure this policy setting, the IP address of the RD Session Host server is used if a virtual IP is not available.
nd network mask are used to select the network adapter used for the virtual IP addresses. If you disable or do not configure this policy setti
ller RDS Compatibility is turned off, and only one instance of the msiexec process can run at a time. If you disable or do not configure this p
must enter a list of programs to use virtual IP addresses. List each program on a separate line (do not enter any blank lines between prog
u disable or do not configure this policy setting, the IP address of the RD Session Host server is used if a virtual IP is not available.
e this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will m
n is attempted for all clients running Remote Desktop Connection whenever their network connection is lost. If the status is set to Disabled
f changing to a disconnected state, even if the client is physically disconnected from the RD Session Host server. If the client logs on to the
d administrator is logged off, any data not previously saved is lost. If you enable this policy setting, logging off the connected administrator
them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are d
ate, the user automatically reconnects to that session at the next logon. If you disable this policy setting, users are allowed to make unlimi
emote Desktop Protocol will not determine the network quality at the connect time, and it will assume that all traffic to this server origina
er UDP or TCP" If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP. If the UDP
on. 2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. 3. Full Control with
te. If you enable this policy setting, user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setti
disable or do not configure this policy setting, Fair Share CPU Scheduling is turned on.
ection (RDC). Users can choose to play the remote audio on the remote computer or on the local computer. Users can also choose to not p
can record audio by using an audio input device on the local computer, such as a built-in microphone. By default, audio recording redirecti
nt session time (current session time = server base time + client time zone). If you disable or do not configure this policy setting, the client c
ocal computer. By default, Remote Desktop Services allows Clipboard redirection. If you enable this policy setting, users cannot redirect Cl
top Services session. By default, Remote Desktop Services allows this COM port redirection. If you enable this policy setting, users cannot r
iveletter> on <computername>. You can use this policy setting to override this behavior. If you enable this policy setting, client drive redire
es allows LPT port redirection. If you enable this policy setting, users in a Remote Desktop Services session cannot redirect server data to th
device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection. Note: The clie
the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote compute
ect High, the audio will be sent without any compression and with minimum latency. This requires a large amount of bandwidth. If you sele
D Licensing that affect the RD Session Host server. If applicable, a notification will also be displayed that notes the number of days until the
onnecting to this RD Session Host server have an RDS Per User CAL. Per Device licensing mode requires that each device connecting to this
st server will attempt automatic license server discovery. In the automatic license server discovery process, an RD Session Host server in a
ces allows this client printer mapping. If you enable this policy setting, users cannot redirect print jobs from the remote computer to a loca
n use this policy setting to override this behavior. If you enable this policy setting, the default printer is the printer specified on the remote
inters are redirected in Remote Desktop Services sessions.
Services session. If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the RD Session Host
on the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client prin
tting located in User Configuration\Policies\Administrative Templates\System\User Profiles. If you enable this policy setting, you must spe
d, allowing a user to access the same profile for sessions on all RD Session Host servers that are configured to use the network share for us
the directory on a network share, type the Home Dir Root Path in the form \\Computername\Sharename, and then select the drive letter
licy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same use
oad-balanced farm. The farm name does not have to correspond to a name in Active Directory Domain Services. If you specify a new farm n
d-balanced farm should use the same RD Connection Broker server. If you enable this policy setting, you must specify the RD Connection Br
ote Desktop Session Host role service must be installed on the server. If the policy setting is enabled, the RD Session Host server joins the fa
nnection Broker server. If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is r
the farm with the fewest sessions. Redirection behavior for users with existing sessions is not affected. If the server is configured to use RD
indows Aero requires additional system and bandwidth resources, allowing desktop composition for remote desktop sessions can reduce
file, Remote Desktop Connection, Remote Desktop Services client, or through Group Policy. If you enable this policy setting, the desktop is
ect the algorithm that is optimized to use less memory, this option is less memory-intensive, but uses more network bandwidth. If you sele
um, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode consumes the lowest am
could be set to one of the following options: 1. Let the system choose the experience for the network condition 2. Optimize for server scala
Because font smoothing requires additional bandwidth resources, not allowing font smoothing for remote connections can improve conn
oteFX Codec. If you enable this policy setting, users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec
esktop, depending on the client configuration (see the Experience tab in the Remote Desktop Connection options for more information). S
s, and reduce server load. If you enable this policy setting, the color depth that you specify is the maximum color depth allowed for a u
le this policy setting, you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be
olicy setting, you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a num
sconnect" does not appear as an option in the drop-down list in the Shut Down Windows dialog box. If you disable or do not configure this
menu. As a result, users must type a security attention sequence, such as CTRL+ALT+END, to open the Windows Security dialog box on the
ecified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the
policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics. If you disable this policy
derer instead of the Microsoft Basic Render Driver as the default adapter. If you disable or do not configure this policy setting, all Remote D
ontent on the server by using graphics processing units (GPUs). By default, RemoteFX for RD Virtualization Host uses server-side GPUs to d
ations that use Silverlight or Windows Presentation Foundation. If you enable this policy setting, you must select the visual experience for w
our users, you can reduce network bandwidth usage by reducing the screen capture rate. You can also reduce network bandwidth usage b
efault, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client. If y
dministrators are able to make such changes. If you enable this policy setting the default security descriptors for existing groups on the RD
d, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication
te connections must use the security method specified in this setting. The following security methods are available: * Negotiate: The Negoti
icy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server. To determine whe
d an RD Session Host server during RDP connections. If you enable this policy setting, you need to specify a certificate template name. Onl
s during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The fo
s are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. Time limits are set locally by the serve
ll automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the
ect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services sessi
Desktop Services session without logging off and ending the session. When a session is in a disconnected state, running programs are kept
Host server, but it is not logged off. If you enable this policy setting, when a user closes the last running RemoteApp program associated wit
mporary folders when the user logs off. If you enable this policy setting, a user's per-session temporary folders are retained when the user
r each active session that a user maintains on a remote computer. These temporary folders are created on the remote computer in a Tem
ed list in the Favorites Center.
policy setting, the user receives a notification when a feed or Web Slice is available and can click the feed discovery button.
ugh the Feed APIs. If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure thr
eed or Web Slice by using the Feed APIs. A developer also cannot create or delete folders. If you disable or do not configure this policy setti
background.
P connection. If you disable or do not configure this policy setting, the Windows RSS Platform does not authenticate feeds to servers by usi
w in place of the query term for the search service URL. If your intranet search service is SharePoint Portal Server, your query should resem
mysearch2?q=$w. For each search scope, provide: 1) A name for the scope, such as 'IT Web'. 2) The URL to the search service. Use $w in plac
ted items or encrypted stores. This policy setting is not configured by default. If you do not configure this policy setting, the local setting, c
icy setting is not configured by default. If you do not configure this policy setting, the local setting, configured through Control Panel, will b
We recommend enabling this policy setting only on PCs where documents are stored in many languages. If you disable or do not configure
sx;.ppt;.pptx;.vsd;.xlsb;.xltx;.dot;.rtf

tions on removable drives can be added to libraries. In addition, locations on removable drives can be indexed.

setting, queries will be performed on the web and web results will be displayed when a user performs a query in Search. If you don't config
r performs a query in Search. If you disable this policy setting, queries will be performed on the web over metered connections and web re
ortions of a delegate mailbox that are cached locally. To have this policy affect all parts of a delegate mailbox, ensure that for Microsoft Ou
aged separately from online mailboxes. The "Enable Indexing of Uncached Exchange Folders" has no effect on delegate mailboxes. To stop
ute. To lower the burden on Microsoft Exchange servers, lower the rate of items indexed per minute. If you disable this policy, then online
he index. This policy has no effect if the Files on Microsoft Networks add-in is not installed. Disabled by default.
y is enabled, the Add and Remove locations options and any previously defined user locations will not be visible. When the policy is disab
ou disable or do not configure this policy setting, Windows Search monitors which folders are shared or not shared on this computer, and

Microsoft document filters (iFilters). This policy is disabled by default.

nto a single exclusion list. When this policy is disabled or not configured, the user can edit the default list of excluded file types. If you enab
load Public Folder Favorites option must be turned on.

ess the Advanced Options dialog for Search and Indexing Options in the Control Panel. This is the default for this policy setting.
cify an allow list of add-ins by providing the classID or ProgId string. For example, if you plan to deploy a particular iFilter, make sure that t
e full preview pane functionality is only available for Office documents in Office XP or later. When this policy is disabled or not configured,
users can see snippets related to their desktop search query. When this policy is disabled or not configured, the default is small icon view.
ult images and videos but not text from search results; -Off: Don't filter adult content from search results. If you disable or don't configure
heir search and other Microsoft experiences. -User info only: Share a user's search history and some Microsoft account info to persona
d or not configured, Windows Desktop Search automatically manages your index size.
o contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is no
erver for NIS. If you disable or do not configure this policy setting, individual computers that are running Server for NIS use the map update
rs that are running Server for NIS. If you disable or do not configure this policy setting, individual computers that are running the Server fo
default timeout value is 3 minutes for workstations and 15 minutes for servers.
hutdown interface. If you disable or do not configure this policy setting, the system creates the named pipe remote shutdown interface.

e to open and save files on SkyDrive using the SkyDrive app and file picker, and Windows Store apps will still be able to access SkyDrive usin
used to modify that restriction. If you enable this policy setting, certificates with the following attributes can also be used to log on with a
smart card cannot be used to log on to a domain. Note: This policy setting only affects a user's ability to log on to a domain. ECC certificat
u enable this policy setting, the integrated unblock feature will be available. If you disable or do not configure this policy setting then the in
art card signature key-based certificates will not be listed on the logon screen.
etting only controls the displaying of the certificate on the client machine. If you enable this policy setting certificates will be listed on the
user name or user name and domain will be displayed. If you disable or do not configure this policy setting, an optional field that allows us

he time of logon. If you disable or do not configure this policy setting, the default message will be displayed to the user when the smart car
or is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued f
ard. This can introduce a significant performance decrease in certain situations. Please contact your smart card vendor to determine if yo
message will not be displayed when a smart card device driver is installed. Note: This policy setting is applied only for smart cards that have
d prevent certain smart cards from working on Windows. Please consult your smart card manufacturer to find out whether you will be aff
N=User1, OU=Users, DN=example, DN=com and had a UPN of user1@example.com then "User1" will be displayed along with "user1@ex
ficates will not be made available to applications such as Outlook.
o be enabled: Turn on certificate propagation from smart card. If you disable this policy setting then root certificates will not be propagate
sable this policy setting, Smart Card Plug and Play will be disabled and a device driver will not be installed when a card is inserted in a Sma
gure this policy setting, Sound Recorder can be run.
download and installation of app updates is determined by a registry setting that the user can change using Settings in the Windows Store
dates is determined by a registry setting that the user can change using Settings in the Windows Store.

n syncing on" so that syncing is turned off by default but not disabled. If you do not set or disable this setting, "sync your settings" is on by d
ng is turned off by default but not disabled. If you do not set or disable this setting, syncing of the "app settings" group is on by default and
default but not disabled. If you do not set or disable this setting, syncing of the "AppSync" group is on by default and configurable by the us
favorites, will not be synced. Use the option "Allow users to turn browser syncing on" so that syncing is turned off by default but not disab
sktop personalization syncing on" so that syncing is turned off by default but not disabled. If you do not set or disable this setting, syncing o
e when this PC is on a metered connection. If you do not set or disable this setting, syncing on metered connections is configurable by the u
her Windows settings syncing on" so that syncing is turned off by default but not disabled. If you do not set or disable this setting, syncing o
rned off by default but not disabled. If you do not set or disable this setting, syncing of the "passwords" group is on by default and configu
t turned off by default but not disabled. If you do not set or disable this setting, syncing of the "personalize" group is on by default and con
g is turned off by default but not disabled. If you do not set or disable this setting, syncing of the "Start layout" group is on by default a

not configure this policy, users will be able to use this feature to print to a Journal Note.

ursors will be shown unless the user disables them in Control Panel.

isable this policy, applications can be launched from a hardware button.If you do not configure this policy, applications can be launched fr
ur system administrator."If you disable this policy, press and hold actions for buttons will be available.If you do not configure this policy, pr
, user and OEM defined button actions will occur when the buttons are pressed.
ch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboa
ext, symbols, numbers, or keyboard shortcuts.If you enable this policy, Input Panel will never appear next to text entry areas when using a
ols, numbers, or keyboard shortcuts.If you enable this policy, Input Panel will never appear next to any text entry area when a user is using
ly) only when these input languages or keyboards are installed. Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Wi
e Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable this policy, Input Pan
policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Pan
ng what keys are tapped when entering a password.Touch Keyboard and Handwriting panel enables you to use handwriting or an on-scree
Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, nu
bled and that the pen flicks notification will never be displayed. However, pen flicks, the pen flicks tray icon and pen flicks training (that ca
e this policy, pen flicks and related features are available.

her touch-specific features.If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and othe
windows by touch. If you disable this setting, the user can pan windows by touch.If you do not configure this setting, Touch Panning is on b
sk's property sheet upon completion of the "Add Scheduled Task" wizard. The task's property sheet allows users to change task characteri
that appear in Detail view and in the task preview.This setting prevents users from viewing and changing characteristics such as the progr
ation and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setti
Start in" box that determine the program and path for a task.As a result, when users create a task, they must select a program from the lis
esult, users cannot add new scheduled tasks by dragging, moving, or copying a document or program into the Scheduled tasks folder.This s
d User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in Us
sks folder.Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setti
d on.The default is for Windows Calendar to be turned on.
olor profiles that they previously installed. Administrators will be able to uninstall all color profiles.
tions Manager server.

tispyware definitions are disabled.If you disable or do not configure this setting, the antimalware service will be stopped when both antivir
vice will load as a low priority task.
d by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Group policy Settings will override pre
is setting, the proxy server will not be bypassed for the specified addresses.
utodetect 3. None If you enable this setting, the proxy will be set to the specified URL. If you disable or do not configure this setting, the prox
machines from undertaking a disk-intensive operation at the same time.If you enable or do not configure this setting, scheduled tasks will b
Windows Defender does not automatically take action on the detected threats, but prompts users to choose from the actions available fo
or malware and other potentially unwanted software.
racters. Longer strings will be truncated before display.If you enable this setting, the additional text specified will be displayed.If you disab
ayed to clients when they need to perform the specified actions.If you disable this setting, notifications will not be displayed to clients whe
uch as "obj" or "lib"). The value is not used and it is recommended that this be set to 0.
th or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully
ue pair, where the name should be a string representation of the path to the process image. Note that only executables can be excluded.
eference setting.
Additional information helps Microsoft create new definitions and help it to protect your computer. This information can include things li
tting, detection events will not be logged if there is more than one similar report (by definition GUID) in the specified number of minutes.If
n set GUID to enable test definitions is defined as: "{b54b6ac9-a737-498e-9120-6616ad3bf590}". The value is not used and it is recom
tected by a definition, then that definition is "retired". If all definitions for a given protocol are retired then that protocol is no longer pars

ss range. As an example, a range might be defined as: 157.1.45.123-60.1.1.1. The value is not used and it is recommended that this be set
ge might be defined as: 8080. The value is not used and it is recommended that this be set to 0.
s might be defined as: "C:\Windows\System32\App.exe" . The value is not used and it is recommended that this be set to 0.
defined as: 2925110632. The value is not used and it is recommended that this be set to 0.
configure this setting, Group Policy will take priority over the local preference setting.
ndefinitely and will not be automatically removed.
olicy will take priority over the local preference setting.
take priority over the local preference setting.
take priority over the local preference setting.
eference setting.
Policy will take priority over the local preference setting.
local preference setting.
tion. The appropriate configuration should be evaluated based on the server role. Note that this configuration is only honored for NTFS vol

ware detections.If you disable or do not configure this policy setting, Windows Defender will prompt users to take actions on malware det

this setting, a process scan will not be initiated when real-time protection is turned on.

p Policy will take priority over the local preference setting.


Monday(0x3) Tuesday(0x4) Wednesday(0x5) Thursday(0x6) Friday(0x7) Saturday(0x8) Never (default) If you enable this setting, a scheduled
r where the scan is executing.If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified

ng, a check for new definitions will occur before running a scan.If you disable this setting or do not configure this setting, the scan will star
ill take priority over the local preference setting.
ference setting.
cal preference setting.
eference setting.
priority over the local preference setting.

this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom s
y(0x5) Thursday(0x6) Friday(0x7) Saturday(0x8) Never (default) If you enable this setting, a scheduled scan will run at the frequency specifie
this setting, a quick scan will run at the interval specified.If you disable or do not configure this setting, a quick scan will run at a default tim
this setting, archive files will be scanned to the default directory depth level.
PU utilization will not exceed the percentage specified.If you disable or do not configure this setting, CPU utilization will not exceed the de
ill be scanned.If you disable or do not configure this setting, archive files will be scanned according to the default value.

me on the computer where the scan is executing.If you enable this setting, a daily quick scan will run at the time of day specified.If you disa
me on the computer where the scan is executing.If you enable this setting, a scheduled scan will run at the time of day specified.If you disa

for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next
ns for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the
mime (Outlook Express), binhex (Mac).If you enable this setting, e-mail scanning will be enabled.If you disable or do not configure this setti
ill be enabled.If you disable this setting, heuristics will be disabled.
.If you enable this setting, items will be removed from the scan history folder after the number of days specified.If you disable or do not c
the recommended state for this functionality. If you enable this setting, reparse point scanning will be enabled.If you disable or do not con
o not configure this setting, definition updates will be downloaded from the configured download source.
battery power.
to join Microsoft MAPS for this functionality to work.If you enable this setting or do not configure, the antimalware service will receive no
that threat immediately. You must have configured your computer to join Microsoft MAPS for this functionality to work.If you enable or d
t occur after service startup.
by default.If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been succ
p definition update will be required after the default number of days.
er interface. By default, this value is set to 14 days.If you enable this setting, spyware definitions will be considered out of date after the n
nterface. By default, this value is set to 14 days.If you enable this setting, virus definitions will be considered out of date after the number
teServer", "MMPC", and "FileShares" For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } If you
ated on startup when there is no antimalware engine present.
) Wednesday(0x5) Thursday(0x6) Friday(0x7) Saturday(0x8) Never If you enable this setting, the check for definition updates will occur at t
fied.If you disable or do not configure this setting, checks for definition updates will occur at the default interval.
e scheduled scan time. The schedule is based on local time on the computer where the check is occurring.If you enable this setting, the ch

emediation action that should be taken. Valid threat alert levels are: 1 = Low, 2 = Medium, 4 = High, 5 = Severe. Valid remediation action values
remediation action that should be taken. Valid remediation action values are: 2 = Quarantine, 3 = Remove, 6 = Ignore
mory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user.If you disable
omputer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.Import
nts and errors are logged to the system event log, as with other Windows-based programs.
soft. Additionally, solution information is not available in the Action Center in Control Panel.If you disable or do not configure this policy se
also report the error.If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting pol
e or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Comp
les that can contain data about the same event types as an earlier uploaded report.If you disable or do not configure this policy setting, W
rface for critical errors.
wer source.If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for so
disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile i
onnect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port number on the destination serv
o Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of repo
ether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavio
rors.If the Report all errors in Microsoft applications check box is filled, all errors in Microsoft applications are reported, regardless of the s
application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list are no
er reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box
never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the
gure this policy setting, users can change this setting in Control Panel. By default, Windows Error Reporting settings in Control Panel are se
configure this policy setting, users can adjust this setting using the control panel, which is set to "Upload unplanned shutdown events" by
ending data: Windows prompts users for consent to send reports. - Send parameters: Only the minimum data that is required to check for
n-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. - 0 (D
om consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determ
u disable or do not configure this policy setting, the security features of Windows Installer prevent users from changing installation option
s.Because the installation is running with elevated system privileges, users can browse through directories that their own permissions wou
hes can easily be vehicles for malicious programs, some installations prohibit their use.If you disable or do not configure this policy setting,
.This policy setting does not affect installations that run in the user's security context. By default, users can install from removable media w
e computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install p
prompts for source media when new updates are applied. If you enable this policy setting you can modify the maximum size of the Wi
from a feature.This can also occur if you change the GUID of a component. The component identified by the original GUID appears to be r

se the installation.If you enable this policy setting, the warning is suppressed and allows the installation to proceed.This policy setting is de
alicious programs, some installations prohibit their use.Note: This policy setting applies only to installations that run in the user's security
yweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch
cy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based applications.If you dis
users or administrators.If you enable this policy setting, updates cannot be removed from the computer by a user or an administrator. The
prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to it
r box to control file in use detection behavior.-- The "Restart Manager On" option instructs Windows Installer to use Restart Manager to d
ducts that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this
le source from the "Use features from" list that the system administrator configures. This policy setting applies even when the installa
licy setting on Windows Server 2003, Windows Installer requires the transform file in order to repeat an installation in which the transform
pe is recorded, type the letter representing the event type. You can type the letters in any order and list as many or as few event types as y
ler does not generate System Restore checkpoints when installing applications.If you disable or do not configure this policy setting, by defa
s box to control automatic logging via package settings behavior.-- The "Logging via package settings on" option instructs Windows Installe
t, the shared component functionality is allowed.
ation setting.-- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the defaul
SAS.If you set this policy setting to "Ease of Access applications," Ease of Access applications can simulate the SAS.If you set this policy setti
plays the date and time of the last successful logon by that user, the date and time of the last unsuccessful logon attempted with that use
not configured, no popup will be displayed to the user.
matic sign-in after a Windows Update restart. After the Windows Update restart, the user is automatically signed-in and the session is auto

do not configure this policy setting, Windows Media Center can be run.
ure content, upgrade Windows Media DRM security components, or restore backed up content licenses. Secure content that is already li
e anchor window displays is not available.If you disable or do not configure this policy setting, users can show or hide the anchor window
select privacy, file types, and other desktop options from being displayed when the Player is first started. Some of the options can be con
heir desktops.
m Windows Media Player or from programs that depend on the Player's media sharing feature.If you disable or do not configure this policy
or the Player to the Quick Launch bar.
is cleared and is not available.If you disable this policy setting, video smoothing occurs if necessary, and the Use Video Smoothing check b
essenger.Note: This policy setting is available under both Computer Configuration and User Configuration. If both are present, the Comput
setting simply prevents Windows Messenger from running initially. If the user invokes and uses Windows Messenger from that point on,
Mobility Center and the .exe file launches it.If you do not configure this policy setting, Windows Mobility Center is on by default.
ith the SourcePath parameter on the Update-Help cmdlet.If this policy setting is disabled or not configured, this policy setting does not set
e LogPipelineExecutionDetails property of the module to True. If you disable this policy setting, logging of execution events is disabled
The "Allow local scripts and remote signed scripts" policy setting allows any local scripts to run; scripts that originate from the Internet mu
ed providers will respond to WMI queries, and Reliability Monitor will display system reliability information.If you disable this policy settin
ext.If you disable or do not configure this policy setting, the WinRM client does not use Basic authentication.

cy setting, the WinRM client sends or receives only encrypted messages over the network.

is using the Negotiate authentication and Kerberos is selected.If you disable or do not configure this policy setting, the WinRM client uses

tion host is a trusted entity. The WinRM client uses this list when neither HTTPS nor Kerberos are used to authenticate the identity of the
, the WinRM service does not accept Basic authentication from a remote client.
etting, the WinRM service does not accept CredSSP authentication from a remote client.
P transport over the default HTTP port.To allow WinRM service to receive requests over the network, configure the Windows Firewall poli
licy setting, the WinRM client sends or receives only encrypted messages over the network.
ng, the WinRM service accepts Kerberos authentication from a remote client.
this policy setting, the WinRM service accepts Negotiate authentication from a remote client.
plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased fro
n a supplied channel binding token. If you disable or do not configure this policy setting, you can configure the hardening level locally o
s. When certain port 80 listeners are migrated to WinRM 2.0, the listener port number changes to 5985. A listener might be autom
ears. When certain port 443 listeners are migrated to WinRM 2.0, the listener port number changes to 5986. A listener might be au

s policy setting, the default number is five users.


or the specified amount of time since the last received message from the client before terminating the open shell.If you do not configure
d by the available virtual memory.If you enable this policy setting, the remote operation is terminated when a new allocation exceeds the
his policy setting, the limit is five processes per shell.
fied limit.If you disable or do not configure this policy setting, by default the limit is set to two remote shells per user.

updates will not be installed immediately.Note: If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
d-on user should receive update notifications. Non-administrative users will be able to install all optional, recommended, and important c
e service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.If you disable
l proceed even if the PC has signed-in users.If you disable or do not configure this policy, Windows Update will not alter its restart behavio
clients to which this policy is applied will check for updates anywhere between 16 and 20 hours.If the status is set to Enabled, Windows w
elect one of the four options in the Group Policy Setting: 2 = Notify before downloading and installing any updates. When Window
ote: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Autom
ardless of whether the 'Install Updates and Shut Down' option is available in the 'What do you want the computer to do?' list.If you disabl
sable that functionality, and may cause connection to public services such as the Windows Store to stop working.Note: This policy applies o
tion when the user selects the Shut Down option in the Start menu.If you disable or do not configure this policy setting, the 'Install Updates
puter.If the intranet Microsoft update service supports multiple target groups this policy can specify multiple group names separated by se
cally. If the system is in hibernation when the scheduled install time occurs and there are updates to be applied, then Windows Update wi
allation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer.Be aware that the co
e default interval is 10 minutes. Note: This policy applies only when Automatic Updates is configured to perform scheduled installation
t started.If the status is set to Disabled, a missed scheduled installation will occur with the next scheduled installation.If the status is set to
tes that apply to the computers on your network.To use this setting, you must set two servername values: the server from which the Auto
configured Automatic Updates will continue to deliver important updates if it is already configured to do so.
y managed environments in which you allow the end user access to the Microsoft Update service.If you enable this policy setting, a notific
lso prevents them from manually specifying the local folder in which Work Folders stores files. Work Folders will use the settings specified
indows versions and SKUs. Refer to the Windows Server 2012 R2 documentation on TechNet. http://go.microsoft.com/fwlink/?LinkId=307
ing touch, the keyboard, or by dragging it with the mouse.

ype a local path, such as C:\windows\web\screen\lockscreen.jpg or a UNC path, such as \\Server\Share\Corp.jpg.This can be used in conju

n of Windows, then those colors take precedence over this policy.If the "Force a specific Start background" policy is also set on a supporte

d as part of the system image but are not used by any user on that system will be removed as part of a scheduled clean up task.
by the local administrator.If you disable or do not configure this policy setting, there is no restriction of a specific language used for the Wi
any of the system UI languages.If you disable or do not configure this policy setting, the user can specify which UI language is used.
nternet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handw
ctures\guest.jpg. If the default pictures do not exist, an empty frame is displayed.If you enable this policy setting, the default user account
tting, the default value of 15 minutes applies.Note: The minimum value you can select is 15 minutes. If you try to set this setting to a value l
the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the o
Cache. Note: This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting d
he origin server. However, the computer will still make files available to its peers. If you disable or do not configure this policy setting
wnload files from peers. If you disable or do not configure this policy setting, the computer will offer downloaded and cached files to i
you disable or do not configure this policy setting, files that have not been accessed for the past 90 days will be removed from the peer cac
of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. If you disable or do not co
licy setting, you can set the maximum job download time to a specified number of seconds. If you disable or do not configure this po
s hours. If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits
oth are active, BITS will use a maximum of 30 percent of 56 Kbps. You can change the default behavior of BITS, and specify a fixed ma
figure this policy setting, BITS will use the default user BITS job limit of 300 jobs. Note: This limit must be lower than the setting specifi
configure this policy setting, BITS will use the default BITS job limit of 300 jobs. Note: BITS jobs created by services and the local admi
f 200 for the maximum number of files a job can contain. Note: BITS Jobs created by services and the local administrator account do
TS will limit ranges to 500 ranges per file. Note: BITS Jobs created by services and the local administrator account do not count towar
ad policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a prio
ou can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited
n set up a schedule for limiting network bandwidth during both work and nonwork hours. After the work schedule is defined, you can set t
ill reset this timeout. Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have p
which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency r
licy setting, all clients use the version of BranchCache that you specify in "Select from the following versions."If you do not configure this s
nt computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office.If you
these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group polici
settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do n
o other BranchCache distributed cache mode clients in the branch office. Policy configuration: Select one of the following: - Not Configured.
addition, when the hosted cache client obtains content from a content server, the client can upload the content to the hosted cache serve
Not Configured. With this selection, BranchCache client computer cache settings are not applied to client computers by this policy. In the
rs Policy configuration: Select one of the following: - Not Configured. With this selection, BranchCache settings are not applied to client com
example, if attaching suffixes is allowed, an unqualified multi-label name query for "server.corp" will be queried by the DNS client first. If t
d not for multi-label and fully qualified domain names.
tting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configure
NS servers is applied to all network connections used by computers that receive this policy setting. If you disable this policy setting, or if yo
example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DN
tion to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy se

s will be preferred over DNS responses if the local responses are from a network with a higher binding order.If you disable this policy settin
configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel.You can use this policy setting to prev
ser or application submits a query for a single-label domain name.The DNS client appends DNS suffixes to the single-label, unqualified dom
s. Devolution can be used when a user or application submits a query for a single-label domain name.The DNS client appends DNS suffixes
puter name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be
Enabled, and then select one of the following options from the drop-down list:Do not register: Computers will not attempt to register PTR
rent and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records.Warning: If record sca
dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A resource record might exist that associate
his policy setting.If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified
ers configured.
tion in scenarios in which conventional DNS name resolution is not possible.If you enable this policy setting, LLMNR will be disabled on all
he DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the D
BT for all networks. If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local respo
puters that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.If you disable this policy s
dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone.If you
policy setting, or if you do not configure this policy setting, Wi-Fi hotspots are automatically probed for WISPR protocol support.If you disa
ation settings are not applied to file servers. In the circumstance where file servers are domain members but you do not want to enable Br
s the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, Branch
eration while in domain" option to allow LLTDIO to operate on a network interface that's connected to a managed network. On the other
re available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow the Responder to operate
to 1, then this validation will not be performed and any password will be allowed. If set to 0, the validation will be performed.

not register PNRP names, and cannot help other computers perform PNRP lookups.If you disable or do not configure this policy setting, thi
provides the added flexibility of allowing your users to use their peer-to-peer applications at home as well. Here are the four ways in whic
puters can find it when needed.If you enable this setting, PNRP will not use multicast for bootstrapping. Specifying this registry key will bre
ween peers so that a node in the PNRP cloud can resolve names published by other nodes.PNRP creates a global cloud if the computer ha
not register PNRP names, and cannot help other computers perform PNRP lookups.If you disable or do not configure this policy setting, thi
enter a semicolon-delimited list of IPv6 addresses in the available field. If you enable this setting and you don't enter any address, no
omputers can find it when needed.If you enable this setting, PNRP will not use multicast for bootstrapping. Specifying this registry key will
ween peers so that a node in the PNRP cloud can resolve names published by other nodes.PNRP creates a global cloud if the computer ha
not register PNRP names, and cannot help other computers perform PNRP lookups.If you disable or do not configure this policy setting, thi
enter a semicolon-delimited list of DNS names or IPv6 addresses in the available field. If you enable this setting and you don't enter an
omputers can find it when needed.If you enable this setting, PNRP will not use multicast for bootstrapping. Specifying this registry key will
ween peers so that a node in the PNRP cloud can resolve names published by other nodes.PNRP creates a global cloud if the computer ha

Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segments together. This co
computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed,
be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog bo

ocal default gateway.If you enable this policy setting, all traffic between a remote client computer running DirectAccess and the Internet is
you disable or do not configure this policy setting, Windows Firewall makes no exception for messages sent by computers that authentica
und echo request messages sent by Ping running on this computer.If you enable this policy setting, you must specify which ICMP message
Panel, the "File and Printer Sharing" check box is selected and administrators cannot clear it.If you disable this policy setting, Windows Fir
at least SP2 and Windows Server 2003 with at least SP1, this policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited i
ck box is selected and administrators cannot clear it.If you disable this policy setting, Windows Firewall blocks this port, which prevents thi
e allowed. In the Windows Firewall component of Control Panel, the "UPnP framework" check box is selected and administrators cannot c
y setting, the Windows Firewall component in Control Panel does not allow administrators to define a local port exceptions list. However
u disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define a local program exc
nd information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incom
tting and then click the Show button. To add a port, enable the policy setting, note the syntax, click the Show button. In the Show Contents
d, that program can receive unsolicited incoming messages on any port that it asks Windows Firewall to open, even if that port is blocked
ctions" policy setting; otherwise, administrators who log on locally can work around the "Windows Firewall: Do not allow exceptions" polic
n Windows Firewall blocks a new program" check box is selected and administrators cannot clear it.If you do not configure this policy setti
ers, Windows Firewall waits as long as three seconds for unicast responses from the other computers and then blocks all later responses.N
who log on locally cannot start it.If you do not configure this policy setting, administrators can use the Windows Firewall component in Co
und echo request messages sent by Ping running on this computer.If you enable this policy setting, you must specify which ICMP message
Panel, the "File and Printer Sharing" check box is selected and administrators cannot clear it.If you disable this policy setting, Windows Fir
at least SP2 and Windows Server 2003 with at least SP1, this policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited i
ck box is selected and administrators cannot clear it.If you disable this policy setting, Windows Firewall blocks this port, which prevents thi
e allowed. In the Windows Firewall component of Control Panel, the "UPnP framework" check box is selected and administrators cannot c
y setting, the Windows Firewall component in Control Panel does not allow administrators to define a local port exceptions list. However
u disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define a local program exc
nd information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incom
tting and then click the Show button. To add a port, enable the policy setting, note the syntax, click the Show button. In the Show Contents
d, that program can receive unsolicited incoming messages on any port that it asks Windows Firewall to open, even if that port is blocked
ctions" policy setting; otherwise, administrators who log on locally can work around the "Windows Firewall: Do not allow exceptions" polic
n Windows Firewall blocks a new program" check box is selected and administrators cannot clear it.If you do not configure this policy setti
ers, Windows Firewall waits as long as three seconds for unicast responses from the other computers and then blocks all later responses.N
who log on locally cannot start it.If you do not configure this policy setting, administrators can use the Windows Firewall component in Co

most situations Windows Network Isolation will be able to correctly discover proxies. By default, any proxies configured with this setting a
his policy setting, Windows Network Isolation attempts to discover proxies and configures them as Internet nodes. This setting should NO
empts to automatically discover private network hosts. By default, the addresses configured with this policy setting are merged with the h
nfigure this policy setting, Windows Network Isolation attempts to automatically discover your proxy server addresses. For more informa
ate.If you disable or do not configure this policy setting, Windows Network Isolation attempts to automatically discover your private netw
ndicates that the computer can use local copies of network files while the server is inaccessible.-- "Never go offline" indicates that networ
nabled on Windows client computers, and disabled on computers running Windows Server, unless changed by the user.Note: Changes to
aution: Files are not synchronized before they are deleted. Any changes to local files since the last synchronization are lost.
' and 'Sync Variance' values to override the default sync interval and variance settings. Use 'Blockout Start Time' and 'Blockout Duration' to
e threshold value that will be used to determine a slow network connection.If this setting is disabled or not configured, the default thresh
offline.If you enable this policy setting, Offline Files uses the slow-link mode if the network throughput between the client and the server
stores a copy of the file on the user's computer. This setting does not limit the disk space available for files that users make available offlin
vailable offline.
on will not run in the background on network folders when the user's network is roaming, near, or over the plan's data limit. The network
t available to the user when offline. The cached files are not kept in sync with the version on the server, and the most current version from
al computer is affected, but the associated network copy is not. The user cannot unencrypt Offline Files through the user interface.If you d
g to the events you want the system to log. The levels are cumulative; that is, each level includes the events in all preceding levels."0" reco
Synchronization Manager progress dialog box: "Files of this type cannot be made available offline."This setting is designed to protect files
minder.This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in C
Files cache. This prevents users from trying to change the option while a policy setting controls it.If you enable this policy setting, you can
n work offline when they are disconnected from this server, or type "1" if they cannot.This setting appears in the Computer Configuration a
vailable offline. Also, it does not prevent them from using other programs, such as Windows Explorer, to view their offline files.This setting
sive setting that locks down the configuration you establish by using other settings in this folder.This setting appears in the Computer Con
0 minutes and are displayed for 15 seconds. You can use this setting to change the update interval.This setting appears in the Computer Co
ppears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuratio
t to make available offline.Notes:This policy setting appears in the Computer Configuration and User Configuration folders. If both policy se
ave the Value column field blank.If you disable this policy setting, the list of files and folders is deleted, including any lists inherited from lo

file or folder. Leave the Value column field blank.If you disable this policy setting, the list of files or folders made always available offline (i
in a folder that is available offline are made available offline when the parent folder is synchronized.If you disable this setting or do not co
stem only performs a quick synchronization. Quick synchronization ensures that files are complete, but does not ensure that they are curr
tomatically enables logon synchronization in Synchronization Manager.If this setting is disabled and Synchronization Manager is configure
not configuring this setting, files are not synchronized when the computer is suspended.Note: If the computer is suspended by closing the d
you disable the setting, the system displays the reminder balloons and prevents users from hiding them.If this setting is not configured, rem

you can limit the number of outstanding packets.If you disable this setting or do not configure it, then the setting has no effect on the sys
dth the system can reserve.If you disable this setting or do not configure it, the system uses the default value of 80 percent of the connecti
g has no effect on the system.Important: If a timer resolution is specified in the registry for a particular network adapter, then this setting i
ou disable this setting, the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is specified in the reg
service type.If you disable this setting, the system uses the default DSCP value of 24 (0x18).Important: If the DSCP value for this service ty
e.If you disable this setting, the system uses the default DSCP value of 40 (0x28).Important: If the DSCP value for this service type is specifi
rol service type.If you disable this setting, the system uses the default DSCP value of 48 (0x30).Important: If the DSCP value for this service
f you disable this setting, the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is specified in the re
ype.If you disable this setting, the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is specified in
ed Load service type.If you disable this setting, the system uses the default DSCP value of 0.Important: If the DSCP value for this service typ
vice type.If you disable this setting, the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is specifie
rk Control service type.If you disable this setting, the system uses the default DSCP value of 0.Important: If the DSCP value for this service t
e type.If you disable this setting, the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is specified i
Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuri
mportant: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored
the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when con
.Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is igno
y value for nonconforming packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that
e Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configu
hubs, and routers) that are administered together by SNMP. The SNMP service is a managed network node that receives SNMP packets fr
work. The manager's role is to poll the agents for certain requested information.If you enable this policy setting, the SNMP agent only acce
by the SNMP service. A trap message is an alert or significant event that allows the SNMP agent to notify management systems asynchron
H_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDH
ot specify a relay name for a 6to4 host.

ure this policy setting, the local host setting is used.If you enable this policy setting, you can configure 6to4 with one of the following settin
ce is used when there are no other connectivity options.Policy Enabled State: The IP-HTTPS interface is always present, even if the host ha

figure ISATAP with one of the following settings:Policy Default State: If the ISATAP router name is resolved successfully, the host will have
t setting is used.
qualification immediately and remain qualified if the qualification process succeeds.
g, you can specify the refresh rate. If you choose a refresh rate longer than the port mapping in the Teredo client's NAT device, Teredo m

resent on the host.Client: The Teredo interface is present only when the host is not on a network that includes a domain controller.Enterp

m will try to identify connectivity and throughput problems and take appropriate measures.If you disable this policy setting, Window Scalin
ditional choices are available to turn off the operations over a specific medium. If you disable this policy setting, operations are disabled ov
ireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards.
tandby mode.
ctive connection to a Windows domain, a new automatic connection to the same Windows domain is also blocked. Additional manual con
c connection attempts to non-domain networks are blocked. - When the computer is already connected to a non-domain based networ
ing provider Mobile Broadband networks.
ed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. - Variable: This connection
tion is not restricted by usage charges and capacity constraints up to a certain data limit. - Variable: This connection is costed on a per byt
nection is not restricted by usage charges and capacity constraints up to a certain data limit. - Variable: This connection is costed on a per b
t be installed, and printing support and this setting must be enabled. Note: This setting affects the server side of Internet printing only
will display the default number of printers of each type: Directory printers: 20 TCP/IP printers: 0 Web Services printers: 0
of each type:TCP/IP printers: 50Web Services printers: 50Bluetooth printers: 10Shared printers: 50If you would like to not display printers

. Note: This setting takes priority over the setting "Automatically publish new printers in the Active Directory".
able this setting or do not configure it, the domain controller prunes this computer's printers when the computer does not respond.

of increasing the load on the server.If you disable this policy setting on a client machine, the client itself will process print jobs into printer
y publish shared printers in Active Directory. Note: This setting is ignored if the "Allow printers to be published" setting is disabled.

ation interval. To disable verification, disable this setting, or enable this setting and select "Never" for the verification interval.
ers. The value you type here overrides the actual location of the computer conducting the search. Type the location of the user's com
t enter an alternate Internet address, the default link will appear in the Printers folder. Note: Web pages links only appear in the Print
default, the pruning service contacts computers every eight hours and allows two repeated contact attempts before deleting printers from
reempted by higher priority threads. By default, the pruning thread runs at normal priority. However, you can adjust the priority to
still fails to respond, then the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. B
If you do not configure this setting on Windows Server 2003 family products, the installation of kernel-mode printer drivers will be blocke
or do not configure it, then all printer extensions that have been installed will be allowed to run.
print spooler will execute print drivers in the print spooler process.Notes:-Other system or driver policy settings may alter the process in w
and server driver cache for compatible Point and Print drivers. If it is unable to find a compatible driver, then the Point and Print connectio
apable of isolating print drivers, depending on whether they are configured for it.If you enable or do not configure this policy setting, then
rval. The "Directory pruning retry" setting determines the number of times the attempt is retried; the default value is two retries. The "Dire
ooler uses the Driver Isolation compatibility flag value reported by the print driver.Notes:-Other system or driver policy settings may alter t
nt and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrat
ver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection wi
mputers.If you enable this setting, users can browse for printers by location without knowing the printer's location or location naming schem
ectory is not available.If you do not configure this setting, shared printers are announced to browse master servers only when Active Direc
rom Active Directory when the computer that published them does not respond to contact requests. Computers running Windows 2000 P

e Export-StartLayout PowerShell cmdlet on that same device. The cmdlet will generate an XML file representing the layout you configured
e is never activated.If you do not configure this policy setting, the default behavior for the System State Data feature occurs.Note: By defa
olicy should not be set unless the DLT server is running on all domain controllers in the domain.
yed to the user during these processes. Note: This policy setting is ignored if the "Remove Boot/Shutdown/Logon/Logoff status messages"
etting and choose "Server Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer
moved to other volumes, or if you create a new file in an encrypted folder, File Explorer encrypts those files automatically.
't display this page at logon" option at the bottom of the Manage Your Server page, the page is not displayed.
ftware programs invoking the Windows programming interfaces ExitWindowsEx() or InitiateSystemShutdown().If you enable this policy se
registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. The resulting searches might make som
m Timestamp is turned off and the timing of unexpected shutdowns is not recorded.If you do not configure this policy setting, the Persisten

specified folders and their subfolders. To restrict the commands to one or more folders, enable the policy setting and enter the desired
Note: You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Co
fully qualified path to the new location in the "Alternate source file path" text box. Multiple locations can be specified when each path is

able is turned off. This will allow certain legacy ActiveX controls to function without DEP shutting down HTML Help Executable. If you
which this policy setting is applied. If you disable this policy setting, users see a standard Access Denied message that doesn't provide any

kstations and servers on which this policy setting is applied.If you disable or do not configure this policy setting, the process's command lin
s).The policy becomes effective the next time the user signs on to a computer running Windows.If you disable or do not configure (by defa
by default) this policy setting, delegation of default credentials is not permitted to any machine.Note: The "Allow delegating default creden
on).If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted
default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Hos
credential manager).If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved creden
ot configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Des
.Note: The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represe
y server.Note: The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN re
s not specify any server.Note: The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (S
t delegate credentials to remote computers.If you disable or do not configure this policy setting, restricted mode is not enforced and parti

tting, Windows does not create a system restore point when one would normally be created.If you disable or do not configure this policy s
configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata
driver that requests additional software is installed.
ndows Publisher certificate and drivers that are signed by other Authenticode certificates are prioritized equally during the driver selection
earch for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily avai
e is found will Windows then also search Windows Update.If you disable or do not configure this policy setting, members of the Administra

cy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.If you disable or do not co
pdate any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifical
o install or update device drivers whose device setup class GUIDs appear in the list you create, unless another policy setting specifically pr
notification when a policy setting prevents device installation.
ents device installation.
disable or do not configure this policy setting, Windows is allowed to install or update the device driver for any device that is not described
y setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the rem
e. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote
at allows Windows to install a device.If you enable this policy setting, Windows is prevented from installing removable devices and existing
will not take effect until the system is restarted.

ed data is stored in the NV cache during shutdown and hibernate, respectively. This might cause a slight increase in the time taken for shu
etting, the default behavior is to allow the hybrid hard disks to be in power save mode.Note: This policy setting is applicable only if the NV
system by keeping the disks spun down while satisfying reads and writes from the cache.If you enable this policy setting, the system will no
ods to save power. Note that this can cause increased wear of the NV cache.If you do not configure this policy setting, the default behavior

default, but administrators can turn it on.To prevent users from changing the setting while a setting is in effect, the system disables the "E
hanges while the setting is in effect.If you do not configure this policy setting, the disk quota limit is not enforced by default, but administr
the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators cannot change the setting while a settin
ota tab so that administrators cannot change logging while a policy setting is in effect.If you do not configure this policy setting, no event is
es new users' settings for the disk quota limit and warning level on their volumes, and it disables the corresponding options in the "Sele
in the locally configured DCOM activation security check exemption list.If you do not configure this policy setting, DCOM will only look in
licy is enabled.DCOM server appids added to this policy must be listed in curly-brace format. For example: {b5dcb061-cefb-42e0-a1be-e6a
er store.If you disable or do not configure this policy setting, only members of the Administrators group are allowed to install new device d
to search Windows Update.If you disable or do not configure this setting, and "Turn off Windows Update device driver searching" is disab
ou do not allow known bad drivers to be initialized.- Bad, but required for boot: The driver has been identified as malware, but the compu
USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed.

devices are usable on your computer.


he File Server Resource Manager role service.If you enable this policy setting, the Classification tab is displayed.If you disable or do not con
er role service.If you enable this policy setting, you can select which list of properties is available for classification on the affected compute
make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service.

may select the types of symbolic links to be evaluated.

figurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disab
ftware or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting
ers when redirecting the Start Menu or legacy My Documents folder. If you disable or do not configure this policy setting, Windows Vista, Win
hronously, when logging on through Remote Desktop Services.If you disable or do not configure this policy setting, Windows Server applie
ot receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the use
u originally created the GPO with, for example, an English system, the GPO contains English ADM files.- If you later edit the GPO from a diff
anner.Client computers will not wait for the network to be fully initialized at startup and logon. Existing users will be logged on using cache
even if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle."Notes:1. The "Allow processing
ess even if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle."Notes:1. The "Allow proces
oup Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle."Notes:1. The "Allow processing across a slow
es for evaluating if the Direct Access connection is a fast or slow network connection. If no bandwidth speed is detected, Group Policy will
heck boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.The "Allow p
ven if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle."Notes:1. The "Allow processing a
ge the options. If you disable or do not configure this policy setting, it has no effect on the system.The "Allow processing across a slow net
ssing, and to process even if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle."Notes:1. T
objects (GPOs) are unchanged. By default, background processing priority is "Idle."Notes:1. The "Allow processing across a slow network c
, to be applied during background processing, and to process even if the Group Policy objects (GPOs) are unchanged. By default, backgrou
the program implementing the folder redirection policy setting set when it was installed.If you enable this policy setting, you can use the c
up Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle."Notes:1. The "Allow processing across a slow n
ead, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode
licy can specify the response to a slow link. Also, the policy processing settings in this folder let you override the programs' specified resp
roup Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle."Notes:1. The "Allow processing across a slow
le this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it h
en if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle."Notes:1. The "Allow processing ac
y setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effec
ng background processing, and to process even if the Group Policy objects (GPOs) are unchanged. By default, background processing prior
amount of time before running logon scripts. If you disable this policy setting, Group Policy will run scripts immediately after logon
be applied during background processing, and to process even if the Group Policy objects (GPOs) are unchanged. By default, background p
d to process even if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle."Notes:1. The "Allow
d during background processing, and to process even if the Group Policy objects (GPOs) are unchanged. By default, background processin
ection, to be applied during background processing, and to process even if the Group Policy objects (GPOs) are unchanged. By default, bac
and to process even if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle."Notes:1. The "A
figure this policy setting, it has no effect on the system.The "Do not apply during periodic background processing" option prevents the syst
Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle."Notes:1. The "Allow processing across a sl
pplied during background processing, and to process even if the Group Policy objects (GPOs) are unchanged. By default, background proce
e or do not configure this setting, it has no effect on the system.The "Allow processing across a slow network connection" option updates
f you disable or do not configure this policy setting, it has no effect on the system.The "Do not apply during periodic background processin
roup Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle."Notes:1. The "Allow processing across a slow
he Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle."Notes:1. The "Allow processing across a
s customized settings that the program implementing the software installation policy set when it was installed.If you enable this policy setti
ven if the Group Policy objects (GPOs) are unchanged. By default, background processing priority is "Idle."Notes:1. The "Allow processing a
this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy Objects determine which set of Group Po
nge the options.If you disable this setting or do not configure it, it has no effect on the system.The "Allow processing across a slow network
d to change the options.If you disable this setting or do not configure it, it has no effect on the system.The "Allow processing across a slow
e or disable this policy setting, by default administrators can view RSoP data.Note: To view RSoP data on a client computer, use the RSoP sn

e is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background
applies at a specified refresh interval or when manually invoked by the user.Note: This policy setting applies only to non-administrators. A
tes, with a random offset of 0 to 30 minutes.If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days).
utes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and
g this policy setting overrides any system-computed wait times.If you enable this policy setting, Group Policy will use this administratively c
figuring this policy setting overrides any system-computed wait times.If you enable this policy setting, Group Policy uses this administrative
requency of updates is determined by the "Set Group Policy refresh interval for computers" and "Set Group Policy refresh interval for user

s not process and apply any Local GPOs.If you disable or do not configure this policy setting, Local GPOs continue to be applied.Note: For c
or do not configure this setting, RSoP logging is turned on. By default, RSoP logging is always on.Note: To view the RSoP information logged
this policy setting, by default event logging for this extension includes only warnings and errors, and tracing for this extension is turned off
re this policy setting, by default event logging for this extension includes only warnings and errors, and tracing for this extension is turned
tting, by default event logging for this extension includes only warnings and errors, and tracing for this extension is turned off.Notes:1. Use
is policy setting, by default event logging for this extension includes only warnings and errors, and tracing for this extension is turned off.N
re this policy setting, by default event logging for this extension includes only warnings and errors, and tracing for this extension is turned
efault event logging for this extension includes only warnings and errors, and tracing for this extension is turned off.Notes:1. User Configu
nfigure this policy setting, by default event logging for this extension includes only warnings and errors, and tracing for this extension is tu
tting, by default event logging for this extension includes only warnings and errors, and tracing for this extension is turned off.Notes:1. User
tting, by default event logging for this extension includes only warnings and errors, and tracing for this extension is turned off.Notes:1. Use
etting, by default event logging for this extension includes only warnings and errors, and tracing for this extension is turned off.Notes:1. Us
computers.If you disable or do not configure this policy setting, by default event logging for this extension includes only warnings and erro
not configure this policy setting, by default event logging for this extension includes only warnings and errors, and tracing for this extensi
t configure this policy setting, by default event logging for this extension includes only warnings and errors, and tracing for this extension i
onfigure this policy setting, by default event logging for this extension includes only warnings and errors, and tracing for this extension is tu
tting, by default event logging for this extension includes only warnings and errors, and tracing for this extension is turned off.Notes:1. Use
not configure this policy setting, by default event logging for this extension includes only warnings and errors, and tracing for this extensi
etting, by default event logging for this extension includes only warnings and errors, and tracing for this extension is turned off.Notes:1. Us
ot configure this policy setting, by default event logging for this extension includes only warnings and errors, and tracing for this extension
etting, by default event logging for this extension includes only warnings and errors, and tracing for this extension is turned off.Notes:1. Us
cy setting, by default event logging for this extension includes only warnings and errors, and tracing for this extension is turned off.Notes:
s policy setting, by default event logging for this extension includes only warnings and errors, and tracing for this extension is turned off.N
such that their respective features can access the Internet. If you do not configure this policy setting, all of the policy settings in the "In
ed about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically
tem in the Open With dialog is removed.If you disable or do not configure this policy setting, the user is allowed to use the Store service an
r products of companies and organizations that it considers trusted authorities.If you enable this policy setting, when you are presented w
ot be downloaded over HTTP.If you disable or do not configure this policy setting, users can download print drivers over HTTP.
n about the event to Microsoft, and allows users to learn more about why that event occurred.If you enable this policy setting, event desc
m to Microsoft over a secure connection.If you enable this policy, Tablet PC users cannot choose to share writing samples from the handwr
riting recognition error reporting tool or send error reports to Microsoft.If you disable this policy, Tablet PC users can report handwriting r
or do not configure this policy setting, the Help and Support Center retrieves and displays "Did you know?" content.You might want to ena
and Support Center "Set search options" page, and only Help content on the local computer is searched. If you disable or do not configure
setting, users can connect to Microsoft to download a list of ISPs for their area.
Windows does not download providers, and only the service providers that are cached in the local registry are displayed.If you disable or d
Web service to open an unhandled file association are removed.If you disable or do not configure this policy setting, the user is allowed to u
om printing to Internet printers over HTTP.If you disable or do not configure this policy setting, users can choose to print to Internet print
t registration is optional and involves submitting some personal information to Microsoft. However, Windows Product Activation is requir
ontent updates during searches.If you disable or do not configure this policy setting, Search Companion downloads content updates unles

ws folders.If you disable or do not configure this policy setting, the tasks are shown.
es not collect usage information, and the user settings to enable the collection of usage information are not shown.If you disable this polic
erson will call, and you can continue working without interruption. It is simple and user-friendly.If you enable this policy setting, all users a
nternet or to a corporate file share.This policy setting overrides any user setting made from the Control Panel for error reporting.Also see t
tting, NCSI does not run either of the two active tests. This may reduce the ability of NCSI, and of other components that use NCSI, to dete
tional when installing a device.Also see "Turn off Windows Update device driver search prompt" in "Administrative Templates/System," w

should be applied to all domain controllers to ensure consistent application of this policy in the domain. If you disable or do not configure
omponents also needs to be enabled.If you disable or do not configure this policy setting, the domain controller does not provide informa
mpound authentication only when the account is explicitly configured. This policy should be applied to all domain controllers to ensure con
al ticket to the client for the appropriate domain.If you disable or do not configure this policy setting, the KDC will not search the listed for
If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value a
nable this policy setting and the resource domain requests compound authentication, devices that support compound authentication alwa
ax, and then click Show. In the Show Contents dialog box in the Value Name column, type a realm name. In the Value column, type the list
m, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type the in
eed valid. If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. Th
omputers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) messag
ms and compound authentication for Dynamic Access Control and Kerberos armoring.If you disable or do not configure this policy setting, t
he DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be si
ocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or Netwo
en. If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whiche
to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name colu
rs to support this policy.If you enable this policy setting, the device's Active Directory account will be configured for compound authentica
e Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the nam
If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings.To set this policy setting
in page. If the policy is Disabled or Not Configured, then the user will be able to use input methods enabled for their user account on t
cy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured.If y
y will be unable to customize those choices. The user cannot customize their user locale with user overrides.If this policy setting is disable
example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English
mputer policy setting.The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United Sta
ny EAS settings or group policies that affect the maximum idle time before a device locks. In addition, if a password is required when a scre
ill present the simple logon screen to the user at logon.

h results in shorter logon times. Group Policy is applied in the background after the network becomes available. Note that because this is
s policy setting, the default logon domain is set to the specified domain, which might be different than the domain to which the computer

welcome screen is displayed each time a user logs on to the computer.This setting applies only to Windows 2000 Professional. It does not a

s Vista, Windows XP Professional, and Windows 2000 Professional.If you disable or do not configure this policy setting, Windows Vista add
he system runs the programs in the run-once list.This policy setting appears in the Computer Configuration and User Configuration folders

xample, to support biometric authentication). If you enable this policy, an administrator can specify the CLSIDs of the credential providers to
gure this policy setting, the Switch User interface is accessible to the user in the three locations.
m (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% di
count users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation.If you disable this policy se

policy setting, the Windows Startup sound is turned off for all users.If you disable this policy setting, the Windows Startup sound is turned o

the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to t
le this policy setting, the DCs to which this policy setting applies will attempt to verify a password with the PDC emulator if the DC fails to
configure this policy setting, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and
are critical. 15 minutes is optimal in all but extreme cases. For instance, if a DC is separated from a trusted domain by an expensive (e.g., IS
or not configured, the SYSVOL share will grant shared read access to files on the share when exclusive access is requested and the caller ha

used as an optimal setting.If you specify zero for this policy setting, the default behavior occurs as described above.If you disable this polic
hould be specified.If you disable or do not configure this policy setting, the default behavior occurs as indicated above.
value for this setting is 0.Warning: If the value for this setting is too large, a client will not attempt to find any DCs that were initially unav
1800). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=42
m Active Directory.If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration
maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used.The defa
me that have specified the DS_BACKGROUND_ONLY flag.If the value of this setting is less than the value specified in the NegativeCachePeri
very Retry Setting is reached.The default value for this setting is 60 minutes (60*60). The maximum value for this setting is 49 days (0x49*2
60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0).
re aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher frequency. Enabling this setting may result in
C responds to the mailslot message.This policy setting is recommended to reduce the attack surface on a DC, and can be used in an enviro
nformation. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC e
d is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Forc
o this policy is provided to support such scenarios.By default, DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are
ntact the first reachable host with the lowest priority number listed.To specify the Priority in the DC Locator DNS SRV resource records, clic
is not applied to any DCs, and DCs use their local configuration.
ords Target field and are all set to the same priority. The probability with which the DNS client randomly selects the target host to be conta
hich may then be used to compute a matching site for the client. The allowable values for this setting result in the following behaviors:0 - D
mainName>Ldap SRV _ldap._tcp.<DnsDomainName>LdapAtSite SRV _ldap._tcp.<SiteName>._sites.<DnsDomainName>Pdc
nnections.If you disable this policy setting, DCs will not register DC Locator DNS resource records.If you do not configure this policy setting
register their records with DNS servers, even if their records' data has not changed. If authoritative DNS servers are configured to perfo
rds for those sites without a DC that are closest to it. The application directory partition DC Locator DNS records and the site-specific SRV
mically registered by the Net Logon service, and they are used to locate the DC. An Active Directory site is one or more well-connected TC
te-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the GC. An Active Directory site is
nd a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, could be returned
ly register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the sam
or this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabelDnsDomain policy setting is enabled.If
e this policy setting, computers to which this policy is applied will attempt to locate a domain controller hosting an Active Directory domai

3), indicating the power plan to be active.If you disable or do not configure this policy setting, users can see and change this setting.

Notification Action" policy setting is configured to "No Action".If you disable or do not configure this policy setting, users can control this se
termine if Windows should automatically sleep.
termine if Windows should automatically sleep.

machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can b
machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can b
is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to
is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to
.If you disable or do not configure this policy setting, users control this setting.If the user has configured a slide show to run on the lock scr
.If you disable or do not configure this policy setting, users control this setting.If the user has configured a slide show to run on the lock scr

o not configure this policy setting, users control this setting.


o not configure this policy setting, users control this setting.

e this policy setting, users control this setting.


e this policy setting, users control this setting.
this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide
this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide

") appears on the "Advanced recovery methods" page of Recovery (in Control Panel) and will allow the user to restore the computer to th
on (or later versions) of the operating system can connect to this computer.If you disable this policy setting, computers running this versio
e.If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer
nnot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this com
setting, the warning message you specify overrides the default message that is seen by the novice.If you disable this policy setting, the use
or (8-bit color in Windows Vista) - Turn off font smoothing (not supported in Windows Vista) - No full window drag - Turn off background If yo

ey will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.If you enable this policy setting, RPC clients will
itten for the traditional delegation model prior to Windows Server 2003 may not use this flag and will encounter RPC_S_SEC_PKG_ERROR
level. If you enable this policy setting, you can use the drop-down box to determine which systems maintain RPC state information.-- "No
s).If you disable this policy setting, the RPC Runtime only generates a status code to indicate an error condition.If you do not configure this
e. This policy setting should never be applied to a domain controller.If you disable this policy setting, the RPC server runtime uses the valu
ntime and the RPC/HTTP Proxy to use a lower connection timeout.This policy setting is only applicable when the RPC Client, the RPC Serve

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives."


ht does not take effect until the operating system is restarted.
licy setting, user account cross-forest, interactive logging cannot run logon scripts if NetBIOS or WINS is disabled, and the DNS suffixes are
e or do not configure this policy setting, the instructions are suppressed.
users.If you disable or do not configure this policy setting, the instructions are suppressed.Note: Starting with Windows Vista operating sy
not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously.This policy setting ap
his policy setting, a startup cannot run until the previous script is complete.Note: Starting with Windows Vista operating system, scripts tha
up and shutdown. For example, assume the following scenario: There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is ena
e following scenario: There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. GPO B and GPO C include th
an type a number from 1 to 32,000 for the number of seconds you want the system to wait for the set of scripts to finish. To direct the sys
the policy setting instead of the "Configure Refresh Interval" setting (in Windows Server 2008 and Windows Server 2008 R2), or the
erver.If you do not configure this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the se
ver, if the "Do not show me this console at logon" (Windows Server 2008 and Windows Server 2008 R2) or "Do not start Server Manag

tomatically terminated during shutdown.If you disable or do not configure this setting, these applications will be automatically terminated
policy setting, the option to configure System Restore through System Protection is disabled.If you disable or do not configure this policy s
nfigure System Restore or create a restore point through System Protection is also disabled.If you disable or do not configure this policy se
n. If you select detection, troubleshooting and resolution, the DPS will attempt to automatically fix problems it detects or indicate to the u
gabytes in size.No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately.This policy

or get help online through a Microsoft website.If you disable this policy setting, the PCA does not detect compatibility issues for applicatio

rupted files will automatically start with no UI. Windows will log an administrator event when a system restart is required. This behavior is
ice restarts are required for this policy setting to take effect: changes take effect immediately. This policy setting only takes effect if the Di
tting, the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss. If you disa
d by the DPS.If you do not configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default.This policy setting tak
gure this policy setting, MSDT is turned on by default.This policy setting takes effect only if the diagnostics-wide scenario execution policy
root cause of the problem.If you enable this policy setting for remote troubleshooting, MSDT prompts the user to download additional to
, MSDT cannot run in support mode, and no data can be collected or sent to the support provider.If you do not configure this policy settin
of MSI application to reinstall will occur with no UI. Windows will log an event when corruption is determined and will suggest the applicati
esolve some of these problems silently without requiring user input.If you disable this policy setting, Windows will not be able to detect, tr

roubleshooting tools from the Control Panel.Note that this setting also controls a user's ability to launch standalone troubleshooting packs
policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content
but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Boot Performa
is not configured. -- When the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenar

og when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Wind
detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Shu
vent log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect
detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Syst
ave the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user d
ade. To find the command number associated with each TPM command, run "tpm.msc" and navigate to the "Command Management" se
st by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The
through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the rela
istrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requirin
e TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to t
ng helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send com
lly and silently backed up to AD DS when you use Windows to set or change a TPM owner password. By enabling this policy setting, a TPM
are full control, or read and write access for the user, and no file access for the administrators group.By configuring this policy setting, you
y settings in this folder together define the system's response when roaming user profiles are slow to load.If you enable this policy setting,
ser logs on again. The local copy is also used when the remote copy of the roaming user profile is slow to load.If you enable this policy setti
ed number of days. If you disable or do not configure this policy setting, User Profile Service will not automatically delete any profiles on th
connections as being slow. As a result, the system does not respond to slow connections to user profiles, and it ignores the policy settings
d profile are full control access for the user and no file access for the administrators group. No checks are made for the correct permission
f their roaming user profile.If you enable this policy setting, Windows will not forcefully unload the users registry at logoff, but will unload
ndows will not log on a user with a temporary profile. Windows logs the user off if their profile cannot be loaded.If you disable this policy
inistrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain
s users' server-based profiles when users log on or off.-- Users' local profiles are newer than their server-based profiles.If you enable this p
deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this polic
Y_CURRENT_USER) into a file (NTUSER.DAT) and updates it. However, if another program or service is reading or editing the registry, the s
y have made, is merged with the server copy of their profile.Using the setting, you can prevent users configured to use roaming profiles fro
py of their profile, including any changes, is merged with the server copy of the profile.Using this policy setting, you can prevent changes m
x will be shown to the user during logon if a slow network connection is detected. The user then is able to choose to download the remote
the computer (if the media is disconnected or the network adapter is not available).If you enable this policy setting, Windows waits for the
ging onto this computer will use the same roaming profile folder as specified by this policy. You need to ensure that you have set the appro
erval" is chosen, then an interval must be set, with a value of 1-720 hours. Once set, Windows uploads the profile's registry file at the spec
a file share in the Path box (for example, \\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you

n addition apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN, SIP/URI,
policy setting, the system waits for the remote copy of the roaming user profile to load, even when loading is slow.If you disable this polic

mum amount of disk space to be used (in MB). To indicate that the cache size is unlimited, select "4294967295" as the maximum amount o
tup.-- "Scan during startup" also scans files each time you start Windows XP. This setting delays each startup.If you disable or do not confi

he following values are scalar, which means that they only have meaning in relation to one another and are not defined by specific unit me
he form of ""dnsName,flags"" where ""flags"" is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client
setting, the local computer clock does not synchronize time with NTP servers.

his policy setting, ActiveX controls prompt the user for administrative credentials before installation. Note: Wild card characters cannot be
onds to certificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If you are aw

strator; Temporary user profiles, which are created when an error prevents the correct profile from loading; User profiles for the Guest accou
eed to sign in with a Microsoft account.
op app for a file type; they can open files only in other Windows Store apps.If you disable or do not configure this policy setting, Windows S
top app for a URI scheme; they can open URIs only in other Windows Store apps.If you disable or do not configure this policy setting, Wind
you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules.
to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subseque
e from the context-menus, but does not affect previous compatibility settings applied to application using this interface.
ty engine will boost system performance. However, this will degrade the compatibility of many popular legacy applications, and will not b
s policy is set.Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for
m Compatibility Assistant is also disabled.If you disable or do not configure this policy setting, the Inventory Collector will be turned on.No
etting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. T
and off data collection.If you enable this policy setting, Steps Recorder will be disabled.If you disable or do not configure this policy settin
cations. This option is useful for server administrators who require performance and are aware of compatibility of the applications they are

uted without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to b
ws XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices. If you enable th
rs who use biometrics to log on.If you disable or do not configure this policy setting, domain users are not able to log on to a Windows-bas
setting, the Windows Biometric Service is unavailable, and users cannot use any biometric feature in Windows.Note: Users who log on us
d computer and can elevate permissions with UAC using biometrics.If you disable this policy setting, biometrics cannot be used by any use
configure this policy setting, a default value of 10 seconds is used for fast-user switch event timeouts.
covery password in a folder. You can specify either a fully qualified path or include the target computer's environment variables in the path
This policy is only applicable to computers running Windows 8 and later. If you enable this policy setting you will be able to choose an
This policy is only applicable to computers running Windows Server 2008, Windows Vista, Windows Server 2008 R2, or Windows 7.If you e
user either can type a 48-digit numerical recovery password or insert a USB flash drive containing a 256-bit recovery key.If you enable this
restart performance but will increase the risk of exposing BitLocker secrets.If you disable or do not configure this policy setting, BitLocker s
Locker-protected drives using the manage-bde command-line tool. An identification field is required for management of certificate-based
covery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer. This policy setting is appl
cate with the object identifier that is defined by this policy setting. Default object identifier is 1.3.6.1.4.1.311.67.1.1 Note: BitLocker does no
ning Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These opera
y Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Dep
BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based en
nts" located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must be also enabled.Note
ning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive.If you
etting, all fixed data drives on the computer will be mounted with read and write access.
on of the drive used to store data is encrypted when BitLocker is turned on.If you enable this policy setting the encryption type that BitLoc
ed PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup.If you disable
se Network Key Protectors.To use a Network Key Protector to unlock the computer, both the computer and the BitLocker Drive Encryption
not configure this policy setting, BitLocker will use Secure Boot for platform integrity if the platform is capable of Secure Boot-based integri
be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Edito
s policy setting, users can configure a startup PIN of any length between 4 and 20 digits.
te before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protecti
ompatibility Service Module (CSM) enabled. Computers using a native UEFI firmware configuration store different values into the Platform
EFI firmware with a Compatibility Service Module (CSM) enabled store different values into the Platform Configuration Registers (PCRs). Us
whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-b
exity requirements" located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must be als
o change BitLocker PINs and passwords.
of pre-boot input (such as an attached USB keyboard).If this policy is not enabled, the Windows Recovery Environment must be enabled o
on of the drive used to store data is encrypted when BitLocker is turned on.If you enable this policy setting the encryption type that BitLoc
puter without a TPM, select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is r
wo authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can requir
configure this policy setting, platform validation data will be refreshed when Windows is started following BitLocker recovery.
rify the default Windows BCD settings. Note: When BitLocker is using Secure Boot for platform and Boot Configuration Data (BCD) integrit
mputers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed.
e Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive En
hether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-ba
tion\Windows Settings\Security Settings\Account Policies\Password Policy\ must be also enabled.Note: These settings are enforced when t
hen turning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the driv
s to suspend and decrypt BitLocker on removable data drives" to permit the user to remove BitLocker Drive encryption from the drive or s
elected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable d
on of the drive used to store data is encrypted when BitLocker is turned on.If you enable this policy setting the encryption type that BitLoc
default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, cl
sers will always be required to type a user name and password to elevate.
esktop by means of the trusted path mechanism.If you disable or do not configure this policy setting, users will enter Windows credentials

eys, a visual version of the desktop is presented and items can be flipped through to select. Changing this policy setting requires a logoff fo

ific color for window frames that cannot be changed by users.


Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users.

d, new events are discarded and old events are retained.If you do not configure this policy setting and the "Retain old events" policy settin
ly when full" policy setting.

ministrator using the Log Properties dialog and it defaults to 20 megabytes.


d, new events are discarded and old events are retained.If you do not configure this policy setting and the "Retain old events" policy settin
lear this log.
ly when full" policy setting.

ministrator using the Log Properties dialog and it defaults to 20 megabytes.


d, new events are discarded and old events are retained.If you do not configure this policy setting and the "Retain old events" policy settin

ly when full" policy setting.

ministrator using the Log Properties dialog and it defaults to 20 megabytes.

d, new events are discarded and old events are retained.If you do not configure this policy setting and the "Retain old events" policy settin

ly when full" policy setting.

ministrator using the Log Properties dialog and it defaults to 20 megabytes.

urity risks.
wing options: • Require approval from an administrator before running downloaded unknown software • Give user a warning before

o the path defined.If you disable or do not configure this policy setting, no changes are made to the location of the default Library definitio
e file will be processed and default associations will be applied at logon time. If the group policy is not configured, disabled, or the client m

ugh the Power Options Control Panel.

tions Control Panel.

ended to leave this protocol in the protected mode to increase the security of Windows.If you enable this policy setting the protocol is full
me share, the target path is updated and files are not copied or deleted. The temporary file is deleted. If you disable or do not configure t
efaults to disabled.

tting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points
e Restore button, Windows attempts to restore the file from the local disk.If you do not configure this policy setting, it is disabled by defau
ion corresponding to a backup. If the Restore button is clicked, Windows attempts to restore the file from the backup media.If you do not
re. If the user clicks the Restore button, Windows attempts to restore the file from the file share.If you do not configure this policy setting,

ain-joined computer is not shared with the homegroup.This policy setting is not configured by default.You must restart the computer for th
setting. Enabling this setting will not have any effect on IIS if IIS is already installed on the computer. If you disable or do not configure this

eduled time as specified in Action Center/Automatic Maintenance Control Panel will apply.
om delay will be applied to Automatic Maintenance. If you disable this policy setting, no random delay will be applied to Automatic M
d make a wake request for the daily scheduled time, if required. If you disable or do not configure this policy setting, the wake setting

ng system selects an available port. Note: Network port usage is dependent on how the "Turn off Connect to a Network Projector" policy s

tting, the default behavior applies (Help viewer renders trusted assistance content with active elements).
e running Password Synchronization use the synchronization retry interval specified on the Configuration tab of the Password Synchroniza
computers that are running Password Synchronization retry synchronization the number of times specified on the Configuration tab of the
mpts based upon how the "Enable extensive logging" setting on the Configuration tab of the Password Synchronization Properties dialog bo
ndows environment, if the user account has been migrated to Active Directory Domain Services.If you disable or do not configure this polic

artup Options Control Panel item.If you disable this setting, booting to Windows To Go when a USB device is connected will not be enabled
screen blanking, adjust speaker volume, and apply a custom background image.Note: Users will be able to customize their system setting
olicy setting and this policy setting is applied to a Remote Desktop license server, the license server will only respond to RDS CAL requests
Windows Server 2008 TS CAL for clients connecting to a terminal server running Windows Server 2008, and will try to issue a Windows Ser
her they want to connect.If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on
p settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file).If you ena
n me if authentication fails: The client attempts to authenticate the RD Session Host server. If the RD Session Host server can be authentica
s setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.
mputer, the user will not be prompted to provide credentials.Note: If you enable this policy setting in releases of Windows Server 2008 R2
y start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field.If you disable or do not configure

disable or do not configure this policy setting, other supported RemoteFX USB devices are not available for RDP redirection by using any us
al IP is not available.
o not configure this policy setting, Remote Desktop IP Virtualization is turned off. A network adapter must be configured for Remote Deskto
sable or do not configure this policy setting, Windows Installer RDS Compatibility is turned on, and multiple per user application installatio
any blank lines between programs). For example: explorer.exe mstsc.exe If you disable or do not configure this policy setting, Remote Desk
al IP is not available.
es. The target computer will maintain any current connections, but will not accept any new incoming connections.If you do not configure t
.If the status is set to Disabled, automatic reconnection of clients is prohibited.If the status is set to Not Configured, automatic reconnectio
ver. If the client logs on to the same RD Session Host server again, a new session might be established (if the RD Session Host server is con
ff the connected administrator is not allowed.If you disable or do not configure this policy setting, logging off the connected administrator
e because fewer sessions are demanding system resources. By default, RD Session Host servers allow an unlimited number of Remote Desk
rs are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services.If you do not configure this policy s
all traffic to this server originates from a low-speed connection.If you disable Continuous Network Detect, Remote Desktop Protocol will n
raffic will use UDP.If the UDP connection is not successful or if you select "Use only TCP," all of the RDP traffic will use TCP.If you disable o
's consent. 3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. 4. Vie
n. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. If you disable or do not con

Users can also choose to not play the audio. Video playback can be configured by using the videoplayback setting in a Remote Desktop Pr
ault, audio recording redirection is not allowed when connecting to a computer running Windows Server 2008 R2. Audio recording redirec
this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server tim
tting, users cannot redirect Clipboard data. If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection.
s policy setting, users cannot redirect server data to the local COM port. If you disable this policy setting, Remote Desktop Services always
olicy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed
nnot redirect server data to the local LPT port. If you disable this policy setting, LPT port redirection is always allowed. If you do not configu
s on connection. Note: The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Pro
edirect to the remote computer.If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote
ount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the
s the number of days until the licensing grace period for the RD Session Host server will expire.If you enable this policy setting, these notifi
ach device connecting to this RD Session Host server have an RDS Per Device CAL.If you enable this policy setting, the Remote Desktop lice
an RD Session Host server in a Windows Server-based domain attempts to contact a license server in the following order: 1. Remote Desk
he remote computer to a local client printer in Remote Desktop Services sessions.If you disable this policy setting, users can redirect print
inter specified on the remote computer.If you disable this policy setting, the RD Session Host server automatically maps the client default

ior is for the RD Session Host server to find a suitable printer driver. If one is not found, the client's printer is not available. You can choose
er that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the c
s policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile c
o use the network share for user profiles.If you enable this policy setting, Remote Desktop Services uses the specified path as the root dire
nd then select the drive letter to which you want the network share to be mapped.If you choose to keep the home directory on the local c
n Host server use the same user profile.If you disable or do not configure this policy setting, mandatory user profiles are not used by users
ces.If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an existing farm name, the server joins t
specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012 R2, for a high availabil
Session Host server joins the farm that is specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Conne
nnection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session
e server is configured to use RD Connection Broker, users who have an existing session are redirected to the RD Session Host server where
desktop sessions can reduce connection performance, particularly over slow links, and increase the load on the remote computer. If you
policy setting, the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial progr
network bandwidth. If you select the algorithm that is optimized to use less network bandwidth, this option uses less network bandwidth,
mode consumes the lowest amount of network bandwidth of the quality modes. If you enable this policy setting and set quality to High, Re
tion 2. Optimize for server scalability 3. Optimize for minimum bandwidth usage If you disable or do not configure this policy setting, the Rem
onnections can improve connection performance, particularly over slow links. By default, font smoothing is allowed for remote connecti
2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008
ptions for more information). Servers running Windows Server 2003 do not display wallpaper by default to Remote Desktop Services sessio
um color depth allowed for a user's RDP connection. The actual color depth for the connection is determined by the color support availabl
ximum resolution that can be used by each monitor used to display a Remote Desktop Services session.If you disable or do not configure t
session. You can specify a number from 1 to 16.If you disable or do not configure this policy setting, the number of monitors that can be u
disable or do not configure this policy setting, "Disconnect" is not removed from the list in the Shut Down Windows dialog box.Note: This p
ows Security dialog box on the client computer.If the status is set to Disabled or Not Configured, Windows Security remains in the Settings
bling this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are
phics.If you disable this policy setting, RemoteApp programs published from this RD Session Host server will not use these advanced graph
his policy setting, all Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default
Host uses server-side GPUs to deliver a rich user experience over LAN connections and RDP 7.1.When deployed on an RD Session Host serv
lect the visual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text
e network bandwidth usage by reducing the image quality (increasing the amount of image compression that is performed).If you have a h
Desktop Connection client.If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying th
for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only.If you disable or do not co
ow unsecured communication with untrusted clients.If the status is set to Disabled, Remote Desktop Services always requests security for
ailable: * Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TL
Host server.To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the cli
ertificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to auth
ption level is set to High. The following encryption methods are available: * High: The High setting encrypts data sent from the client to the
mits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Ser
arning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If
Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, a
e, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are mai
teApp program associated with a session, the RemoteApp session will remain in a disconnected state until the time limit that you specify i
rs are retained when the user logs off from a session.If you disable this policy setting, temporary folders are deleted when a user logs off, e
he remote computer in a Temp folder under the user's profile folder and are named with the sessionid.If you enable this policy setting, pe

covery button.
to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.
not configure this policy setting, the user can subscribe to a feed or Web Slice through the Subscribe button in Internet Explorer and dele

nticate feeds to servers by using the Basic authentication scheme in combination with a less secure HTTP connection.A developer cannot
erver, your query should resemble the following: http://sitename/Search.aspx?k=$w If your intranet search service is Windows SharePoint S
search service. Use $w in place of the query term for the search service URL. If your intranet search service is SharePoint Portal Server, yo
licy setting, the local setting, configured through Control Panel, will be used. By default, the Control Panel setting is set to not index encryp
d through Control Panel, will be used. Note: By default, the Control Panel setting is set to treat words that differ only because of diacritics
ou disable or do not configure this policy setting, Windows will use automatic language detection only when it can determine the language

ry in Search.If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web, and if the
tered connections and web results will be displayed when a user performs a query in Search.If you don't configure this policy setting, a us
x, ensure that for Microsoft Outlook 2007 no portions of the delegate mailbox are cached locally. The default behavior for Search is to not
n delegate mailboxes. To stop indexing of online and delegate mailboxes you must disable both policies.
disable this policy, then online mail items will be indexed at the speed that the Microsoft Exchange server can support. If you set this policy
ible. When the policy is disabled, both the Add and Remove locations options as well as any previously specified user locations will be visi
shared on this computer, and automatically adds them to or removes them from the index.

excluded file types. If you enable and then disable this policy, the user's original list is restored.If you want to specify an initial default list o

this policy setting.


ticular iFilter, make sure that this iFilter is on the allow list, either as a GUID such as {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} (include the br
is disabled or not configured, the preview pane shows automatically to the right of the Desktop Search results, and your users can choose
he default is small icon view.
you disable or don't configure this policy setting, users can specify the SafeSearch setting.
rosoft account info to personalize their search and other Microsoft experiences. - Anonymous info: Share usage information but don't s

ty. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed. Note
er for NIS use the map update interval specified on the General tab of the Server for NIS Properties dialog box.Note: Valid values for interv
that are running the Server for NIS log steps of map propagations based upon how the "NIS map propagation logging" policy setting on the

emote shutdown interface.

be able to access SkyDrive using the WinRT API. If you disable or do not configure this policy setting, users with a connected account will s
also be used to log on with a smart card: - Certificates with no EKU - Certificates with an All Purpose EKU - Certificates with a Client Authen
on to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this po
e this policy setting then the integrated unblock feature will not be available.

rtificates will be listed on the logon screen regardless of whether they have an invalid time or their time validity has expired.If you disable
n optional field that allows users to enter their user name or user name and domain will not be displayed.

o the user when the smart card is blocked, if the integrated unblock feature is enabled.
e the same if they are issued from the same template with the same major version and they are for the same user (determined by their U
card vendor to determine if your smart card and associated CSP supports the required behavior.If you enable this setting, then Windows w
only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process.
nd out whether you will be affected by this policy setting.
splayed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls

tificates will not be propagated from the smart card.


hen a card is inserted in a Smart Card Reader.Note: This policy setting is applied only for smart cards that have passed the Windows Hardw
Settings in the Windows Store.

"sync your settings" is on by default and configurable by the user.


s" group is on by default and configurable by the user.
ult and configurable by the user.
ed off by default but not disabled.If you do not set or disable this setting, syncing of the "browser" group is on by default and configurable
r disable this setting, syncing of the "desktop personalization" group is on by default and configurable by the user.
ections is configurable by the user.
r disable this setting, syncing of the "Other Windows settings" group is on by default and configurable by the user.
p is on by default and configurable by the user.
group is on by default and configurable by the user.
ayout" group is on by default and configurable by the user.

pplications can be launched from a hardware button.


do not configure this policy, press and hold actions will be available.

symbols, numbers, or keyboard shortcuts.If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not
o text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dial
entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disa
a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text, symbo
u disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the
re this setting in the Input Panel Options dialog box.If you disable this policy, application auto complete lists will appear next to Input Pane
se handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. If you enable this policy and choose “
oard to enter text, symbols, numbers, or keyboard shortcuts. If you enable this policy and choose “All” from the drop-down menu
and pen flicks training (that can be accessed through CPL) are still available. Conceptually this policy is a subset of the Disable pen flicks po

es, the touch pointer, and other-touch specific features. If you do not configure this setting, touch input is on by default. Note: Changes to t
setting, Touch Panning is on by default. Note: Changes to this setting will not take effect until the user logs off.
sers to change task characteristics such as: the program the task runs, details of its schedule, idle time and power management settings, a
aracteristics such as the program the task runs, its schedule details, idle time and power management settings, and its security context. No
akes precedence over the setting in User Configuration.
t select a program from the list in the Scheduled Task Wizard, which displays only the tasks that appear on the Start menu and its submen
e Scheduled tasks folder. This setting does not prevent users from using other methods to create new tasks, and it does not prevent users
cedence over the setting in User Configuration. Important: This setting does not prevent administrators of a computer from using At.exe to
ettings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. Important: This setti
be stopped when both antivirus and antispyware definitions are disabled. If the computer is restarted, the service will be started if it is set

olicy Settings will override preference settings. If you disable this setting, only items defined by Group Policy will be used in the resulting eff

configure this setting, the proxy will be set according to the order specified above.
setting, scheduled tasks will begin at a random time within an interval of 30 minutes before and after the specified start time. If you disab
e from the actions available for each threat. If you disable or do not configure this policy setting, Windows Defender automatically takes ac

d will be displayed. If you disable or do not configure this setting, there will be no additional text displayed.
ot be displayed to clients when they need to perform the specified actions.

l files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recomm
executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recomme

ormation can include things like location of detected items on your computer if harmful software was removed. The information will be a
pecified number of minutes. If you disable or do not configure this setting, detection events will be logged at the default rate.
alue is not used and it is recommended that this be set to 0.
hat protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest

recommended that this be set to 0.

this be set to 0.

n is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those vo

o take actions on malware detections.

nable this setting, a scheduled full scan to complete remediation will run at the frequency specified. If you disable or do not configure this
un at the time of day specified. If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a de

this setting, the scan will start using the existing definitions.

uring quick scan and custom scan.


ll run at the frequency specified. If you disable or do not configure this setting, a scheduled scan will run at a default frequency.
ck scan will run at a default time.

tilization will not exceed the default value.


fault value.

me of day specified. If you disable or do not configure this setting, a daily quick scan will run at a default time.
me of day specified. If you disable or do not configure this setting, a scheduled scan will run at a default time.

tch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up
a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch
e or do not configure this setting, e-mail scanning will be disabled.

ified. If you disable or do not configure this setting, items will be kept in the scan history folder for the default number of days.
ed. If you disable or do not configure this setting, reparse point scanning will be disabled.

malware service will receive notifications to disable definitions. If you disable this setting, the antimalware service will not receive notificatio
ality to work. If you enable or do not configure this setting, real-time definition updates will be enabled. If you disable this setting, real-time

nition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. If you

sidered out of date after the number of days specified have passed without an update. If you disable or do not configure this setting, spywa
out of date after the number of days specified have passed without an update. If you disable or do not configure this setting, virus definitio
ftUpdateServer | MMPC } If you enable this setting, definition update sources will be contacted in the order specified. Once definition upda

finition updates will occur at the frequency specified. If you disable or do not configure this setting, the check for definition updates will oc

you enable this setting, the check for definition updates will occur at the time of day specified. If you disable or do not configure this settin

alid remediation action values are: 2 = Quarantine, 3 = Remove, 6 = Ignore

tion to the user. If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification se
ommunication settings. Important: If the Turn off Windows Error Reporting policy setting is not configured, then Control Panel settings for

do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templ
Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting
tive Templates/Windows Components/Windows Error Reporting/Consent take precedence.
configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains

ttery power, but checks for solutions and uploads report data normally. If you disable or do not configure this policy setting, WER checks fo
y again if the network profile is changed.
umber on the destination server for transmission. If you disable or do not configure this policy setting, Windows Error Reporting sends erro
The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted
ately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, o
e reported, regardless of the setting in the Default pull-down menu. When the Report all errors in Windows check box is filled, all errors in
y applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all applica
he Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an applica
remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must alwa
settings in Control Panel are set to upload operating system errors. See also the Configure Error Reporting policy setting.
planned shutdown events" by default. Also see the "Configure Error Reporting" policy setting.
a that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional da
nt level of 0, 1, 2, 3, or 4. - 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. - 1 (Always ask before send
default consent setting determines only the consent level of any other error reports.
m changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed. If W
hat their own permissions would not allow. This policy setting does not affect installations that run in the user's security context. Also, see t
ot configure this policy setting, by default, only system administrators can apply patches during installations with elevated privileges, such
nstall from removable media when the installation runs in their own security context. If you disable or do not configure this policy setting,
ofile setting lets users install programs that require access to directories that the user might not have permission to view or change, includ
y the maximum size of the Windows Installer baseline file cache. If you set the baseline cache size to 0, the Windows Installer will stop
e original GUID appears to be removed and the component as identified by the new GUID appears as a new component. (2) Add a new feat

roceed. This policy setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However, becau
that run in the user's security context. If you disable or do not configure this policy setting, by default, users who are not system administra
nstaller will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal s
r based applications. If you disable or do not configure this policy setting, users without administrative privileges can install non-administra
a user or an administrator. The Windows Installer can still remove an update that is no longer applicable to the product. If you disable or do
not restore the computer to its original state if the installation does not complete. This policy setting is designed to reduce the amount of te
er to use Restart Manager to detect files in use and mitigate a system restart, when possible. -- The "Restart Manager Off" option turns off
er install of an application, this hides a per-computer installation of that same product. If you enable this policy setting and "Hide User Insta
applies even when the installation is running in the user's security context. If you disable or do not configure this policy setting, the Bro
allation in which the transform file was used, therefore, the user must be using the same computer or be connected to the original or iden
many or as few event types as you want. To disable logging, delete all of the letters from the box. If you disable or do not configure
gure this policy setting, by default, the Windows Installer automatically creates a System Restore checkpoint each time an application is in
tion instructs Windows Installer to automatically generate log files for packages that include the MsiLogging property. -- The "Logging via p

de software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vis
he SAS. If you set this policy setting to "Services and Ease of Access applications," both services and Ease of Access applications can simulate
ogon attempted with that user name, and the number of unsuccessful logons since the last successful logon by that user. This message mu

ned-in and the session is automatically locked with all the lock screen apps configured for that user. If you disable this policy setting, the de

cure content that is already licensed to the local computer will continue to play. Users are also able to protect music that they copy from
w or hide the anchor window when the Player is in skin mode by using the Player tab in the Player. If you do not configure this policy settin
ome of the options can be configured by using other Windows Media Player group policies. If you disable or do not configure this policy setti

or do not configure this policy setting, anyone using Windows Media Player can turn media sharing on or off.

Use Video Smoothing check box is selected and is not available. If you do not configure this policy setting, video smoothing occurs if necess
both are present, the Computer Configuration version of this policy setting takes precedence.
Messenger from that point on, Windows Messenger will be loaded. The user can also configure this behavior on the Preferences tab on the
ter is on by default.
this policy setting does not set a default value for the SourcePath parameter of the Update-Help cmdlet. Note: This policy setting exists und
of execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the L
riginate from the Internet must be signed by a trusted publisher. The "Allow all scripts" policy setting allows all scripts to run. If you disable
If you disable this policy setting, Reliability Monitor will not display system reliability information, and WMI-capable applications will be un

setting, the WinRM client uses the Kerberos authentication directly.

thenticate the identity of the host. If you disable or do not configure this policy setting and the WinRM client needs to use the list of truste

ure the Windows Firewall policy setting with exceptions for Port 5985 (default port for HTTP). If you disable or do not configure this policy

uration value will be erased from the credential store on this computer. If you disable or do not configure this policy setting, the WinRM ser
re the hardening level locally on each computer. If HardeningLevel is set to Strict, any request not containing a valid channel binding to
A listener might be automatically created on port 80 to ensure backward compatibility.
986. A listener might be automatically created on port 443 to ensure backward compatibility.

n shell. If you do not configure or disable this policy setting, the default value of 900000 or 15 min will be used.
a new allocation exceeds the specified quota. If you disable or do not configure this policy setting, the value 150 is used by default.

per user.

policy has no effect.


commended, and important content for which they received a notification. Users will not see a User Account Control window and do not n
local computer. If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be s
will not alter its restart behavior. If the "No auto-restart with logged on users for scheduled automatic updates installations" policy is enable
s is set to Enabled, Windows will check for available updates at the specified interval. If the status is set to Disabled or Not Configured, Win
y updates. When Windows finds updates that apply to this computer, users will be notified that updates are ready to be downloaded.
ates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
mputer to do?' list. If you disable or do not configure this policy setting, the 'Install Updates and Shut Down' option will be the default optio
king. Note: This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft
cy setting, the 'Install Updates and Shut Down' option will be available in the Shut Down Windows dialog box if updates are available whe
group names separated by semicolons. Otherwise, a single group must be specified. If the status is set to Disabled or Not Configured, no t
ied, then Windows Update will use the Windows Power management features to automatically wake the system up to install the updates
omputer. Be aware that the computer needs to be restarted for the updates to take effect. If the status is set to Disabled or Not Configured
perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect. This policy ha
stallation. If the status is set to Not Configured, a missed scheduled installation will occur one minute after the computer is next started. No
he server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload

ble this policy setting, a notification message will appear on the user's computer when featured software is available. The user can click th
will use the settings specified in the "Specify Work Folders settings" policy setting in User Configuration\Administrative Templates\Windo
osoft.com/fwlink/?LinkId=307136
.jpg. This can be used in conjunction with the "Prevent changing lock screen image" setting to always force the specified lock screen image

policy is also set on a supported version of Windows, then that background takes precedence over this policy.

duled clean up task.


cific language used for the Windows menus and dialogs.
h UI language is used.
ot already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browse
tting, the default user account picture will display for all users on the system with no customization allowed. If you disable or do not configu
y to set this setting to a value less than 15 minutes, the default value of 15 minutes is applied.
S downloads them from the origin server. If you enable this policy setting, BITS downloads files from peers, caches the files, and respo
than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings
ot configure this policy setting, the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the o
wnloaded and cached files to its peers. Note: This setting has no effect if the "Allow BITS peer caching" setting is disabled or not confi
be removed from the peer cache. Note: This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or n
If you disable or do not configure this policy setting, the default size of the BITS peer cache is 1 percent of the total system disk size.
ble or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used.
can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobi
of BITS, and specify a fixed maximum bandwidth that BITS will use for peer caching. If you enable this policy setting, you can enter a v
e lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number
by services and the local administrator account do not count toward this limit.
cal administrator account do not count toward this limit.
or account do not count toward this limit.
eated by specifying only a priority. For example, you can specify that background jobs are by default to transfer only when on uncost
rity jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kb
edule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low.
period of time and still have pending jobs. Consider decreasing this value if you are concerned about orphaned jobs occupying disk sp
ent until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content aft
"If you do not configure this setting, all clients will use the version of BranchCache that matches their operating system. Policy configuratio
vers in the branch office. If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is
guration by other group policies. If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clien
domain members but you do not want to configure a BranchCache client computer cache age setting on all client computers, you can spec
he following: - Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy. In the circumsta
ent to the hosted cache server for access by other hosted cache clients at the branch office. Policy configuration: Select one of the following
omputers by this policy. In the circumstance where client computers are domain members but you do not want to configure a BranchCach
are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want
ried by the DNS client first. If the query succeeds, the response is returned to the client. If the query fails, the unqualified multi-label name

specific DNS suffix, if configured.


able this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if co
fore sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com." To use this policy setting, click Enab
registration, and this policy setting must not be disabled. If you disable this policy setting, computers may not use dynamic DNS registratio

If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding orde
n use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix. If you disable this policy setti
e single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and A
NS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection spe
suffix of microsoft.com will be registered as: mycomputer.microsoft.com. If you enable this policy setting, a computer will register A and PT
will not attempt to register PTR resource records. Register: Computers will attempt to register PTR resource records even if registration of t
records. Warning: If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the
cord might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, t
l use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).

LLMNR will be disabled on all available network adapters on the client computer. If you disable this policy setting, or you do not configure
R queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. If you disable this policy setting, or if you do
ient will prefer link local responses for flat name queries on non-domain networks. Note: This policy setting is applicable only if the turn o
tting.If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients
te, except the root zone. If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic upd
PR protocol support. If you disable this policy setting, Wi-Fi hotspots are not probed for WISPr protocol support, and users can only authen
you do not want to enable BranchCache on all file servers, you can specify Not Configured for this domain Group Policy setting, and then
support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes. Policy configuration: Selec
naged network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation w
ow the Responder to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is
will be performed.

onfigure this policy setting, this computer can publish PNRP names and help other computers perform PNRP lookups.
Here are the four ways in which you can use this setting to control the seed server used in your corporation. 1. In order to use the global, w
cifying this registry key will break scenarios where there is no seed server for bootstrap (such as ad hoc networking scenarios). If you disabl
obal cloud if the computer has a global IPv6 address, but creates a site-local cloud if the computer has a site-local address. If you enable th
onfigure this policy setting, this computer can publish PNRP names and help other computers perform PNRP lookups.
on’t enter any address, no seed server will be used. If this setting is not configured, the protocol will revert to using a public registry key
pecifying this registry key will break scenarios where there is no seed server for bootstrap (such as ad hoc networking scenarios). If you dis
obal cloud if the computer has a global IPv6 address, but creates a site-local cloud if the computer has a site-local address. If you enable th
onfigure this policy setting, this computer can publish PNRP names and help other computers perform PNRP lookups.
tting and you don’t enter any address, no seed server will be used. If this setting is not configured, the protocol will revert to using a pub
pecifying this registry key will break scenarios where there is no seed server for bootstrap (such as ad hoc networking scenarios). If you dis
obal cloud if the computer has a global IPv6 address, but creates a site-local cloud if the computer has a site-local address. If you enable th

k segments together. This connection appears in the Network Connections folder. If you disable this setting or do not configure it, the use
en the setting was refreshed, this setting does not apply. The Internet Connection Firewall is a stateful packet filter for home and small offi
tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from

irectAccess and the Internet is routed through the internal network. If you disable this policy setting, traffic between remote client comput
by computers that authenticate using IPsec. If you enable this policy setting and add systems to the list, upon disabling this policy, Window
specify which ICMP message types Windows Firewall allows this computer to send or receive. If you disable this policy setting, Windows F
his policy setting, Windows Firewall blocks these ports, which prevents this computer from sharing files and printers. If an administrator att
SS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the
s this port, which prevents this computer from receiving Remote Desktop requests. If an administrator attempts to open this port by addi
d and administrators cannot clear it. If you disable this policy setting, Windows Firewall blocks these ports, which prevents this computer f
port exceptions list. However, local administrators will still be allowed to create firewall rules in the Windows Firewall with Advanced Secu
to define a local program exceptions list. However, local administrators will still be allowed to create firewall rules in the Windows Firewa
option to log successful incoming messages. If you are configuring the log file name, ensure that the Windows Firewall service account has
button. In the Show Contents dialog box type a definition string that uses the syntax format. To remove a port, click its definition, and the
n, even if that port is blocked by another policy setting, such as the "Windows Firewall: Define inbound port exceptions" policy setting. To
Do not allow exceptions" policy setting by turning off the firewall. If you disable this policy setting, Windows Firewall applies other policy se
o not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that in the Windows Firewall com
hen blocks all later responses. Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Configuration P
dows Firewall component in Control Panel to turn Windows Firewall on or off, unless the "Prohibit use of Internet Connection Firewall on y
specify which ICMP message types Windows Firewall allows this computer to send or receive. If you disable this policy setting, Windows F
his policy setting, Windows Firewall blocks these ports, which prevents this computer from sharing files and printers. If an administrator att
SS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the
s this port, which prevents this computer from receiving Remote Desktop requests. If an administrator attempts to open this port by addi
d and administrators cannot clear it. If you disable this policy setting, Windows Firewall blocks these ports, which prevents this computer f
port exceptions list. However, local administrators will still be allowed to create firewall rules in the Windows Firewall with Advanced Secu
to define a local program exceptions list. However, local administrators will still be allowed to create firewall rules in the Windows Firewa
option to log successful incoming messages. If you are configuring the log file name, ensure that the Windows Firewall service account has
button. In the Show Contents dialog box type a definition string that uses the syntax format. To remove a port, click its definition, and the
n, even if that port is blocked by another policy setting, such as the "Windows Firewall: Define inbound port exceptions" policy setting. To
Do not allow exceptions" policy setting by turning off the firewall. If you disable this policy setting, Windows Firewall applies other policy se
o not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that in the Windows Firewall com
hen blocks all later responses. Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Configuration P
dows Firewall component in Control Panel to turn Windows Firewall on or off, unless the "Prohibit use of Internet Connection Firewall on y

configured with this setting are merged with proxies that are auto-discovered. To make this policy configuration the sole list of allowed pr
nodes. This setting should NOT be used to configure Internet proxies. Example: [3efe:3022::1000]; 18.0.0.1; 18.0.0.2 For more information
setting are merged with the hosts that are declared as private through automatic discovery. To ensure that these addresses are the only a
addresses. For more information see: http://go.microsoft.com/fwlink/p/?LinkId=234043
lly discover your private network hosts in the domain corporate environment. For more information see: http://go.microsoft.com/fwlink/p
o offline" indicates that network files are not available while the server is inaccessible. If you disable this setting or select the "Work offline"
by the user. Note: Changes to this policy setting do not take effect until the affected computer is restarted.
ization are lost.
me' and 'Blockout Duration' to set a period of time where background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' v
configured, the default threshold value of 64,000 bps is used to determine if a network connection is considered to be slow. Note: Use the
ween the client and the server is below (slower than) the Throughput threshold parameter, or if the round-trip network latency is above (s
at users make available offline manually. If you enable this setting, you can specify an automatic-cache disk space limit. If you disable this s
plan's data limit. The network folder must also be in "slow-link" mode, as specified by the "Configure slow-link mode" policy to avoid netw
the most current version from the server is always available for subsequent reads. This policy setting is triggered by the configured round t
ugh the user interface.If you disable this policy setting, all files in the Offline Files cache are unencrypted. This includes existing files as wel
n all preceding levels. "0" records an error when the offline storage cache is corrupted. "1" also records an event when the server hosting t
ng is designed to protect files that cannot be separated, such as database components. To use this setting, type the file name extension in
are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
ble this policy setting, you can specify the disk space limit (in megabytes) for offline files and also specify how much of that disk space can
the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Compute
w their offline files. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the
appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configurati
ng appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configur
tting in Computer Configuration takes precedence over the setting in User Configuration.
ration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. The "Make Available O
ding any lists inherited from lower precedence GPOs, and the "Make Available Offline" command is displayed for all files and folders. If you

made always available offline (including those inherited from lower precedence GPOs) is deleted and no files or folders are made available
sable this setting or do not configure it, the system asks users whether they want subfolders to be made available offline when they make
not ensure that they are current. If you do not configure this setting, the system performs a quick synchronization by default, but users ca
nization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensure
r is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer a
is setting is not configured, reminder balloons are displayed by default when you enable offline files, but users can change the setting. To p

etting has no effect on the system. Important: If the maximum number of outstanding packets is specified in the registry for a particular ne
e of 80 percent of the connection. Important: If a bandwidth limit is set for a particular network adapter in the registry, this setting is ignore
ork adapter, then this setting is ignored when configuring that network adapter.
vice type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
e DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that n
e for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network ada
he DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring tha
rvice type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
his service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that ne
for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adap
he DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that
r this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapte
tting is ignored when configuring that network adapter.
adapter, this setting is ignored when configuring that network adapter.
is setting is ignored when configuring that network adapter.
rk adapter, this setting is ignored when configuring that network adapter.
ignored when configuring that network adapter.
etting is ignored when configuring that network adapter.
that receives SNMP packets from the network. If you enable this policy setting, the SNMP agent only accepts requests from management
tting, the SNMP agent only accepts requests from the list of permitted managers that you configure using this setting. If you disable or do no
anagement systems asynchronously. If you enable this policy setting, the SNMP service sends trap messages to the hosts within the "public
_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521 TLS_ECDHE

with one of the following settings: Policy Default State: 6to4 is enabled if the host has only link-local IPv6 connectivity and a public IPv4 add
ys present, even if the host has other connectivity options. Policy Disabled State: No IP-HTTPS interfaces are present on the host.

uccessfully, the host will have ISATAP configured with a link-local address and an address for each prefix received from the ISATAP router

client's NAT device, Teredo might stop working or connectivity might be intermittent. If you disable or do not configure this policy setting,

es a domain controller. Enterprise Client: The Teredo interface is always present, even if the host is on a network that includes a domain co

s policy setting, Window Scaling Heuristics will be disabled and system will not try to identify connectivity and throughput problems caused
ng, operations are disabled over all media. If you do not configure this policy setting, operations are enabled over all media. The default fo
access all WCN wizards.

locked. Additional manual connection attempts by users to the Internet or to a Windows domain are not blocked by this policy setting.
o a non-domain based network, automatic connection attempts to domain based networks are blocked. Manual connection attemp

mit. - Variable: This connection is costed on a per byte basis. If this policy setting is disabled or is not configured, the cost of Wireless LAN co
nnection is costed on a per byte basis. If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default.
connection is costed on a per byte basis. If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default.
r side of Internet printing only. It does not prevent the print client on the computer from printing across the Internet. Also, see the "C
Web Services printers: 0 Bluetooth printers: 10 Shared printers: 0 In order to view available Web Services printers on y
uld like to not display printers of a certain type, enable this policy and set the number of printers to display to 0.

puter does not respond. If you disable this setting, the domain controller does not prune this computer's printers. This setting is desig

process print jobs into printer device commands. These commands will then be sent to the print server, and the server will simply pass the
ished" setting is disabled.

the verification interval.


the location of the user's computer. When users search for printers, the system uses the specified location (and other search criteria) to fi
s links only appear in the Printers folder when Web view is enabled. If Web view is disabled, the setting has no effect. (To enable Web view
ts before deleting printers from Active Directory. If you enable this setting, you can change the interval between contact attempts.
you can adjust the priority to improve the performance of this service. Note: This setting is used only on domain controllers.
mputer has published. By default, the pruning service contacts computers every eight hours and allows two retries before deleting
e printer drivers will be blocked. If you enable this setting, installation of a printer using a kernel-mode driver will not be allowed. Note: By a

ngs may alter the process in which a print driver is executed. -This policy setting applies only to print drivers loaded by the print spooler. Pr
n the Point and Print connection will fail. This policy setting is not configured by default, and the behavior depends on the version of Windo
nfigure this policy setting, then applications that are configured to support driver isolation will be isolated. If you disable this policy setting,
t value is two retries. The "Directory Pruning Interval" setting determines the time interval between retries; the default value is every eigh
iver policy settings may alter the process in which a print driver is executed. -This policy setting applies only to print drivers loaded by the p
ked by this policy. Administrators may need to set both policies to block all print connections to a specific print server. If this setting is enab
n the client, no connection will be made. -You can configure Windows Vista clients so that security warnings and elevated command
ation or location naming scheme. Enabling Location Tracking adds a Browse button in the Add Printer wizard's Printer Name and Sharing L
ervers only when Active Directory is not available. Note: A client license is used each time a client computer announces a printer to a print
uters running Windows 2000 Professional detect and republish deleted printer objects when they rejoin the network. However, because n

ting the layout you configured. Once the XML file is generated and moved to the desired file path, type the fully qualified path and name o
a feature occurs. Note: By default, the System State Data feature is always enabled on Windows Server 2003. See "Supported on" for all su

ogon/Logoff status messages" policy setting is enabled.


en you shut down a computer running Windows Server. (See "Supported on" for supported versions.) If you enable this policy setting and c
automatically.

n(). If you enable this policy setting, the computer system safely shuts down and remains in a powered state, ready for power to be safely r
ulting searches might make some programs start or run slowly. If you disable or do not configure this policy setting, the program continues
his policy setting, the Persistent System Timestamp is refreshed according to the default, which is every 60 seconds beginning with Windows

y setting and enter the desired folders in the text box on the Settings tab of the Policy Properties dialog box. Use a semicolon to separate f
ttings available in Computer Configuration\Security Settings. Note: This policy setting is available under Computer Configuration an
be specified when each path is separated by a semicolon. The network location can be either a folder, or a WIM file. If it is a WIM file, the l

L Help Executable. If you disable or do not configure this policy setting, DEP is turned on for HTML Help Executable. This provides an
ssage that doesn't provide any of the functionality controlled by this policy setting, regardless of the file server configuration. If you do not

ng, the process's command line information will not be included in Audit Process Creation events. Default: Not configured. Note: When this
e or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depe
llow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Name
fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). If you disable this policy setting, del
o Remote Desktop Session Host running on any machine (TERMSRV/*). If you disable this policy setting, delegation of fresh credentials is no
n, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). If you disable this p
als is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any doma
ames (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard charact
pal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard ch
ore Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a s
mode is not enforced and participating apps can delegate credentials to remote computers. Note: To disable most credential delegation, it

r do not configure this policy setting, Windows creates a system restore point as it normally would.
ows retrieves device metadata from the Internet.

ally during the driver selection process. Selection is based on other criteria, such as version number or when the driver was created. If you
he network is temporarily available. If the setting for searching only if needed is specified, then Windows will search for a driver only if a dri
ng, members of the Administrators group can determine the server used in the search for device drivers.

rver. If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restric
nother policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device
er policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setti

ny device that is not described by the "Prevent installation of devices that match any of these device IDs," "Prevent installation of devices
mote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and update
ecified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows c
emovable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop

ease in the time taken for shutdown and hibernate. If you do not configure this policy setting, the default behavior is observed and the NV
ng is applicable only if the NV cache feature is on.
olicy setting, the system will not manage the NV cache and will not enable NV cache power saving mode. If you disable this policy setting, t
y setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. Note: This policy settin

ect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes. Note: This policy setting turns on disk
rced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the sy
ange the setting while a setting is in effect. If you do not configure this policy setting, no events are recorded, but administrators can use th
e this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. This policy setting
esponding options in the "Select the default quota limit for new users of this volume" section on the Quota tab. This policy setting applies
etting, DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy is not config
b5dcb061-cefb-42e0-a1be-e6a6438133fe}. If you enter a non-existent or improperly formatted appid DCOM will add it to the list without
allowed to install new device drivers on the system.
evice driver searching" is disabled or not configured, the administrator will be prompted for consent before going to Windows Update to s
ed as malware, but the computer cannot successfully boot without loading this driver. - Unknown: This driver has not been attested to by
ed. If you disable or do not configure this policy setting, the Classification tab is hidden.
tion on the affected computers. If you disable or do not configure this policy setting, the Global Resource Property List in AD DS provides t

n a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the
es (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. If you enable this
y setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use the standard English names for these subfolders whe
etting, Windows Server applies user Group Policy settings synchronously. Note: This policy setting applies only to computers running Remo
ng message appears to the user, and an event log message (1529) is posted. - Loopback Group Policy processing is applied, using the Group
u later edit the GPO from a different-language system, you get the English ADM files as they were in the GPO. You can change this behavio
s will be logged on using cached credentials, which will result in shorter logon times. Group Policy will be applied in the background after th
otes: 1. The "Allow processing across a slow network connection" option updates preference items even when the update is transmitted a
e." Notes: 1. The "Allow processing across a slow network connection" option updates preference items even when the update is transmitt
llow processing across a slow network connection" option updates preference items even when the update is transmitted across a slow n
d is detected, Group Policy will default to a slow network connection. This policy setting allows the administrator the option to override the
ect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being tra
otes: 1. The "Allow processing across a slow network connection" option updates preference items even when the update is transmitted ac
w processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow netw
ing priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option updates preference items even when the up
essing across a slow network connection" option updates preference items even when the update is transmitted across a slow network co
changed. By default, background processing priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option up
olicy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no eff
low processing across a slow network connection" option updates preference items even when the update is transmitted across a slow ne
olicy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, a
e the programs' specified responses to slow links. If you enable this setting, you can, in the "Connection speed" box, type a decimal numbe
Allow processing across a slow network connection" option updates preference items even when the update is transmitted across a slow
onfigure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the po
es: 1. The "Allow processing across a slow network connection" option updates preference items even when the update is transmitted acr
s policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even w
, background processing priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option updates preference ite
cripts immediately after logon. If you do not configure this policy setting, Group Policy will wait five minutes before running logon
ged. By default, background processing priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option update
ity is "Idle." Notes: 1. The "Allow processing across a slow network connection" option updates preference items even when the update is t
default, background processing priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option updates prefere
are unchanged. By default, background processing priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" opti
riority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option updates preference items even when the update
sing" option prevents the system from updating affected policies in the background while the computer is in use. When background upda
e "Allow processing across a slow network connection" option updates preference items even when the update is transmitted across a slow
. By default, background processing priority is "Idle." Notes: 1. The "Allow processing across a slow network connection" option updates pre
k connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telepho
periodic background processing" option prevents the system from updating affected policies in the background while the computer is in us
Allow processing across a slow network connection" option updates preference items even when the update is transmitted across a slow
The "Allow processing across a slow network connection" option updates preference items even when the update is transmitted across a s
d. If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this poli
otes: 1. The "Allow processing across a slow network connection" option updates preference items even when the update is transmitted ac
ermine which set of Group Policy Objects applies. If you enable this setting, you can select one of the following modes from the Mode box:
cessing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network
Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow
ent computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by t

oup Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy informati
s only to non-administrators. Administrators can still invoke a refresh of computer policy at any time, no matter how this policy setting is c
to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because upda
nterfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. If you disable
will use this administratively configured maximum wait time and override any default or system-computed wait time. If you disable or do n
Policy uses this administratively configured maximum wait time for workplace connectivity, and overrides any default or system-compute
Policy refresh interval for users" policy settings. Note: If you make changes to this policy setting, you must restart your computer for it to t

tinue to be applied. Note: For computers joined to a domain, it is strongly recommended that you only configure this policy setting in dom
w the RSoP information logged on a client computer, you can use the RSoP snap-in in the Microsoft Management Console (MMC).
for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension listed under
ng for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension listed und
sion is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configur
r this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension listed under Us
ng for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension listed unde
ned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configuration, you
tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension listed
ion is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configura
ion is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configura
nsion is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configu
cludes only warnings and errors, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for ite
rs, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extensio
and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension lis
tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension listed
nsion is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configur
rs, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extensio
nsion is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configu
, and tracing for this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension
nsion is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configu
extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Con
r this extension is turned off. Notes: 1. User Configuration tracing: To perform tracing for items in this preference extension listed under Use
he the policy settings in the "Internet Communication settings" section are set to not configured.
e Manager from automatically installing driver updates from the Windows Update website. If you disable or do not configure this policy setti
wed to use the Store service and the Store item is available in the Open With dialog.
ng, when you are presented with a certificate issued by an untrusted root authority, your computer will not contact the Windows Update
drivers over HTTP.
this policy setting, event description hyperlinks are not activated and the text "More Information" is not displayed at the end of the descr
ting samples from the handwriting recognition personalization tool with Microsoft. If you disable this policy, Tablet PC user writing samples
users can report handwriting recognition errors to Microsoft. If you do not configure this policy Tablet PC users can report handwriting reco
ontent. You might want to enable this policy setting for users who do not have Internet access, because the content in the "Did you know?
you disable or do not configure this policy setting, the Knowledge Base is searched if the user has a connection to the Internet and has not

re displayed. If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishin
etting, the user is allowed to use the Web service.
oose to print to Internet printers over HTTP. Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative T
ws Product Activation is required but does not involve submitting any personal information (except the country/region you live in).
nloads content updates unless the user is using Classic Search. Note: Internet searches still send the search text and information about the

shown. If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. If you do
e this policy setting, all users are opted out of the Windows Customer Experience Improvement Program. If you disable this policy setting,
l for error reporting. Also see the "Configure Error Reporting", "Display Error Notification" and "Disable Windows Error Reporting" policy se
ponents that use NCSI, to determine Internet access. If you disable or do not configure this policy setting, NCSI runs one of the two active
trative Templates/System," which governs whether an administrator is prompted before searching Windows Update for device drivers if a

ou disable or do not configure this policy setting, the domain controller does not support claims, compound authentication or armoring. If y
oller does not provide information about previous logons unless the "Display information about previous logons during user logon" policy s
main controllers to ensure consistent application of this policy in the domain. If you disable or do not configure this policy setting, domain c
C will not search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name is not found, NTLM authe
uld be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize
ompound authentication always send a compound authentication request. If you disable or do not configure this policy setting and the re
he Value column, type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the lis
lue Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and host names of the host
heck for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails.
granting service (TGS) message exchanges with the domain controllers. Note: The Kerberos Group Policy "Kerberos client support for claim
configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication
C's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerbe
nt from LocalSystem or NetworkService might fail to authenticate. If you disable or do not configure this policy setting, any service is allow
owed maximum value, whichever is smaller. If you disable or do not configure this policy setting, the Kerberos client or server uses the loca
og box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax
ured for compound authentication by the following options: Never: Compound authentication is never provided for this computer account.
olve the SPN because the name is not found, NTLM authentication might be used.
ttings. To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured.
led for their user account on the sign-in page.
cy setting is not configured. If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still se
s. If this policy setting is disabled or not configured, then the user can customize their user locale overrides. If this policy is set to Enabled at
ish (United States) and English (Canada). If you enable this policy setting, administrators can select a system locale only from the specified
e, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). If you e
ssword is required when a screensaver turns on, the screensaver timeout will limit the allowable options the user may choose. If you disab

ble. Note that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to ap
omain to which the computer is joined. If you disable or do not configure this policy setting, the default logon domain is always set to the

2000 Professional. It does not affect the "Configure Your Server on a Windows 2000 Server" screen on Windows 2000 Server. Note: This s

icy setting, Windows Vista adds any customized run list configured to its run list. This policy setting appears in the Computer Configuration
and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over t

Ds of the credential providers to exclude from the set of installed credential providers available for authentication purposes. If you disable or

cated in the %Systemroot% directory, you must specify the fully qualified path to the file. If you disable or do not configure this policy setti
tion. If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for servic

dows Startup sound is turned on for all users. If you do not configure this policy setting, the Windows Startup sound is turned on for all use

to establish a connection to this domain controller. If you enable this policy setting, Net Logon will allow the negotiation and use of older
DC emulator if the DC fails to validate the password. If you disable this policy setting, the DCs will not attempt to verify any passwords with
usive access is requested and the caller has only read permission. By default, the Netlogon share will grant shared read access to files on th
omain by an expensive (e.g., ISDN) line, this parameter might be adjusted upward to avoid frequent automatic discovery of DCs in a truste
is requested and the caller has only read permission. By default, the SYSVOL share will grant shared read access to files on the share when

above. If you disable this policy setting or do not configure it, the default behavior occurs as described above.
ted above.
ny DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available
y is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0
rs use their local configuration.
policy setting is used. The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*6
ified in the NegativeCachePeriod subkey, the value in the NegativeCachePeriod subkey is used. Warning: If the value for this setting is too l
this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. If the value for this setting is smaller than the va

bling this setting may result in additional network traffic and increased load on DCs. You should disable this setting once all DCs are runnin
, and can be used in an environment without WINS, in an IPv6-only environment, and whenever DC location based on a NetBIOS domain n
to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetB
ill only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by def
ss. But if some applications are broken due to the returned IPv6 DC address, this policy can be used to disable the default behavior and enf
DNS SRV resource records, click Enabled, and then enter a value. The range of values is from 0 to 65535. If you do not configure this policy

cts the target host to be contacted is proportional to the Weight field value in the SRV record. To specify the Weight in the DC Locator DNS
n the following behaviors: 0 - DCs will never perform address lookups. 1 - DCs will perform an exhaustive address lookup to discover additio
es.<DnsDomainName> Pdc SRV _ldap._tcp.pdc._msdcs.<DnsDomainName> Gc SRV _ldap._tcp.gc._msdcs.<DnsForestNam
ot configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
ervers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to a
ords and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the application dire
ne or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. To specify the sit
GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access a
-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A s
r no Global Catalog for the same forest, exists. If you disable this policy setting, the DCs will not register site-specific DC Locator DNS SRV re
ain policy setting is enabled. If you enable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to wh
ting an Active Directory domain specified with a single-label name using DNS name resolution. If you disable this policy setting, computers t

and change this setting.

etting, users can control this setting.

ide show" policy setting can be used to disable the slide show feature.
ide show" policy setting can be used to disable the slide show feature.
" policy setting can be used to disable the slide show feature.
" policy setting can be used to disable the slide show feature.
de show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling
de show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling

an be used to disable the slide show feature.


an be used to disable the slide show feature.

to restore the computer to the original state or from a user-created system image. This is the default setting. If you disable this policy se
computers running this version and a previous version of the operating system can connect to this computer. If you do not configure this p
hnical support staff using Offer (Unsolicited) Remote Assistance. If you enable this policy setting, you have two ways to allow helpers to pro
o allow connections to this computer. If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Ass
able this policy setting, the user sees the default warning message. If you do not configure this policy setting, the user sees the default warn
drag -Turn off background. If you enable this policy setting, bandwidth optimization occurs at the level specified. If you disable this policy setti

policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients mak
nter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation. If you disable this policy setting, the RPC Runti
n RPC state information. -- "None" indicates that the system does not maintain any RPC state information. Note: Because the basic state in
on. If you do not configure this policy setting, it remains disabled. It will only generate a status code to indicate an error condition. If you e
C server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support
the RPC Client, the RPC Server and the RPC HTTP Proxy are all running Windows Server 2003 family/Windows XP SP1 or higher versions. I

ovable Data Drives."


bled, and the DNS suffixes are not configured.

th Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether this policy
aneously. This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Con
a operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether the "Run startup scripts v
O C). This policy setting is enabled in GPO A. GPO B and GPO C include the following computer startup scripts: GPO B: B.cmd, B.ps1; GPO C:
A. GPO B and GPO C include the following user logon scripts: GPO B: B.cmd, B.ps1; GPO C: C.cmd, C.ps1. Assume also that there are two users
ipts to finish. To direct the system to wait until the scripts have finished, no matter how long they take, type 0. This interval is particularly
ndows Server 2008 R2), or the “Refresh the data shown in Server Manager every [x] [minutes/hours/days]” setting (in Windows Ser
administrator logs on to the server. However, if an administrator selects the "Do not show this window at logon" option, the window is not
“Do not start Server Manager automatically at logon” (Windows Server 2012) option is selected, the console is not displayed automa

ll be automatically terminated during shutdown, helping to ensure that Windows can shut down faster and more smoothly.
r do not configure this policy setting, users can change the System Restore settings through System Protection. Also, see the "Turn off Syst
do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. A
s it detects or indicate to the user that assisted resolution is available. If you disable this policy setting, Windows cannot detect, troublesho
effect immediately. This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is st

mpatibility issues for applications and drivers. If you do not configure this policy setting, the PCA is configured to detect failures during appl

art is required. This behavior is recommended for headless operation. Troubleshooting Only: Detection and troubleshooting of corrupted fi
tting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in
potential data loss. If you disable this policy, S.M.A.R.T. faults are still detected and logged, but no corrective action is taken. If you do no
y default. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. This policy setting takes effe
ide scenario execution policy is not configured. No reboots or service restarts are required for this policy setting to take effect. Changes tak
ser to download additional tools to diagnose problems on remote computers only. If you enable this policy setting for local and remote tr
not configure this policy setting, MSDT support mode is enabled by default. No reboots or service restarts are required for this policy settin
d and will suggest the application that should be re-installed. This behavior is recommended for headless operation and is the default reco
ws will not be able to detect, troubleshoot or resolve problems on a scheduled basis. If you do not configure this policy setting, local trouble

dalone troubleshooting packs such as those found in .diagcab files.


s hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface. If you disable this policy setting, users
etect Windows Boot Performance problems and indicate to the user that assisted resolution is available. If you disable this policy setting, W
or disabled, diagnostic scenarios are not executed. Note: The DPS can be configured with the Services snap-in to the Microsoft Manageme

tion, the DPS will detect Windows Resource Exhaustion problems and indicate to the user that assisted resolution is available. If you disabl
DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available. If you disable this
esolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is availa
DPS will detect Windows System Responsiveness problems and indicate to the user that assisted resolution is available. If you disable this
tion blob plus the TPM user delegation blob, or none. If you enable this policy setting, Windows will store the TPM owner authorization i
"Command Management" section. If you disable or do not configure this policy setting, only those TPM commands specified through the d
efault Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through s
ured by Windows. See the related policy setting to configure the Group Policy list of blocked TPM commands. If you disable or do not confi
s can send commands requiring authorization to the TPM. An authorization failure occurs each time a standard user sends a command to
ds requiring authorization to the TPM. An authorization failure occurs each time a standard user sends a command to the TPM and receiv
d standard users can send commands requiring authorization to the TPM. An authorization failure occurs each time a standard user sends
bling this policy setting, a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS
figuring this policy setting, you can alter this behavior. If you enable this policy setting, the administrator group is also given full control to th
you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection
d. If you enable this policy setting, any local copies of the user's roaming profile are deleted when the user logs off. The roaming profile stil
tically delete any profiles on the next system restart.
d it ignores the policy settings that tell the system how to respond to a slow connection. If you disable this policy setting or do not configur
ade for the correct permissions if the profile folder already exists. For Windows Server 2003 family, Windows 2000 Professional SP4 and W
istry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed. If you disable or do not configure
aded. If you disable this policy setting or do not configure it, Windows logs on the user with a temporary profile when Windows cannot loa
nt in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory s
sed profiles. If you enable this policy setting, you can override the amount of time Windows waits for user input before using a default user
on time. You can use this policy setting to change this behavior. If you enable this policy setting, Windows will not delete Windows Installer
ng or editing the registry, the system cannot unload it. The system tries repeatedly (at a rate of once per second) to unload and update the
red to use roaming profiles from receiving their profile on a specific computer. If you enable this setting, the following occurs on the affect
ng, you can prevent changes made to a roaming profile on a particular computer from being persisted. If you enable this policy setting, cha
oose to download the remote copy of the user profile. In Microsoft Windows Vista, a check box appears on the logon screen and the user
setting, Windows waits for the network to become available up to the maximum wait time specified in this policy setting. Setting the value
re that you have set the appropriate security on the folder to allow all users to access the profile. If you enable this policy setting, all users
ofile's registry file at the specified interval after the user logs on. For example, with a value of 6 hours, the registry file of the roaming use
assign to the file share. If you choose “On the local computer,” enter a local path (for example, C:\HomeFolder) in the Path box. Do n

rieve the user's UPN, SIP/URI, and DNS. "Always off" - users will not be able to change this setting and the user's name and account picture
is slow. If you disable this policy setting or do not configure it, when a remote profile is slow to load, the system loads the local copy of the

95" as the maximum amount of disk space. If you disable this policy setting or do not configure it, the default value is set to 50 MB on Wind
p. If you disable or do not configure this policy setting, by default, files are scanned only during setup. Note: This policy setting affects file sc

not defined by specific unit measurements. FrequencyCorrectRate: This parameter controls the rate at which the W32time corrects the local
formation, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Setti

Wild card characters cannot be used when specifying the host URLs.
lidation criteria. If you are aware that a trusted site has a certificate error but you want to trust it anyway you can select the certificate err

er profiles for the Guest account and members of the Guests group. If you enable this policy setting, Group Policy allows deployment opera
this policy setting, Windows Store apps can open files in the default desktop app for a file type.
figure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme. Note: Enabling this policy setting

stem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. If the status is set
is interface.
cy applications, and will not block known incompatible applications from installing. (For Instance: This may result in a blue screen if an old
try collection has stopped for all applications, please reboot your machine.
Collector will be turned on. Note: This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inve
s when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already
not configure this policy setting, Steps Recorder will be enabled.
ity of the applications they are using. If you disable or do not configure this policy setting, the Switchback will be turned on. Please reboot

ther autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. If you enable this polic
devices. If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives.
ble to log on to a Windows-based computer using biometrics. Note: Users who log on using biometrics should create a password recovery d
ws. Note: Users who log on using biometrics should create a password recovery disk; this will prevent data loss in the event that someone
rics cannot be used by any users to log on to a local Windows-based computer. Note: Users who log on using biometrics should create a pa

ironment variables in the path. If the path is not valid, the BitLocker setup wizard will display the computer's top-level folder view. If you d
you will be able to choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives. If you disable or do
008 R2, or Windows 7. If you enable this policy setting you will be able to choose an encryption algorithm and key cipher strength for BitLo
recovery key. If you enable this policy setting, you can configure the options that the setup wizard displays to users for recovering BitLocke
this policy setting, BitLocker secrets are removed from memory when the computer restarts.
nagement of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader
uter. This policy setting is applied when you turn on BitLocker. Note: You might need to set up appropriate schema extensions and access c
67.1.1 Note: BitLocker does not require that a certificate have an EKU attribute, but if one is configured for the certificate it must be set to
nt can be viewed. These operating systems have read-only access to BitLocker-protected drives. When this policy setting is enabled, select
BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. In "Configur
ot support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-
cy\ must be also enabled. Note: These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow
rs available on the drive. If you disable this policy setting, users are not allowed to use smart cards to authenticate their access to BitLocker

he encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in
BitLocker setup. If you disable or do not configure this policy setting, enhanced PINs will not be used.
the BitLocker Drive Encryption Network Unlock server must be provisioned with a Network Unlock certificate. The Network Unlock certific
e of Secure Boot-based integrity validation. If you disable this policy setting, BitLocker will use legacy platform integrity validation, even on
or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information ab

hange while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead
fferent values into the Platform Configuration Registers (PCRs). Use the "Configure TPM platform validation profile for native UEFI firmwa
figuration Registers (PCRs). Use the "Configure TPM platform validation profile for BIOS-based firmware configurations" group policy setti
at do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with har
s\Password Policy\ must be also enabled. Note: These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLo

nvironment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environme
he encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in
a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on th
e computer starts, it can require users to insert a USB flash drive containing a startup key. It can also require users to enter a 4-digit to 20-d
tLocker recovery.
nfiguration Data (BCD) integrity validation, as defined by the "Allow Secure Boot for integrity validation" group policy, the "Use enhanced B
their content can be viewed. These operating systems have read-only access to BitLocker-protected drives. When this policy setting is ena
Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. I
t do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hard
e settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the pro
rotectors available on the drive. If you disable this policy setting, users are not allowed to use smart cards to authenticate their access to B
encryption from the drive or suspend the encryption while maintenance is performed. Consult the BitLocker Drive Encryption Deployment
e access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fie
he encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in
ox. To display the password, click the password reveal button. The policy applies to all Windows components and applications that use the

will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows c

olicy setting requires a logoff for it to be applied.

be changed by users.

Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
Retain old events" policy setting is enabled, new events are discarded and the old events are retained.

Retain old events" policy setting is enabled, new events are discarded and the old events are retained.

Retain old events" policy setting is enabled, new events are discarded and the old events are retained.

• Give user a warning before running downloaded unknown software • Turn off SmartScreen. If you disable or do not configure this polic

of the default Library definition files.


gured, disabled, or the client machine is not domain-joined, no default associations will be applied at logon time. If the policy is enabled, d

olicy setting the protocol is fully enabled, allowing the opening of folders and files. If you disable this policy setting the protocol is in the pro
u disable or do not configure this policy setting, Folder Redirection does not create a temporary file and functions as if both new and old lo

nding to on-disk restore points. If you do not configure this policy setting, it is disabled by default.
setting, it is disabled by default. The Restore button is active when the previous version is of a local file.
e backup media. If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version
ot configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share.

ust restart the computer for this policy setting to take effect.
isable or do not configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run.

will be applied to Automatic Maintenance.


policy setting, the wake setting as specified in Action Center/Automatic Maintenance Control Panel will apply.

o a Network Projector" policy setting is configured.

b of the Password Synchronization Properties dialog box. Note: Valid values for the interval between retries are whole numbers from 1 thro
on the Configuration tab of the Password Synchronization Properties dialog box. Note: Valid values that can be specified for the number of
ronization Properties dialog box is configured.
e or do not configure this policy setting, individual computers that are running Password Synchronization synchronize changes to UNIX-bas

connected will not be enabled unless a user configures the option manually in the BIOS or other boot order configuration. If you do not co
customize their system settings for presentations in Windows Mobility Center. If you do not configure this policy setting, Windows presenta
respond to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on
will try to issue a Windows Server 2003 TS CAL for clients connecting to a terminal server running Windows Server 2003. By default, if the m
from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher
ecifying an .rdp file). If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Use
Host server can be authenticated, the client establishes a connection to the RD Session Host server. If the RD Session Host server cannot b

s of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user is prompted on both the client computer and on the RD Se
you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. Notes: You can define this policy settin

DP redirection by using any user account. For this change to take effect, you must restart Windows.

configured for Remote Desktop IP Virtualization to work.


per user application installation requests are queued and handled by the msiexec process in the order in which they are received.
is policy setting, Remote Desktop IP Virtualization is turned off.

ctions. If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to det
figured, automatic reconnection is not specified at the Group Policy level. However, users can configure automatic reconnection using the
e RD Session Host server is configured to allow multiple sessions), and the original session might still be active. If you enable this policy setti
the connected administrator is allowed. Note: The console session is also known as Session 0. Console access can be obtained by using the
mited number of Remote Desktop Services sessions, and Remote Desktop for Administration allows two Remote Desktop Services session
u do not configure this policy setting, this policy setting is not specified at the Group Policy level.
emote Desktop Protocol will not try to adapt the remote user experience to varying network quality. If you disable Connect Time Detect an
ffic will use TCP. If you disable or do not configure this policy setting, RDP will choose the optimal protocols for delivering the best user expe
thout the user's consent. 4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the u
s. If you disable or do not configure this policy setting, the Start screen is shown and apps are registered in the background.

etting in a Remote Desktop Protocol (.rdp) file. By default, video playback is enabled. By default, audio and video playback redirection is no
08 R2. Audio recording redirection is allowed by default when connecting to a computer running at least Windows 7, or Windows Server 2
e is the same as the server time zone.Note: Time zone redirection is possible only when connecting to at least a Microsoft Windows Server
s allows Clipboard redirection. If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level.
mote Desktop Services always allows COM port redirection. If you do not configure this policy setting, COM port redirection is not specified
opy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP. If you disable this policy setting,
allowed. If you do not configure this policy setting, LPT port redirection is not specified at the Group Policy level.
ast Microsoft Windows XP Professional and the target server must be joined to a domain.
nd Play devices to the remote computer. If you disable or do not configure this policy setting, users can redirect their supported Plug and P
latency as determined by the codec that is being used. If you select Dynamic, the audio will be sent with a level of compression that is det
this policy setting, these notifications will not be displayed on the RD Session Host server. If you disable or do not configure this policy setti
tting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server. If you disable or do not config
owing order: 1. Remote Desktop license servers that are published in Active Directory Domain Services. 2. Remote Desktop license serv
etting, users can redirect print jobs with client printer mapping. If you do not configure this policy setting, client printer mapping is not spec
tically maps the client default printer and sets it as the default printer upon connection. If you do not configure this policy setting, the defa

not available. You can choose to change this default behavior. The available options are: "Do nothing if one is not found" - If there is a prin
matches the client printer, the client printer is not available for the Remote Desktop session. If you disable this policy setting, the RD Session
e entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is che
specified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user
e home directory on the local computer, type the Home Dir Root Path in the form "Drive:\Path" (without quotes), without environment va
profiles are not used by users connecting remotely to the RD Session Host server. Note: For this policy setting to take effect, you must also
g farm name, the server joins that farm in RD Connection Broker. If you enable this policy setting, you must specify the name of a farm in R
er 2012 R2, for a high availability setup with multiple RD Connection Broker servers, you must provide a semi-colon separated list of the FQ
e farm exists on the RD Connection Broker server that is specified in the Configure RD Connection Broker server name policy setting.If you
ost server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD
RD Session Host server where their session exists. If you disable this policy setting, users who do not have an existing session log on to the
the remote computer. If you enable this policy setting, desktop composition will be allowed for remote desktop sessions. On the client co
tting overrides any initial program policy settings.If you disable or do not configure this policy setting, an initial program can be specified th
uses less network bandwidth, but is more memory-intensive. Additionally, a third option is available that balances memory usage and netw
ng and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes m
ure this policy setting, the RemoteFX experience will change dynamically based on the network condition."
s allowed for remote connections. You can configure font smoothing on the Experience tab in Remote Desktop Connection (RDC) or by usi
ort the Windows Server 2008 R2 SP1 RemoteFX Codec.If you disable or do not configure this policy setting, non-Windows thin clients that
emote Desktop Services sessions.If the status is set to Enabled, wallpaper never appears in a Remote Desktop Services session.If the statu
d by the color support available on the client computer. If you select Client Compatible, the highest color depth supported by the client wi
u disable or do not configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Se
mber of monitors that can be used to display a Remote Desktop Services session is not specified at the Group Policy level.
ndows dialog box.Note: This policy setting affects only the Shut Down Windows dialog box. It does not prevent users from using other met
ecurity remains in the Settings menu.
nu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off.To use this setting
not use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs
c Render Driver as the default adapter.NOTE: The policy setting affects only the default graphics processing unit (GPU) on a computer with
ed on an RD Session Host server, RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme.If you en
either Rich multimedia or Text.If you disable or do not configure this policy setting, Remote Desktop Services sessions are optimized for ric
at is performed).If you have a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the high
sktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.If you d
nly.If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descrip
es always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the req
If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, nati
Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then
red when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs wh
ata sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in envir
for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings.If you e
to keep the session active. If you have a console session, idle session time limits do not apply.If you disable or do not configure this policy
f you have a console session, active session time limits do not apply.If you disable or do not configure this policy setting, this policy setting
disconnected sessions are maintained for an unlimited time on the server.If you enable this policy setting, disconnected sessions are delet
he time limit that you specify is reached. When the time limit specified is reached, the RemoteApp session will be logged off from the RD S
deleted when a user logs off, even if the server administrator specifies otherwise.If you do not configure this policy setting, Remote Deskto
u enable this policy setting, per-session temporary folders are not created. Instead, a user's temporary files for all sessions on the remote c

hrough the Feed APIs.


n in Internet Explorer and delete a feed or Web Slice through the feed list control. A developer can add or delete a feed or Web Slice by usi

nnection.A developer cannot change this policy setting through the Feed APIs.
ervice is Windows SharePoint Services (WSS), the query should resemble the following, where XXXX is the locale ID of your WSS Service. Fo
s SharePoint Portal Server, your query should resemble the following: http://sitename/Search.aspx?k=$w If your intranet search service is W
tting is set to not index encrypted content. When this setting is enabled or disabled, the index is rebuilt completely. Full volume encryptio
ffer only because of diacritics as the same word.
it can determine the language of a document with high confidence.

queries on the web, and if the web results are displayed in Search.
nfigure this policy setting, a user can choose whether or not Search can perform queries on the web over metered connections, and if the
behavior for Search is to not index online delegate mailboxes. Disabling this policy will block any indexing of online delegate mailboxes. O

n support. If you set this policy to not configured, then online mail items will be indexed at the speed of 120 items per minute. This policy
ified user locations will be visible.

o specify an initial default list of excluded file types that users can change later, see the administration guide for information about how to

-xxxxxxxxxxxx} (include the braces) or a ProgID such as VisFilter.CFilter.1.If you maintain a locked desktop environment, this setting is redu
ts, and your users can choose the location of the preview pane

usage information but don't share search history, Microsoft account info or specific location. If you disable or don't configure this policy

tus section are displayed. Note that Security Center can only be turned off for computers that are joined to a Windows domain. When a co
ox.Note: Valid values for intervals are whole numbers in the following ranges: days, 0 through 99999; hours, 0 through 23; minutes, 0 thro
n logging" policy setting on the Logging tab of the Server for NIS Properties dialog box is configured.

ith a connected account will save files to SkyDrive by default.


rtificates with a Client Authentication EKU. If you disable or do not configure this policy setting, only certificates that contain the smart card
ing, are not affected by this policy setting. Note: If you use an ECDSA key to log on, you must also have an associated ECDH key to permit l

dity has expired.If you disable or do not configure this policy setting, certificates which are expired or not yet valid will not be listed on the

e user (determined by their UPN). If there are two or more of the "same" certificate on a smart card and this policy is enabled then t
e this setting, then Windows will attempt to read all certificates from the smart card regardless of the feature set of the CSP.If you disable

splayed. This setting controls the appearance of that subject name and might need to be adjusted per organization.If you enable this polic

ve passed the Windows Hardware Quality Labs (WHQL) testing process.


n by default and configurable by the user.

on suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable this policy, Input Panel w
n the Input Panel Options dialog box.If you disable this policy, Input Panel will appear next to any text entry area in applications where thi
Options dialog box.If you disable this policy, Input Panel will appear next to text entry areas in applications where this behavior is availabl
keyboard to enter text, symbols, numbers, or keyboard shortcuts.If you enable this policy, rarely used Chinese, Kanji, and Hanja characters
o configure this setting in the Input Panel Options dialog box.If you do not configure this policy, Input Panel tab will appear on the edge of
will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Inp
ble this policy and choose "Low" from the drop-down box, password security is set to "Low." At this setting, all password securit
" from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in th
set of the Disable pen flicks policy.If you disable or do not configure this policy, all the features described above will be available.

by default.Note: Changes to this setting will not take effect until the user logs off.

power management settings, and its security context. Beginning users will often not be interested or confused by having the property shee
gs, and its security context.Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are co

he Start menu and its submenus. Once a task is created, users cannot change the program a task runs.Important: This setting does not pre
and it does not prevent users from deleting tasks.Note: This setting appears in the Computer Configuration and User Configuration folders
omputer from using At.exe to create new tasks or prevent administrators from submitting tasks from remote computers.
figuration.Important: This setting does not prevent administrators of a computer from using At.exe to delete tasks.
ervice will be started if it is set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware

will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator.

pecified start time.If you disable this setting, scheduled tasks will begin at the specified start time.
efender automatically takes action on all detected threats after a nonconfigurable delay of approximately ten minutes.

ue is not used and it is recommended that this be set to 0.


is not used and it is recommended that this be set to 0.

ved. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to M
the default rate.

up-to-date with all the latest security updates, network protection will have no impact on network performance.If you enable or do not c

ty will be present on those volumes. The options for this setting are mutually exclusive: 0 = Scan incoming and outgoing files (default) 1 = Sc

sable or do not configure this setting, a scheduled full scan to complete remediation will run at a default frequency.
te remediation will run at a default time.

default frequency.

red, there will be no catch-up scan run. If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turne
figured, there will be no catch-up scan run.If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be t

t number of days.

vice will not receive notifications to disable definitions.


disable this setting, real-time definition updates will be disabled.

ist will not be contacted.If you disable or do not configure this setting, the list will remain empty by default and no sources will be contact

ot configure this setting, spyware definitions will be considered out of date after the default number of days have passed without an updat
gure this setting, virus definitions will be considered out of date after the default number of days have passed without an update.
pecified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not b

k for definition updates will occur at a default frequency.

or do not configure this setting, the check for definition updates will occur at the default time.

ult consent and notification settings.


hen Control Panel settings for Windows Error Reporting override this policy setting.If you enable this policy setting, the setting overrides an

uration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If T


n. Disabling this policy setting is useful for servers that do not have interactive users.If you do not configure this policy setting, users can ch

file for a report that contains data about the same event types.

s policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the comput

ows Error Reporting sends error reports to Microsoft.


orts are automatically deleted.If you disable or do not configure this policy setting, no Windows Error Reporting information is stored.
ompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. If Queuing b
check box is filled, all errors in Windows applications are reported, regardless of the setting in the Default dropdown list. The Windows ap
configured to report all application errors.If you enable this policy setting, you can create a list of applications that are always included in e
ension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors f
ad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported
licy setting.

sent to send any additional data that is requested by Microsoft. - Send parameters and safe additional data: the minimum data that is requ
pe. - 1 (Always ask before sending data): Windows prompts the user for consent to send reports. - 2 (Send parameters): Windows Error Rep

to which files are installed.If Windows Installer detects that an installation package has permitted the user to change a protected option,
r's security context. Also, see the "Remove browse dialog box for new source" policy setting.If you disable or do not configure this policy s
with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.This policy setting does not
t configure this policy setting, by default, users can install programs from removable media only when the installation runs in the user's se
ssion to view or change, including directories on highly restricted computers.If you disable or do not configure this policy setting, the syste
he Windows Installer will stop populating the baseline cache for new updates. The existing cached files will remain on disk and will be dele
component.(2) Add a new feature to the top or middle of an existing feature tree.The new feature must be added as a new leaf feature to

eir employees. However, because this policy setting can pose a security risk, it should be applied cautiously.
who are not system administrators cannot apply patches to installations that run with elevated system privileges, such as those offered on
ill be applied using a minimal set of processing.
eges can install non-administrator updates.
he product.If you disable or do not configure this policy setting, a user can remove an update from the computer only if the user has been
ned to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an insta
Manager Off" option turns off Restart Manager for file in use detection and the legacy file in use behavior is used. -- The "Restart Manager
cy setting and "Hide User Installs" is selected, the installer ignores per-user applications. This causes a per-computer installed application t
ure this policy setting, the Browse button is enabled when an installation is running in the user's security context. But only system adminis
nnected to the original or identical media to reinstall, remove, or repair the installation.This policy setting is designed for enterprises to pre
ou disable or do not configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap."
each time an application is installed, so that users can restore their computer to the state it was in before installing the application.
property. -- The "Logging via package settings off" option turns off the automatic logging behavior when specified via the MsiLogging policy

Professional and Windows Vista when the policy is not configured. -- The "For non-managed applications only" option permits users to ins
ccess applications can simulate the SAS.If you disable or do not configure this setting, only Ease of Access applications running on the secu
by that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop.For dom

sable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' l

ct music that they copy from a CD and play this protected content on their computer, since the license is generated locally in this scenario
not configure this policy setting, and the "Set and lock skin" policy setting is enabled, some options in the anchor window are not available
do not configure this policy setting, the dialog boxes are displayed when the user starts the Player for the first time.

eo smoothing occurs if necessary. Users can change the setting for the Use Video Smoothing check box.Video smoothing is available only

on the Preferences tab on the Tools menu in the Windows Messenger user interface.Note: If you do not want users to use Windows Messe

e: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configur
e is equivalent to setting the LogPipelineExecutionDetails property of the module to False. If this policy setting is not configured, the Lo
all scripts to run.If you disable this policy setting, no scripts are allowed to run.Note: This policy setting exists under both "Computer Config
capable applications will be unable to access reliability information from the listed providers.

t needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer.

or do not configure this policy setting, the WinRM service will not respond to requests from a remote computer, regardless of whether or n

policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAs
ning a valid channel binding token is rejected. If HardeningLevel is set to Relaxed (default value), any request containing an invalid cha
150 is used by default.

t Control window and do not need elevated permissions to install these updates, except in the case of updates that contain User Interface
date service location must be signed by Microsoft.Note: Updates from a service other than an intranet Microsoft update service must alwa
s installations" policy is enabled, then this policy has no effect.
sabled or Not Configured, Windows will check for available updates at the default interval of 22 hours.Note: The "Specify intranet Microso
are ready to be downloaded. After going to Windows Update, users can download and install any available updates. 3 = (Default setti

ption will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects t
the "Specify intranet Microsoft update service location" policy.
x if updates are available when the user selects the Shut Down option in the Start menu.
abled or Not Configured, no target group information will be sent to the intranet Microsoft update service.Note: This policy applies only w
stem up to install the updates.Windows update will also wake the system up and install an update if an install deadline occurs.The system
to Disabled or Not Configured, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to comple
cy has no effect. This policy has no effect on Windows RT
he computer is next started.Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of upd
updated workstations upload statistics. You can set both values to be the same server.If the status is set to Enabled, the Automatic Updat

available. The user can click the notification to open the Windows Update Application and get more information about the software or inst
ministrative Templates\Windows Components\WorkFolders. If the "Specify Work Folders settings" policy setting does not apply to a user,
he specified lock screen image to be shown.Note: This setting only applies to domain-joined machines, or unconditionally in Enterprise and

g email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and s
f you disable or do not configure this policy setting, users will be able to customize their account pictures.

ers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching se
puter's administrative settings for Windows Branch Cache disable its use entirely.
uters before reverting to the origin server. Note: This policy setting has no effect if the "Allow BITS peer caching" policy setting is disa
setting is disabled or not configured.
policy setting is disabled or not configured.
of the total system disk size. Note: This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configure

e to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this p
olicy setting, you can enter a value in bits per second (bps) between 1048576 and 4294967200 to use as the maximum network bandwidth
300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local ad

transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be
of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule. If you disable or do not configure this poli
s: high, normal, and low. You can specify a limit to use for background jobs during a work schedule. For example, you can limit the ne
rphaned jobs occupying disk space. If you enable this policy setting, you can configure the inactive job timeout to specified number of
ents begin caching content after they receive it from the file servers. Policy configuration: Select one of the following: - Not Configured. With
ting system. Policy configuration: Select one of the following: - Not Configured. With this selection, this policy setting is not applied to client c
ervers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, yo
olicy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cac
lient computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable
by this policy. In the circumstance where client computers are domain members but you do not want to enable BranchCache on all client c
tion: Select one of the following: - Not Configured. With this selection, BranchCache settings are not applied to client computers by this poli
ant to configure a BranchCache client computer cache setting on all client computers, you can specify Not Configured for this domain Grou
members but you do not want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Polic
e unqualified multi-label name is appended with DNS suffixes. These suffixes can be derived from a combination of the local DNS client's p

pplied list of DNS servers, if configured.


e this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label nam
t use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.

works lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding ord
x.If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is us
NS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for th
nd primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS t
omputer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies
ecords even if registration of the corresponding A records was not successful.Register only if A record registration succeeds: Computers w
e longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval
use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the clien

tting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.
this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT qu
is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
ettings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure
ters do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the com
ort, and users can only authenticate with Wi-Fi hotspots using a web browser.
Group Policy setting, and then configure local machine policy to enable BranchCache on individual file servers. Because the domain Group
shes. Policy configuration: Select one of the following: - Not Configured. With this selection, BranchCache settings are not applied to client co
choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead.If you disable or d
hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "

1. In order to use the global, well known seed server on the Internet only; enable the setting, leave the seed server list empty, leave the ch
orking scenarios).If you disable this setting, PNRP will use multicast for bootstrapping on the same subnet.If this setting is not configured,
-local address.If you enable this policy setting, PNRP does not create a cloud, and applications cannot use this cloud to publish or resolve n

t to using a public registry key to determine the seed server to bootstrap from.
tworking scenarios).If you disable this setting, PNRP will use multicast for bootstrapping on the same subnet.If this setting is not configure
-local address.If you enable this policy setting, PNRP does not create a cloud, and applications cannot use this cloud to publish or resolve n

tocol will revert to using a public registry key to determine the seed server to bootstrap from.
tworking scenarios).If you disable this setting, PNRP will use multicast for bootstrapping on the same subnet.If this setting is not configure
-local address.If you enable this policy setting, PNRP does not create a cloud, and applications cannot use this cloud to publish or resolve n

or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not rem
t filter for home and small office users to protect them from Internet network security threats.If you enable this setting, Internet Connecti
Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled.If you disable this setting or do not confi

etween remote client computers running DirectAccess and the Internet is not routed through the internal network.If you do not configure
n disabling this policy, Windows Firewall deletes the list.Note: You define entries in this list by using Security Descriptor Definition Languag
this policy setting, Windows Firewall blocks all the listed incoming and outgoing ICMP message types. As a result, utilities that use the bloc
printers. If an administrator attempts to open any of these ports by adding them to a local port exceptions list, Windows Firewall does not
assigned ports, typically in the range of 1024 to 1034. On Windows Vista, this policy setting does not control connections to SVCHOST.EXE
mpts to open this port by adding it to a local port exceptions list, Windows Firewall does not open the port. In the Windows Firewall compo
which prevents this computer from receiving Plug and Play messages. If an administrator attempts to open these ports by adding them to a
ws Firewall with Advanced Security snap-in. If you wish to prevent all locally created rules from applying, use the Group Policy Object Edito
all rules in the Windows Firewall with Advanced Security snap-in. If you wish to prevent all locally created rules from applying, use the Gro
ws Firewall service account has write permissions to the folder containing the log file. Default path for the log file is %systemroot%\system
ort, click its definition, and then press the DELETE key. To edit a definition, remove the current definition from the list and add a new one w
exceptions" policy setting. To view the program list, enable the policy setting and then click the Show button. To add a program, enable th
Firewall applies other policy settings that allow unsolicited incoming messages. In the Windows Firewall component of Control Panel, the
at in the Windows Firewall component of Control Panel, the "Notify me when Windows Firewall blocks a new program" check box is select
Dynamic Host Configuration Protocol (DHCP) broadcast message sent by this computer. Windows Firewall always permits those DHCP unic
ernet Connection Firewall on your DNS domain network" policy setting overrides.
this policy setting, Windows Firewall blocks all the listed incoming and outgoing ICMP message types. As a result, utilities that use the bloc
printers. If an administrator attempts to open any of these ports by adding them to a local port exceptions list, Windows Firewall does not
assigned ports, typically in the range of 1024 to 1034. On Windows Vista, this policy setting does not control connections to SVCHOST.EXE
mpts to open this port by adding it to a local port exceptions list, Windows Firewall does not open the port. In the Windows Firewall compo
which prevents this computer from receiving Plug and Play messages. If an administrator attempts to open these ports by adding them to a

ation the sole list of allowed proxies, enable the "Proxy definitions are authoritative" setting. If you disable or do not configure this policy se
18.0.0.2 For more information see: http://go.microsoft.com/fwlink/p/?LinkId=234043
these addresses are the only addresses ever classified as private, enable the "Subnet definitions are authoritative" policy setting. If you disa

p://go.microsoft.com/fwlink/p/?LinkId=234043
ng or select the "Work offline" option, users can work offline if disconnected. If you do not configure this setting, users can work offline by

llowed Time Without A Sync' value to ensure that all network folders on the machine are synchronized with the server on a regular basis.
ered to be slow. Note: Use the following formula when entering the slow link value: [ bps / 100]. For example, if you want to set a threshold
ip network latency is above (slower than) the Latency threshold parameter. You can configure the slow-link mode by specifying threshold v
space limit. If you disable this setting, the system limits the space that automatically cached files occupy to 10 percent of the space on the
nk mode" policy to avoid network usage.
ered by the configured round trip network latency value. We recommend using this policy setting when the network connection to the ser
is includes existing files as well as files added later, even if the files were stored using NTFS encryption or BitLocker Drive Encryption while
ent when the server hosting the offline file is disconnected from the network. "2" also records events when the local computer is connecte
pe the file name extension in the "Extensions" box. To type more than one extension, separate the extensions with a semicolon (;). Note: T

w much of that disk space can be used by automatically cached files. If you disable this policy setting, the system limits the space that offlin
server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configura
h settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. Tip: To view the O
etting in Computer Configuration takes precedence over the setting in User Configuration. Tip: This setting provides a quick method for loc
e setting in Computer Configuration takes precedence over the setting in User Configuration. Tip: To set reminder balloon frequency withou

edence. The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows
d for all files and folders. If you do not configure this policy setting, the "Make Available Offline" command is available for all files and folde

or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use). If you
ilable offline when they make a parent folder available offline.
zation by default, but users can change this option. This setting appears in the Computer Configuration and User Configuration folders. If b
. Quick synchronization ensures that files are complete but does not ensure that they are current. If you do not configure this setting and S
e logged on to the computer at the time the computer is suspended, a synchronization is not performed.
rs can change the setting. To prevent users from changing the setting while a setting is in effect, the system disables the "Enable reminders

the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
e registry, this setting is ignored when configuring that network adapter.

that network adapter.


nored when configuring that network adapter.
n configuring that network adapter.
ignored when configuring that network adapter.
g that network adapter.
guring that network adapter.
ored when configuring that network adapter.
configuring that network adapter.
gnored when configuring that network adapter.
nfiguring that network adapter.

s requests from management systems within the communities it recognizes, and only SNMP Read operation is allowed for the community.
setting. If you disable or do not configure this policy setting, SNMP service takes the permitted managers configured on the local compute
to the hosts within the "public" community. If you disable or do not configure this policy setting, the SNMP service takes the trap configura
CBC_SHA_P521 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE

nectivity and a public IPv4 address. If no global IPv6 address is present and no global IPv4 address is present, the host will not have a 6to4
present on the host.

eived from the ISATAP router through stateless address auto-configuration. If the ISATAP router name is not resolved successfully, ISATAP

t configure this policy setting, the refresh rate is configured using the local settings on the computer. The default refresh rate is 30 second

work that includes a domain controller.

d throughput problems caused by Firewalls or other middle boxes.


d over all media. The default for this policy setting allows operations over all media.

ocked by this policy setting. In circumstances where there are multiple simultaneous connections to either the Internet or to a Windo
Manual connection attempts - When the computer is already connected to either a non-domain based network or a domain based n

d, the cost of Wireless LAN connections is Unrestricted by default.


nections is Fixed by default.
onnections is Fixed by default.
Internet. Also, see the "Custom support URL in the Printers folder's left pane" setting in this folder and the "Browse a common Web
ble Web Services printers on your network, ensure that network discovery is turned on. To turn on network discovery, click "Start", click "C

's printers. This setting is designed to prevent printers from being pruned when the computer is temporarily disconnected from the netwo

the server will simply pass the commands to the printer. This increases the workload of the client while decreasing the load on the server

(and other search criteria) to find a printer nearby. You can also use this setting to direct users to a particular printer or group of printers t
no effect. (To enable Web view, open the Printers folder, and, on the Tools menu, click Folder Options, click the General tab, and then clic
l between contact attempts. If you do not configure or disable this setting the default values will be used. Note: This setting is
on domain controllers.
ws two retries before deleting printers from Active Directory. You can use this setting to change the number of retries. If you enable
will not be allowed. Note: By applying this policy, existing kernel-mode drivers will be disabled upon installation of service packs or reinsta

oaded by the print spooler. Print drivers loaded by applications are not affected. - This policy setting takes effect without restarting the prin
pends on the version of Windows that you are using. By default, Windows Ultimate, Professional and Home SKUs will continue to search fo
you disable this policy setting, then print drivers will be loaded within all associated application processes. Notes: - This policy setting applies
the default value is every eight hours. If the computer has not responded by the last contact attempt, its printers are pruned from the dire
o print drivers loaded by the print spooler. Print drivers loaded by applications are not affected. - This policy setting takes effect without res
nt server. If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrato
nings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
d's Printer Name and Sharing Location screen and to the General tab in the Printer Properties dialog box. If you enable the Group Policy Co
announces a printer to a print browse master on the domain.
network. However, because non-Windows 2000 computers and computers in other domains cannot republish printers in Active Directory

ully qualified path and name of the XML file. You can type a local path, such as C:\StartLayouts\myLayout.xml or a UNC path, such as \\Ser
See "Supported on" for all supported versions.

enable this policy setting and choose "Workstation Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when yo

ready for power to be safely removed. If you disable or do not configure this policy setting, the computer system safely shuts down to a fu
etting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. This se
nds beginning with Windows Server 2003. Note: This feature might interfere with power configuration settings that turn off hard disks afte

Use a semicolon to separate folders. For example, to restrict the commands to only .chm files in the %windir%\help folder and D:\somefo
er Computer Configuration and User Configuration. If both settings are used, any programs listed in either of these locations cannot la
WIM file. If it is a WIM file, the location should be specified by prefixing the path with "wim:" and include the index of the image to use

Executable. This provides an additional security benefit, but HTML Help stops if DEP detects system memory abnormalities.
er configuration. If you do not configure this policy setting, users see a standard Access Denied message unless the file server is configured

ot configured Note: When this policy setting is enabled, any user with access to read the security events will be able to read the command
y computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB. FWlink for KB: h
r more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a
disable this policy setting, delegation of fresh credentials is not permitted to any machine. Note: The "Allow delegating fresh credentials" p
gation of fresh credentials is not permitted to any machine. Note: The "Allow delegating fresh credentials with NTLM-only server authentic
RMSRV/*). If you disable this policy setting, delegation of saved credentials is not permitted to any machine. Note: The "Allow delegating sa
is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any mach
se of a single wildcard character is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remot
The use of a single wildcard character is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com R
ot be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources
most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Adminis

the driver was created. If you disable this policy setting, drivers that are signed by a Microsoft Windows Publisher certificate are selected
search for a driver only if a driver is not locally available on the system.If you disable or do not configure this policy setting, members of th

o all policy settings that restrict device installation.


hat match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Preve
h these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation o

Prevent installation of devices for these device classes," or "Prevent installation of removable devices" policy setting.
es can be installed and updated as allowed or prevented by other policy settings.
this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
y setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remo

havior is observed and the NV cache is used for boot and resume optimizations. Note: This policy setting is applicable only if the NV cache f

ou disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriat
cache. Note: This policy setting is applicable only if the NV cache feature is on.

is policy setting turns on disk quota management but does not establish or enforce a particular disk quota limit. To specify a disk quota lim
forced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforce
but administrators can use the Quota tab option to change the setting. This policy setting is independent of the enforcement policy setting
ging setting. This policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detec
tab. This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users, or
xemptions" policy is not configured.
M will add it to the list without checking for errors. If you enable this policy setting, you can view and change the list of DCOM activation sec

going to Windows Update to search for device drivers.


r has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start
operty List in AD DS provides the default set of properties.

erated for files created on the system volume.


to function. If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders a
ames for these subfolders when redirecting the Start Menu or legacy My Documents folder. Note: This policy is valid only on Windows Vist
y to computers running Remote Desktop Services.
ing is applied, using the Group Policy Objects (GPOs) that are scoped to the computer. - An event log message (1109) is posted, stating tha
O. You can change this behavior by using this setting. If you enable this setting, the Group Policy Object Editor snap-in always uses local ADM
lied in the background after the network becomes available. Note that because this is a background refresh, extensions requiring synchro
en the update is transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause signi
when the update is transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause s
is transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. 2
ator the option to override the default to slow network connection and instead default to using a fast network connection in the case that
n when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can
n the update is transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause signifi
ransmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. The
rence items even when the update is transmitted across a slow network connection, such as a telephone line. Updates across slow conne
itted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do
etwork connection" option updates preference items even when the update is transmitted across a slow network connection, such as a te
this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies eve
s transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. 2
on of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the "Configure Group Policy Slow
d" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than
e is transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays
ection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line
the update is transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause signific
on updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates a
option updates preference items even when the update is transmitted across a slow network connection, such as a telephone line. Updat
minutes before running logon scripts.
rk connection" option updates preference items even when the update is transmitted across a slow network connection, such as a teleph
ms even when the update is transmitted across a slow network connection, such as a telephone line. Updates across slow connections ca
ction" option updates preference items even when the update is transmitted across a slow network connection, such as a telephone line.
low network connection" option updates preference items even when the update is transmitted across a slow network connection, such a
e items even when the update is transmitted across a slow network connection, such as a telephone line. Updates across slow connections
use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The "Process e
ate is transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delay
onnection" option updates preference items even when the update is transmitted across a slow network connection, such as a telephone
connection, such as a telephone line. Updates across slow connections can cause significant delays. The "Do not apply during periodic back
nd while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or sy
e is transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays
pdate is transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant de
e or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option up
n the update is transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause signifi
ng modes from the Mode box: "Replace" indicates that the user settings defined in the computer's Group Policy Objects replace the user se
mitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. The "Do
ing transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
in from the command line by typing RSOP.msc Note: This policy setting exists as both a User Configuration and Computer Configuration setti

version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the "Configure Group Policy
tter how this policy setting is configured. Also, see the "Set Group Policy refresh interval for computers" policy setting to change the policy
onds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not approp
ost installations. If you disable or do not configure this setting, the domain controller updates Group Policy every 5 minutes (the default). T
wait time. If you disable or do not configure this policy setting, Group Policy will use the default wait time of 30 seconds on computers runn
ny default or system-computed wait time. If you disable or do not configure this policy setting, Group Policy will use the default wait time o
start your computer for it to take effect.

ure this policy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup.
ment Console (MMC).
erence extension listed under User Configuration, you must provide a path in the "User trace" box to the location where a user trace file ca
eference extension listed under User Configuration, you must provide a path in the "User trace" box to the location where a user trace file
on listed under User Configuration, you must provide a path in the "User trace" box to the location where a user trace file can be created
nce extension listed under User Configuration, you must provide a path in the "User trace" box to the location where a user trace file can
eference extension listed under User Configuration, you must provide a path in the "User trace" box to the location where a user trace file
under User Configuration, you must provide a path in the "User trace" box to the location where a user trace file can be created on the clie
his preference extension listed under User Configuration, you must provide a path in the "User trace" box to the location where a user trac
on listed under User Configuration, you must provide a path in the "User trace" box to the location where a user trace file can be created o
sion listed under User Configuration, you must provide a path in the "User trace" box to the location where a user trace file can be created
ing: To perform tracing for items in this preference extension listed under User Configuration, you must provide a path in the "User trace"
ms in this preference extension listed under User Configuration, you must provide a path in the "User trace" box to the location where a u
n this preference extension listed under User Configuration, you must provide a path in the "User trace" box to the location where a user
his preference extension listed under User Configuration, you must provide a path in the "User trace" box to the location where a user trac
ion listed under User Configuration, you must provide a path in the "User trace" box to the location where a user trace file can be created
ms in this preference extension listed under User Configuration, you must provide a path in the "User trace" box to the location where a u
sion listed under User Configuration, you must provide a path in the "User trace" box to the location where a user trace file can be created
s in this preference extension listed under User Configuration, you must provide a path in the "User trace" box to the location where a use
sion listed under User Configuration, you must provide a path in the "User trace" box to the location where a user trace file can be created
xtension listed under User Configuration, you must provide a path in the "User trace" box to the location where a user trace file can be cre
nce extension listed under User Configuration, you must provide a path in the "User trace" box to the location where a user trace file can b

do not configure this policy setting, users can access the Windows Update website and enable automatic updating to receive notifications a
contact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities. If you disable or do not configur

played at the end of the description. If you disable or do not configure this policy setting, the user can click the hyperlink, which prompts th
Tablet PC user writing samples from the handwriting recognition personalization tool will automatically be shared with Microsoft. If you do
rs can report handwriting recognition errors to Microsoft.
ontent in the "Did you know?" section will remain static indefinitely without an Internet connection.
on to the Internet and has not disabled the Knowledge Base search from the Search Options page.

e user uses the web publishing or online ordering wizards. See the documentation for the web publishing and online ordering wizards for m

onfiguration/Administrative Templates/Printers.
try/region you live in).
ext and information about the search to Microsoft and the chosen search provider. Choosing Classic Search turns off the Search Companio

e setting is not shown. If you do not configure this policy setting, users have the choice to opt in and allow information to be collected.
you disable this policy setting, all users are opted into the Windows Customer Experience Improvement Program. If you do not configure th
ows Error Reporting" policy settings under Computer Configuration/Administrative Templates/Windows Components/Windows Error Rep
CSI runs one of the two active tests.
s Update for device drivers if a driver is not found locally. Note: This policy setting is replaced by "Specify Driver Source Search Order" in "A

authentication or armoring. If you configure the "Not supported" option, the domain controller does not support claims, compound authen
ons during user logon" policy setting is enabled. Note: Information about previous logons is provided only if the domain functional level is W
re this policy setting, domain controllers will return service tickets that contain compound authentication any time the client sends a comp
ame is not found, NTLM authentication might be used. To ensure consistent behavior, this policy setting must be supported and set identic
or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy. If you disable or do not configure
e this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication req
emove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the cu
s and host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Va

erberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. I
e compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients u
joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.50
cy setting, any service is allowed to accept incoming connections by using this system-generated SPN.
s client or server uses the locally configured value or the default value. Note: This policy setting configures the existing MaxTokenSize regis
using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a
ed for this computer account. Automatic: Compound authentication is provided for this computer account when one or more applications

ser locale, but they can still select a replacement locale if one is installed. If you disable or do not configure this policy setting, the user can
this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the com
ocale only from the specified system locale list. If you disable or do not configure this policy setting, administrators can select any system lo
a) and French (Canada). If you enable this policy setting, only locales in the specified locale list can be selected by users. If you disable or do
user may choose. If you disable or don't configure this policy setting, the user cannot configure the amount of time after the device's scre

irection take two logons to apply changes. To be able to operate safely, these extensions require that no users be logged on. Therefore, th
on domain is always set to the domain to which the computer is joined.

dows 2000 Server. Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured

n the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configu
ration takes precedence over the policy setting in User Configuration. Note: Customized run-once lists are stored in the registry in HKEY_LO

tion purposes.If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authe

not configure this policy setting, the user will have to start the appropriate programs after logon. Note: This setting appears in the Comput
e the opt-in prompt for services. If you do not configure this policy setting, the user who completes the initial Windows setup will see the a

sound is turned on for all users by default and is customizable in the Sound item of Control Panel. This policy setting does not prevent use

negotiation and use of older cryptography algorithms compatible with Windows NT 4.0. However, using the older algorithms represents
t to verify any passwords with the PDC emulator. If you do not configure this policy setting, it is not applied to any DCs.
hared read access to files on the share when exclusive access is requested. Note: The Netlogon share is a share created by the Net Logon se
tic discovery of DCs in a trusted domain. To enable the setting, click Enabled, and then specify the interval in seconds.
ess to files on the share when exclusive access is requested. Note: The SYSVOL share is a share created by the Net Logon service for use by

even when none are available.


setting is to always refresh (0).

setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. Warning: If the value for this setting is too small, a c
he value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is
s setting is smaller than the value specified for the Initial DC Discovery Retry Setting, the Initial DC Discovery Retry Setting is used. Warning

setting once all DCs are running the same OS version. The allowable values for this setting result in the following behaviors: 1 - Computers w
based on a NetBIOS domain name is not required. This policy setting does not affect DC location based on DNS names. If you enable this p
nded). For these reasons, NetBIOS-based discovery is not recommended. Note that this policy setting does not affect NetBIOS-based discov
nditions DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing
e the default behavior and enforce to return only IPv4 DC address. Once applications are fixed, this policy can be used to enable the defau
u do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.

Weight in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 65535. If you do not con
ress lookup to discover additional client IP addresses. 2 - DCs will perform a fast, DNS-only address lookup to discover additional client IP ad
tcp.gc._msdcs.<DnsForestName> GcAtSite SRV _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName> DcByGuid SRV _ldap

he DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the
d to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow
d replication. To specify the sites covered by the DC Locator DNS SRV records, click Enabled, and then enter the sites names in a space-delim
figure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory
te-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost. If you enable this polic
specific DC Locator DNS SRV records for any other sites but their own. If you do not configure this policy setting, it is not applied to any DCs
not enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a
his policy setting, computers to which this setting is applied will use the AllowDnsSuffixSearch policy, if it is not disabled or perform NetBIO
curing. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
curing. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.

. If you disable this policy setting, the items "Use a system image you created earlier to recover your computer" and "Reinstall Windows
. If you do not configure this policy setting, users can configure the setting in System Properties in the Control Panel.
o ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control th
Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settin
the user sees the default warning message.
d. If you disable this policy setting, application-based settings are used. If you do not configure this policy setting, application-based setting

tion information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service. If you
his policy setting, the RPC Runtime will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to serv
ote: Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of me
ate an error condition. If you enable this policy setting, the RPC runtime will generate extended error information. You must select an erro
s Server versions that support this policy setting. If you do not configure this policy setting, it remains disabled. The RPC server runtime wi
ws XP SP1 or higher versions. If either the RPC Client or the RPC Server or the RPC HTTP Proxy run on an older version of Windows, this pol
n startup, whether this policy setting is enabled or not.
y setting set in Computer Configuration takes precedence over the policy setting set in User Configuration.
her the "Run startup scripts visible" policy setting is enabled or not.
s: GPO B: B.cmd, B.ps1 GPO C: C.cmd, C.ps1 Assume also that there are two computers, DesktopIT and DesktopSales. For DesktopIT, GPOs A
e also that there are two users, Qin Hong and Tamara Johnston. For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B an
0. This interval is particularly important when other system tasks must wait while the scripts complete. By default, each startup script mu
s] setting (in Windows Server 2012) that is configured in the Server Manager console. If you disable this policy setting, Server Manager
gon" option, the window is not displayed on subsequent logons.
nsole is not displayed automatically at logon. Note: Regardless of the status of this policy setting, Server Manager is available from the Sta

more smoothly.
on. Also, see the "Turn off System Restore" policy setting. If the "Turn off System Restore" policy setting is enabled, the "Turn off System R
gs through System Protection. Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy se
ows cannot detect, troubleshoot, or resolve any problems that are handled by the DPS. If you do not configure this policy setting, the DPS e
g state. When the service is stopped or disabled, diagnostic scenario data will not be deleted. The DPS can be configured with the Service

to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. Note:

roubleshooting of corrupted files will automatically start with no UI. Recovery is not attempted automatically. Windows will log an adminis
nostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS
e action is taken. If you do not configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default. This policy setting takes
ed. This policy setting takes effect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, d
tting to take effect. Changes take effect immediately. This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in th
setting for local and remote troubleshooting, MSDT always prompts for additional tool downloading. If you disable this policy setting, MSD
required for this policy setting to take effect. Changes take effect immediately.
eration and is the default recovery behavior on Windows server. Troubleshooting Only: Detection and verification of file corruption will be
his policy setting, local troubleshooting preferences will take precedence, as configured in the control panel. If no local troubleshooting pr

sable this policy setting, users can only access and search troubleshooting content that is available locally on their computers, even if they
ou disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Boot Performance problems that a
n to the Microsoft Management Console. No operating system restart or service restart is required for this policy to take effect. Changes ta

ution is available. If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Resource Exh
n is available. If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Shutdown Perform
at assisted resolution is available. If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Window
is available. If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows System Responsive
he TPM owner authorization in the registry of the local computer according to the operating system managed TPM authentication settin
mands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-configure
unning "tpm.msc" or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Group Policy list of
s. If you disable or do not configure this policy setting, Windows will block the TPM commands found in the local list, in addition to comma
ard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures
mmand to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than this dura
ch time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Author
to the domain and the AD DS backup succeeds. If you disable or do not configure this policy setting, TPM owner information will not be ba
p is also given full control to the user's profile folder. If you disable or do not configure this policy setting, only the user is given full control
re considering the connection to be slow. If you disable or do not configure this policy setting, Windows considers the network connection
gs off. The roaming profile still remains on the network server that stores it. If you disable or do not configure this policy setting, Windows

olicy setting or do not configure it, slow link detection is enabled. The system measures the speed of the connection between the user's co
s 2000 Professional SP4 and Windows XP SP1, the default behavior is to check the folder for the correct permissions if the profile folder al
ou disable or do not configure this policy setting, Windows will always unload the user's registry at logoff, even if there are any open handle
file when Windows cannot load their user profile. Also, see the "Delete cached copies of roaming profiles" policy setting.
rsion of the Active Directory schema to function. If you enable this policy setting and the user has a roaming profile, the roaming profile is
put before using a default user profile for roaming user profiles. The default timeout value is 30 seconds. To use this policy setting, type the
l not delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. T
ond) to unload and update the registry settings. By default, the system repeats its periodic attempts 60 times (over the course of one minu
following occurs on the affected computer: At first logon, the user receives a new local profile, rather than the roaming profile. At logoff,
enable this policy setting, changes a user makes to their roaming profile aren't merged with the server (roaming) copy when the user logs
the logon screen and the user must choose whether to download the remote user profile before Windows detects the network connectio
policy setting. Setting the value to zero causes Windows to proceed without waiting for the network. If you disable or do not configure this
ble this policy setting, all users logging on this computer will use the roaming profile path specified in this policy. If you disable or do not con
egistry file of the roaming user profile is uploaded to the server every six hours while the user is logged on. If "Run at specified time of day"
meFolder) in the Path box. Do not specify environment variables or ellipses in the path. Also, do not specify a placeholder for the user name

er's name and account picture will not be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterpris
em loads the local copy of the roaming user profile. The local copy is also used when the user is consulted (as set in the "Prompt user whe

value is set to 50 MB on Windows XP Professional and is unlimited (4294967295 MB) on Windows Server 2003.
his policy setting affects file scanning only. It does not affect the standard background file change detection that Windows File Protection p

he W32time corrects the local clock's frequency. Lower values cause slower corrections; larger values cause more frequent corrections. Va
Time Service Group Policy Settings. The default value is "time.windows.com,0x09". Type: This value controls the authentication that W32

u can select the certificate errors that you want to ignore. Note: This policy setting applies to all sites in Trusted zones.

olicy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when usin
ote: Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto U

is increased. If the status is set to Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications

result in a blue screen if an old anti-virus application is installed.) The Windows Resource Protection and User Account Control features of

rogram is turned off. The Inventory Collector will be off.


r performance and are already aware of application compatibility issues. If you disable or do not configure this policy setting, the PCA will b

ll be turned on. Please reboot the system after changing the setting to ensure that your system accurately reflects those changes.

og. If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to: a) C
, or disabled on all drives. This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Aut
d create a password recovery disk; this will prevent data loss in the event that someone forgets their logon credentials.
ss in the event that someone forgets their logon credentials.
biometrics should create a password recovery disk; this will prevent data loss in the event that someone forgets their logon credentials.

s top-level folder view. If you disable or do not configure this policy setting, the BitLocker setup wizard will display the computer's top-level
drives. If you disable or do not configure this policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as th
d key cipher strength for BitLocker to use to encrypt drives. If you disable or do not configure this policy setting, BitLocker will use the defau
users for recovering BitLocker encrypted data. Saving to a USB flash drive will store the 48-digit recovery password as a text file and the 2

to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matc
hema extensions and access control settings on the domain before AD DS backup can succeed. More information about setting up AD DS b
he certificate it must be set to an object identifier (OID) that matches the OID configured for BitLocker. If you enable this policy setting, the
olicy setting is enabled, select the "Do not install BitLocker To Go Reader on FAT formatted fixed drives" check box to help prevent users fr
a recovery agents. In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed
er suites used with hardware-based encryption. If you disable this policy setting, BitLocker cannot use hardware-based encryption with op
a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive. If you enable this policy setting, users can
ticate their access to BitLocker-protected fixed data drives. If you do not configure this policy setting, smart cards can be used to authentica

option will not be presented in the BitLocker setup wizard. If you disable or do not configure this policy setting, the BitLocker setup wizard

e. The Network Unlock certificate is used to create Network Key Protectors, and protects the information exchanged with the server to un
m integrity validation, even on systems capable of Secure Boot-based integrity validation. When this policy is enabled and the hardware is c
hNet for more information about adding data recovery agents. In "Configure user storage of BitLocker recovery information" select whethe

and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be pr
profile for native UEFI firmware configurations" group policy setting to configure the TPM PCR profile for computers using native UEFI firm
figurations" group policy setting to configure the TPM PCR profile for computers with BIOS configurations or computers with UEFI firmwar
nd cipher suites used with hardware-based encryption. If you disable this policy setting, BitLocker cannot use hardware-based encryption w
when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive. If you enable this policy se

Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Wind
option will not be presented in the BitLocker setup wizard. If you disable or do not configure this policy setting, the BitLocker setup wizard
ncrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and th
users to enter a 4-digit to 20-digit startup personal identification number (PIN). A USB flash drive containing a startup key is needed on com

up policy, the "Use enhanced Boot Configuration Data validation profile" group policy is ignored. The setting that controls boot debugging (
When this policy setting is enabled, select the "Do not install BitLocker To Go Reader on FAT formatted removable drives" check box to hel
adding data recovery agents. In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or
d cipher suites used with hardware-based encryption. If you disable this policy setting, BitLocker cannot use hardware-based encryption w
ing a drive with any of the protectors available on the drive. If you enable this policy setting, users can configure a password that meets the
authenticate their access to BitLocker-protected removable data drives. If you do not configure this policy setting, smart cards are availabl
Drive Encryption Deployment Guide on Microsoft TechNet for more information on suspending BitLocker protection. If you do not configu
identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting. If you disable or d
option will not be presented in the BitLocker setup wizard. If you disable or do not configure this policy setting, the BitLocker setup wizard
and applications that use the Windows system controls, including Internet Explorer.

ss to the user's Windows credentials.


e or do not configure this policy setting, Windows SmartScreen behavior is managed by administrators on the PC by using Windows SmartS

me. If the policy is enabled, disabled, or not configured, users will still be able to override default file type and protocol associations.

tting the protocol is in the protected mode, allowing applications to only open a limited set of folders. If you do not configure this policy se
tions as if both new and old locations point to different shares when their network paths are different. Note: If the paths point to different

ve when the previous version is of a local file and stored on the backup.
on is of a file on a file share.

that require IIS to run.

re whole numbers from 1 through 600. The default value, if the policy setting is enabled, is 120.
e specified for the number of retries are whole numbers 0 through 9. The default value, if the policy setting is enabled, is 3.

nchronize changes to UNIX-based user account passwords based upon how the "Windows to NIS (Active Directory) password synchronizati

configuration. If you do not configure this setting, users who are members of the Administrators group can make changes using the Windo
licy setting, Windows presentation settings can be invoked.
RDS Endpoint Servers group on the license server. By default, the RDS Endpoint Servers group is empty. If you disable or do not configure th
erver 2003. By default, if the most appropriate RDS CAL is not available for a connection, a Windows Server 2008 license server will issue a
a message that the publisher has been blocked.
ed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user sta
D Session Host server cannot be authenticated, the user is prompted to choose whether to connect to the RD Session Host server without

nt computer and on the RD Session Host server to provide credentials, clear the Always prompt for password check box on the Log on Setti
ou can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting f

ch they are received.

on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System pro
omatic reconnection using the "Reconnect if connection is dropped" checkbox on the Experience tab in Remote Desktop Connection.
e. If you enable this policy setting, you must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the serv
s can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line.
mote Desktop Services sessions. To use this setting, enter the number of connections you want to specify as the maximum for the server. T

isable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol will not try to determine the network quality at th
r delivering the best user experience.
on of a remote user with the user's consent. 5. View Session without user's permission: Allows the administrator to watch the session of a
he background.

deo playback redirection is not allowed when connecting to a computer running Windows Server 2008 R2, Windows Server 2008, or Wind
ndows 7, or Windows Server 2008 R2. If you enable this policy setting, audio recording redirection is allowed. If you disable this policy setti
t a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 and later.
d at the Group Policy level.
ort redirection is not specified at the Group Policy level.
ou disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clip

ect their supported Plug and Play devices to the remote computer. Note: You can disable redirection of specific types of supported Plug an
evel of compression that is determined by the bandwidth of the remote connection. The audio playback quality that you specify on the rem
o not configure this policy setting, these notifications will be displayed on the RD Session Host server after you log on as a local administrat
. If you disable or do not configure this policy setting, the licensing mode is not specified at the Group Policy level.
. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server. If you disable
nt printer mapping is not specified at the Group Policy level.
ure this policy setting, the default printer is not specified at the Group Policy level.

is not found" - If there is a printer driver mismatch, the server will attempt to find a suitable driver. If one is not found, the client's printer
s policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server do
ming user profile cache is checked. When the size of the entire roaming user profile cache exceeds the maximum size that you have specifi
he account name of each user. To configure this policy setting, type the path to the network share in the form of \\Computername\Sharen
otes), without environment variables or ellipses. Do not specify a placeholder for user alias, because Remote Desktop Services automatical
to take effect, you must also enable and configure the "Set path for Remote Desktop Services Roaming User Profile" policy setting.
pecify the name of a farm in RD Connection Broker. If you disable or do not configure this policy setting, the farm name is not specified at t
-colon separated list of the FQDNs of all the RD Connection Broker servers. If you disable or do not configure this policy setting, the policy
ver name policy setting. If you disable this policy setting, the server does not join a farm in RD Connection Broker, and user session tracking
ect directly by IP address to RD Session Host servers in the farm. If you disable this policy setting, the IP address of the RD Session Host serv
n existing session log on to the first RD Session Host server to which they connect. If you do not configure this policy setting, you can config
ktop sessions. On the client computer, you can configure desktop composition on the Experience tab in Remote Desktop Connection (RDC
al program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is no
ances memory usage and network bandwidth. In Windows 8 only the compression algorithm that balances memory usage and bandwidth
uality images and consumes moderate network bandwidth. If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive

op Connection (RDC) or by using the "allow font smoothing" setting in a Remote Desktop Protocol (.rdp) file. If you enable this policy setti
on-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. Th
op Services session. If the status is set to Disabled, wallpaper might appear in a Remote Desktop Services session, depending on the client c
pth supported by the client will be used. If you disable or do not configure this policy setting, the color depth for connections is not spe
o display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop
p Policy level.
ent users from using other methods to disconnect from a Remote Desktop Services session. This policy setting also does not prevent discon

y logged off. To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run w
shed as RemoteApp programs do not support these advanced graphics.
unit (GPU) on a computer with more than one GPU installed. All additional GPUs are considered secondary adapters and used as hardware
compression scheme. If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and R
s sessions are optimized for rich multimedia.
andwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. By default, Remote Desktop Con
r a password to log on. If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying the
ns to the user security descriptors by using the Remote Desktop Session WMI Provider. Note: The preferred method of managing user acce
that do not respond to the request. If the status is set to Not Configured, unsecured communication is allowed. Note: The RPC interface is u
er. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host s
onnection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authe
ficate selection only occurs when a specific certificate has not been selected. If no certificate can be found that was created with the specifi
e this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Client
essions policy settings. If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. If you disa
or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows
olicy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain acti
sconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected se
ill be logged off from the RD Session Host server. If the user starts a RemoteApp program before the time limit is reached, the user will rec
policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by
or all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer. If you

lete a feed or Web Slice by using the Feed APIs.

cale ID of your WSS Service. For example, the English locale ID is 1033. http://sitename/_layouts/XXXX/searchresults.aspx?SearchString=$w
our intranet search service is Windows SharePoint Services (WSS), the query should resemble the following, where XXXX is the locale ID of
mpletely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index

tered connections, and if the web results are displayed in Search. Note: If you enable the "Don't search the web or display web results in S
f online delegate mailboxes. Online delegate mailboxes are managed separately from online mailboxes. The "Enable Indexing of Uncached

items per minute. This policy has no effect on mail items when using Microsoft Office Outlook in cached mode.
for information about how to set up the initial machine preference.

vironment, this setting is redundant because non-administrative users do not have permission to install new components. If your users ha

e or don't configure this policy setting, users can choose what information is shared in Search.

a Windows domain. When a computer is not joined to a Windows domain, the policy setting will have no effect. If you do not configure this
0 through 23; minutes, 0 through 59. The default value, if the policy setting is enabled, is one day.

es that contain the smart card logon object identifier can be used to log on with a smart card.
sociated ECDH key to permit logons when you are not connected to the network.

t valid will not be listed on the logon screen.

nd this policy is enabled then the certificate that is used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown
e set of the CSP. If you disable or do not configure this setting, Windows will only attempt to read the default certificate from those cards t

ization. If you enable this policy setting or do not configure this setting, then the subject name will be reversed. If you disable, the subject
sable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Opti
area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. If
where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. If you do not configur
e, Kanji, and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to
tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options. C
configure this setting in the Input Panel Options dialog box. If you do not configure this policy, application auto complete lists will appear n
is setting, all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box
e to configure this setting in the Input Panel Options dialog box. If you enable this policy and choose "Tolerant," users will be able to
ove will be available.

ed by having the property sheet displayed automatically. Note that the checkbox is not checked by default even if this setting is Disabled o
folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. Tip

tant: This setting does not prevent users from creating a new task by pasting or dragging any program into the Scheduled Tasks folder. To
nd User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in
e computers.
e if antivirus and antispyware definitions are enabled. If at least one is enabled, the service will remain running. If both are disabled, the se

ed by the local administrator.

n minutes.

t unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you. Possible options are

ance. If you enable or do not configure this setting, definition retirement will be enabled. If you disable this setting, definition retirement w

d outgoing files (default) 1 = Scan incoming files only 2 = Scan outgoing files only Any other value, or if the value does not exist, resolves to t
eduled full scans will be turned off.
scheduled quick scans will be turned off.

and no sources will be contacted.

have passed without an update.


d without an update.
ing sources in the list will not be contacted. If you disable or do not configure this setting, definition update sources will be contacted in a d

etting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied f

settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for W
his policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are runni

d report data until the computer is connected to a more permanent power source.

ting information is stored.


e in Control Panel. If Queuing behavior is set to Always queue for administrator, reports are queued until an administrator is prompted to s
opdown list. The Windows applications category is a subset of Microsoft applications. If you disable or do not configure this policy setting,
s that are always included in error reporting. To add applications to the list, click Show under the Report errors for applications on this list
s enabled, the Exclude errors for applications on this list setting takes precedence. If you disable or do not configure this policy setting, erro
ons in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application error

the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probab
ameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prom

o change a protected option, it stops the installation and displays a message. These security features operate only when the installation p
do not configure this policy setting, by default, only system administrators can browse during installations with elevated privileges, such a
s. This policy setting does not affect installations that run in the user's security context. By default, users can install patches to programs th
stallation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Re
re this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not dist
remain on disk and will be deleted when the product is removed. If you set the baseline cache to 100, the Windows Installer will use av
dded as a new leaf feature to an existing feature tree. If you disable or do not configure this policy setting, the Windows Installer will use le

eges, such as those offered on the desktop or in Add or Remove Programs. Also, see the "Enable user to patch elevated products" policy se

uter only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether
sers from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, be
used. -- The "Restart Manager Off for Legacy App Setup" option applies to packages that were created for Windows Installer versions lesse
omputer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile
ntext. But only system administrators can browse when an installation is running with elevated system privileges, such as installations offe
designed for enterprises to prevent unauthorized or malicious editing of transform files. If you disable this policy setting, Windows Installer
d by the letters "iweap."
nstalling the application.
cified via the MsiLogging policy. Log files can still be generated using the logging command line switch or the Logging policy. If you disable o

ly" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them
plications running on the secure desktop can simulate the SAS.
oft Windows desktop. For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level d

ws Update restart. The users' lock screen apps are not restarted after the system restarts.

nerated locally in this scenario. When this policy is either disabled or not configured, Windows Media DRM functions normally and will con
chor window are not available.

eo smoothing is available only on the Windows XP Home Edition and Windows XP Professional operating systems.

t users to use Windows Messenger, enable the "Do not allow Windows Messenger to run" policy setting. Note: This policy setting is availab

ditor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
etting is not configured, the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a m
under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has prece

ter, regardless of whether or not any WinRM listeners are configured. The service listens on the addresses specified by the IPv4 and IPv6 fi

set for plug-ins and the RunAsPassword value will be stored securely. If you enable and then disable this policy setting, any values that were
uest containing an invalid channel binding token is rejected. However, a request that does not contain a channel binding token is accepte
tes that contain User Interface, End User License Agreement, or Windows Update setting changes. There are two situations where the eff
soft update service must always be signed by Microsoft and are not affected by this policy setting. Note: This policy is not supported on Wi

The "Specify intranet Microsoft update service location" setting must be enabled for this policy to have effect. Note: If the "Configure Auto
updates. 3 = (Default setting) Download the updates automatically and notify when they are ready to be installed Windows finds u

n at the time the user selects the Shut Down option in the Start menu. Note that this policy setting has no impact if the Computer Configura

Note: This policy applies only when the intranet Microsoft update service this computer is directed to is configured to support client-side ta
ll deadline occurs. The system will not wake unless there are updates to be installed. If the system is on battery power, when Windows Up
restart in 5 minutes to complete the installation. Note: This policy applies only when Automatic Updates is configured to perform schedule

scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
Enabled, the Automatic Updates client connects to the specified intranet Microsoft update service, instead of Windows Update, to search

tion about the software or install it. The user can also click "Close this message" or "Show me later" to defer the notification as appropriate
tting does not apply to a user, Work Folders is not automatically set up. If you disable or do not configure this policy setting, Work Folde
conditionally in Enterprise and Server SKUs.

Input Panel is collected and stored. Note: Automatic learning of both text and ink might not be available for all languages, even when ha

o act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it is possible to con

caching" policy setting is disabled or not configured.

ng is disabled or not configured.

able or do not configure this policy setting, BITS uses all available unused bandwidth. Note: You should base the limit on the speed o
maximum network bandwidth used for peer caching. If you disable this policy setting or do not configure it, the default value of 30 p
ed by services and the local administrator account do not count toward this limit.

oaming. The values that can be assigned are: - Always transfer - Transfer unless roaming - Transfer unless surc
le or do not configure this policy setting, the limits defined for work or nonwork schedules will be used. Note: The bandwidth limits t
example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, an
timeout to specified number of days. If you disable or do not configure this policy setting, the default value of 90 (days) will be used fo
llowing: - Not Configured. With this selection, BranchCache latency settings are not applied to client computers by this policy. In the circum
etting is not applied to client computers, and the clients run the version of BranchCache that is included with their operating system. - Ena
policy setting to take effect, you must also enable the "Turn on BranchCache" policy setting. This policy setting can only be applied to client
t computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mod
cal computer policy to enable BranchCache client computer cache age settings on individual client computers. Because the domain Group
ble BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local com
o client computers by this policy. In the circumstance where client computers are domain members but you do not want to enable Branch
onfigured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache client computer cache setti
d for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Be
tion of the local DNS client's primary domain suffix, a connection-specific domain suffix, and a DNS suffix search list. If attaching suffixes is a
appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.mic
vidual network connections.

works higher in the binding order. Note: This policy setting is applicable only if the turn off smart multi-homed name resolution policy setti
primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined.
Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. Devolution is not enabled if a global suffix search list is co
suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. Devolution is not ena
rimary DNS suffix. This applies to all network connections used by computers that receive this policy setting. For example, with a computer
ation succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successfu
nger than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records. To specify the registra
ource record that has the client's current IP address. If you enable this policy setting or if you do not configure this policy setting, DNS clien

ng DNS, LLMNR and NetBT queries.

used, clients try to use secure update.


resource records that the computer needs to update.

s. Because the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on individual servers w
ngs are not applied to client computers by this policy setting. In this circumstance, which is the default, both V1 and V2 hash generation an
ons instead. If you disable or do not configure this policy setting, the default behavior of LLTDIO will apply.
while in public network" and "Prohibit operation while in private network" options instead. If you disable or do not configure this policy setti

server list empty, leave the checkbox unchecked. 2. In order to use a corporate seed server only, enable the setting; insert the fully qualifie
this setting is not configured, the protocol will revert to using a public registry key to determine whether it will publish the computer or w
is cloud to publish or resolve names regardless of whether the computer has an IPv6 address that matches the cloud scope. If you disable o

t. If this setting is not configured, the protocol will revert to using a public registry key to determine whether it will publish the computer or
is cloud to publish or resolve names regardless of whether the computer has an IPv6 address that matches the cloud scope. If you disable o

t. If this setting is not configured, the protocol will revert to using a public registry key to determine whether it will publish the computer or
is cloud to publish or resolve names regardless of whether the computer has an IPv6 address that matches the cloud scope. If you disable o

bling this setting does not remove an existing Network Bridge from the user's computer.
this setting, Internet Connection Firewall cannot be enabled or configured by users (including administrators), and the Internet Connectio
able this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properti

etwork. If you do not configure this policy setting, traffic between remote client computers running DirectAccess and the Internet is not ro
Descriptor Definition Language (SDDL) strings. For more information about the SDDL format, see the Windows Firewall deployment inform
esult, utilities that use the blocked ICMP messages will not be able to send those messages to or from this computer. If you enable this pol
st, Windows Firewall does not open the port. In the Windows Firewall component of Control Panel, the "File and Printer Sharing" check bo
l connections to SVCHOST.EXE and LSASS.EXE. If you enable this policy setting, Windows Firewall allows the computer to receive the unsoli
n the Windows Firewall component of Control Panel, the "Remote Desktop" check box is cleared and administrators cannot select it. If you
ese ports by adding them to a local port exceptions list, Windows Firewall does not open the ports. In the Windows Firewall component o
the Group Policy Object Editor snap-in and configure Computer Configuration\Windows Settings\Security Settings\Windows Firewall with
les from applying, use the Group Policy Object Editor snap-in and configure Computer Configuration\Windows Settings\Security Settings\W
g file is %systemroot%\system32\LogFiles\Firewall\pfirewall.log. If you disable this policy setting, Windows Firewall does not record inform
m the list and add a new one with different parameters. To allow administrators to add ports to the local port exceptions list that is defined
n. To add a program, enable the policy setting, note the syntax, click the Show button. In the Show Contents dialog box type a definition st
mponent of Control Panel, the "Block all incoming connections" check box is cleared and administrators cannot select it. If you do not config
w program" check box is selected by default, and administrators can change it.
ways permits those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that detect name confl

esult, utilities that use the blocked ICMP messages will not be able to send those messages to or from this computer. If you enable this pol
st, Windows Firewall does not open the port. In the Windows Firewall component of Control Panel, the "File and Printer Sharing" check bo
l connections to SVCHOST.EXE and LSASS.EXE. If you enable this policy setting, Windows Firewall allows the computer to receive the unsoli
n the Windows Firewall component of Control Panel, the "Remote Desktop" check box is cleared and administrators cannot select it. If you
ese ports by adding them to a local port exceptions list, Windows Firewall does not open the ports. In the Windows Firewall component o
the Group Policy Object Editor snap-in and configure Computer Configuration\Windows Settings\Security Settings\Windows Firewall with
les from applying, use the Group Policy Object Editor snap-in and configure Computer Configuration\Windows Settings\Security Settings\W
g file is %systemroot%\system32\LogFiles\Firewall\pfirewall.log. If you disable this policy setting, Windows Firewall does not record inform
m the list and add a new one with different parameters. To allow administrators to add ports to the local port exceptions list that is defined
n. To add a program, enable the policy setting, note the syntax, click the Show button. In the Show Contents dialog box type a definition st
mponent of Control Panel, the "Block all incoming connections" check box is cleared and administrators cannot select it. If you do not config
w program" check box is selected by default, and administrators can change it.
ways permits those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that detect name confl

do not configure this policy setting, apps will use the Internet proxies auto-discovered by Windows Network Isolation. Example: [3efe:302

ative" policy setting. If you disable or do not configure this policy setting, Windows Network Isolation attempts to automatically discover yo

tting, users can work offline by default, but they can change this option. This setting appears in the Computer Configuration and User Config

h the server on a regular basis. You can also configure Background Sync for network shares that are in user selected Work Offline mode. Thi
, if you want to set a threshold value of 128,000 bps, enter a value of 1280.
mode by specifying threshold values for Throughput (in bits per second) and/or Latency (in milliseconds) for specific UNC paths. We recom
0 percent of the space on the system drive.If you do not configure this setting, disk space for automatically cached files is limited to 10 per
network connection to the server is slow. For example, you can configure a value of 60 ms as the round trip latency of the network above
Locker Drive Encryption while on the server. The cached copy on the local computer is affected, but the associated network copy is not. Th
the local computer is connected and disconnected from the network. "3" also records an event when the server hosting the offline file is re
ns with a semicolon (;). Note: To make changes to this setting effective, you must log off and log on again.

em limits the space that offline files occupy to 25 percent of the total space on the drive where the Offline Files cache is located. The limit
Computer and User configuration take precedence over a user's setting. This setting does not prevent users from setting custom actions
onfiguration. Tip: To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, a
rovides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not ha
nder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offl

ndows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista.
available for all files and folders. Notes: This policy setting appears in the Computer Configuration and User Configuration folders. If both p

d folders for offline use). If you do not configure this policy setting, no files or folders are made available for offline use by Group Policy. Not

User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User
ot configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronizatio

disables the "Enable reminders" option on the Offline Files tab. This setting appears in the Computer Configuration and User Configuration f

is allowed for the community. If you disable or do not configure this policy setting, the SNMP service takes the Valid Communities configur
nfigured on the local computer instead. Best practice: For security purposes, it is recommended to restrict the HKLM\SOFTWARE\Policies\S
ervice takes the trap configuration configured on the local computer instead. Note: This setting has no effect if the SNMP agent is not instal
CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_E

the host will not have a 6to4 interface. If no global IPv6 address is present and a global IPv4 address is present, the host will have a 6to4 i

resolved successfully, ISATAP connectivity is not available on the host using the corresponding IPv4 address. Policy Enabled State: If the IS

fault refresh rate is 30 seconds.

her the Internet or to a Windows domain, Windows disconnects the less preferred connection when the amount of network traffic over th
network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additiona

the "Browse a common Web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers.
discovery, click "Start", click "Control Panel", and then click "Network and Internet". On the "Network and Internet" page, click "Network a

disconnected from the network. Note: You can use the "Directory Pruning Interval" and "Directory Pruning Retry" settings to adjust

reasing the load on the server. If you do not enable this policy setting, the behavior is the same as disabling it. Note: This policy does not de

r printer or group of printers that you want them to use. If you disable this setting or do not configure it, and the user does not type a
the General tab, and then click "Enable Web content in folders.") Also, see the "Activate Internet printing" setting in this setting folde
ed. Note: This setting is used only on domain controllers.

of retries. If you enable this setting, you can change the interval between attempts. If you do not configure or disable this setti
tion of service packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode printer drivers

ect without restarting the print spooler service.


KUs will continue to search for compatible Point and Print drivers from Windows Update, if needed. However, you must explicitly enable t
tes: -This policy setting applies only to applications opted into isolation. -This policy setting applies only to print drivers loaded by applicatio
nters are pruned from the directory. If you enable this policy setting, the contact events are recorded in the event log. If you disa
etting takes effect without restarting the print spooler service.
d by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that ar
n drivers need to be updated. If you do not configure this policy setting: -Windows Vista client computers can point and print to
ou enable the Group Policy Computer location setting, the default location you entered appears in the Location field by default. If you disab

sh printers in Active Directory automatically, by default, the system never prunes their printer objects. You can enable this setting to

ml or a UNC path, such as \\Server\Share\Layout.xml. If the specified file is not available when the user logs on, the layout won't be change

t Tracker is displayed when you shut down a computer running a client version of Windows. (See "Supported on" for supported versions.)

stem safely shuts down to a fully powered-off state.


ctions, or it might stop. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured,
gs that turn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control Panel.

r%\help folder and D:\somefolder, add the following string to the edit box: "%windir%\help;D:\somefolder". Note: An environment va
er of these locations cannot be launched from Help
e the index of the image to use in the WIM file. For example "wim:\\server\share\install.wim:3". If you disable or do not configure this

y abnormalities.
ss the file server is configured to display the customized Access Denied message. By default, users see the standard Access Denied messag

be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or priva
mation, see KB. FWlink for KB: http://go.microsoft.com/fwlink/?LinkId=301508 Note: The "Allow delegating default credentials" policy settin
an be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: TERMSRV/host.humanresource
delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target serve
h NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the targe
Note: The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represent
is not permitted to any machine. If you disable this policy setting, delegation of saved credentials is not permitted to any machine. Note: T
sources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine TERMSRV/* Remote Deskto
manresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine TERMSRV/* Remote D
RMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine TERM
CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials

lisher certificate are selected for installation over drivers that are signed by other Authenticode certificates.
policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for de

s" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop ser
or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy s

ote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devic

pplicable only if the NV cache feature is on.

r the NV cache are appropriately configured. Note: This policy setting will take effect on next boot. If you do not configure this policy setting

mit. To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical sp
When users reach an unenforced limit, their status in the Quota Entries window changes, but they can continue to write to the volume as lo
the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you ch
logged event, users can detect that they have reached their warning level because their status in the Quota Entries window changes. Note
ota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties). I

he list of DCOM activation security check exemptions defined by Group Policy settings. If you add an appid to this list and set its value to 1

unch Antimalware boot-start driver.If you enable this policy setting you will be able to choose which boot-start drivers to initialize the nex
Pictures folders, the folders are redirected on the user's primary computer only. If you disable or do not configure this policy setting and th
is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already d

e (1109) is posted, stating that loopback was invoked in Replace mode. If you enable this policy setting, the behavior is exactly the same as
snap-in always uses local ADM files in your %windir%\inf directory when editing GPOs. This leads to the following behavior: - If you had or
h, extensions requiring synchronous processing such as Software Installation, Folder Redirection and Drive Maps preference extension will
w connections can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from
s slow connections can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system f
can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating affe
rk connection in the case that no network bandwidth speed is determined. Note: When Group Policy detects a slow network connection,
across slow connections can cause significant delays. The "Do not apply during periodic background processing" option prevents the syste
w connections can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from u
n cause significant delays. The "Do not apply during periodic background processing" option prevents the system from updating affected po
e. Updates across slow connections can cause significant delays. 2. The "Do not apply during periodic background processing" option prev
e significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating affected prefe
work connection, such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply during peri
ption updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Update
can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating affec
"Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior.) The slow link valu
d. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. If you disable this s
ns can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating aff
ction, such as a telephone line. Updates across slow connections can cause significant delays. The "Do not apply during periodic backgroun
connections can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from up
as a telephone line. Updates across slow connections can cause significant delays. The "Do not apply during periodic background processin
uch as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply during periodic background pro

k connection, such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply during periodic
es across slow connections can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the
tion, such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply during periodic backgrou
ow network connection, such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply durin
dates across slow connections can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents t
system restart. The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the poli
ons can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating a
nnection, such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply during periodic bac
not apply during periodic background processing" option prevents the system from updating affected policies in the background while the
until the next user logon or system restart. The "Process even if the Group Policy objects have not changed" option updates and reapplies
ns can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating aff
ctions can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updatin
etwork connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a te
connections can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from u
icy Objects replace the user settings normally applied to the user. "Merge" indicates that the user settings defined in the computer's Group
use significant delays. The "Do not apply during periodic background processing" option prevents the system from updating affected policie
ns can cause significant delays. The "Do not apply during periodic background processing" option prevents the system from updating affect
nd Computer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Adminis

the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) The slow link va
y setting to change the policy refresh interval. Note: If you make changes to this policy setting, you must restart your computer for it to tak
pdate intervals are not appropriate for most installations. If you disable this setting, Group Policy is updated every 90 minutes (the default).
very 5 minutes (the default). To specify that Group Policies for users should never be updated while the computer is in use, select the "Tur
30 seconds on computers running Windows Vista operating system.
will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for wo

d to a workgroup.

ation where a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preference
ocation where a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preferen
user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preference items under U
on where a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preference ite
ocation where a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preferenc
e file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preference items under User Config
the location where a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no pref
user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preference items under Us
user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preference items under U
a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preference items under
vide a path in the "User trace" box to the location where a user trace file can be created on the client computer, and you must turn on the
box to the location where a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are
x to the location where a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no p
the location where a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no pref
user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preference items under U
box to the location where a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are
a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preference items under
ox to the location where a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no
a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preference items under
ere a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preference items un
on where a user trace file can be created on the client computer, and you must turn on the "Tracing" option. If there are no preference ite

dating to receive notifications and critical updates from Windows Update.


you disable or do not configure this policy setting, your computer will contact the Windows Update website.

he hyperlink, which prompts the user and then sends information about the event over the Internet to Microsoft. Also, see "Events.asp UR
hared with Microsoft. If you do not configure this policy, Tablet PC users can choose whether or not they want to share their writing sample

d online ordering wizards for more information, including details on specifying service providers in the registry.

turns off the Search Companion feature completely.

ormation to be collected.
ram. If you do not configure this policy setting, the administrator can use the Problem Reports and Solutions component in Control Panel t
mponents/Windows Error Reporting.

er Source Search Order" in "Administrative Templates/System/Device Installation" on newer versions of Windows.

port claims, compound authentication or armoring which is the default behavior for domain controllers running Windows Server 2008 R2
he domain functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003, Windows 2000 na
y time the client sends a compound authentication request regardless of the account configuration.
be supported and set identically on all domain controllers in the domain.
ou disable or do not configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize
mpounded authentication request first then a compound authentication request when the service requests compound authentication.
dit a mapping, remove the current entry from the list and add a new one with different parameters. If you disable this policy setting, the h
os V5 realm Value Name or Value entry from the list, click the entry, and then press the DELETE key. To edit a mapping, remove the curren

support Kerberos armoring. If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Ke
to retrieve claims for clients using Kerberos protocol transition.
th validation of the KDC's X.509 certificate. If you disable or do not configure this policy setting, the Kerberos client requires only that the K

he existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which w


he Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a map
when one or more applications are configured for Dynamic Access Control. Always: Compound authentication is always provided for this co

his policy setting, the user can select a custom locale as their user locale. If this policy setting is enabled at the machine level, it cannot be d
cy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer l
rators can select any system locale shipped with the operating system.
d by users. If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by th
of time after the device's screen turns off before a password is required when waking the device. Instead, a password will be required imm

rs be logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes t

If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. Tip: To disp

y setting in Computer Configuration takes precedence over the policy setting in User Configuration. Note: To create a customized run list b
red in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the "Do not process the

oviders are available for authentication purposes.

setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the progra
l Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setti

y setting does not prevent users from setting preferences for other system sounds.

e older algorithms represents a potential security risk. If you disable this policy setting, Net Logon will not allow the negotiation and use of
to any DCs.
re created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no

e Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application w

or this setting is too small, a client will stop trying to find a DC too soon.
the value set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may be excessive.
Retry Setting is used. Warning: If the value for this setting is too large, a client may take very long periods to try to find a DC. If the value fo

wing behaviors: 1 - Computers will ping DCs at the normal frequency. 2 - Computers will ping DCs at the higher frequency. To specify this beh
DNS names. If you enable this policy setting, this DC does not process incoming mailslot messages that are used for NetBIOS domain name
ot affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known. If you enable or do not configure this policy s
intain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force
n be used to enable the default behavior. If you enable this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the defa

m 0 to 65535. If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
discover additional client IP addresses. To specify this behavior in the DC Locator DNS SRV records, click Enabled, and then enter a value. T
me>DcByGuid SRV _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>GcIpAddress A gc._msdcs.<DnsForestName>D

nd should be preserved in the database. Warning: If the DNS resource records are registered in zones with scavenging enabled, the value o
ted TCP/IP subnets that allow administrators to configure Active Directory access and replication. To specify the sites covered by the DC Lo
he sites names in a space-delimited format. If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local co
ery domain in Active Directory. To specify the sites covered by the GC Locator DNS SRV records, click Enabled, and enter the sites' names in
nk cost. If you enable this policy setting, Try Next Closest Site DC Location will be turned on for the computer. If you disable this policy setti
ng, it is not applied to any DCs, and DCs use their local configuration.
ctory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The sing
not disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory doma
uter" and "Reinstall Windows" (or "Return your computer to factory condition") in Recovery (in Control Panel) will be unavailable. Howeve

helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are
gure Remote Assistance settings. If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow

tting, application-based settings are used.

ndpoint Mapper Service. If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint M
delegation and connect to servers using constrained delegation. If you do not configure this policy setting, it remains disabled and will gene
and uses only about 4K of memory, this setting is not recommended for most installations. -- "Auto1" directs RPC to maintain basic state
ation. You must select an error response type in the drop-down box. -- "Off" disables all extended error information for all processes. RPC
d. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value
r version of Windows, this policy setting will be ignored. The minimum allowed value for this policy setting is 90 seconds. The maximum is 7
opSales. For DesktopIT, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for DesktopIT: With
fore, the scripts for GPOs B and C run in the following order for Qin: Within GPO B: B.ps1, B.cmd Within GPO C: C.ps1, C.cmd For Tamara, G
efault, each startup script must complete before the next one runs. Also, you can use the "Run logon scripts synchronously" setting to d
policy setting, Server Manager does not refresh automatically. If you do not configure this policy setting, Server Manager uses the refresh i

nager is available from the Start menu or the Windows taskbar.

abled, the "Turn off System Restore configuration" policy setting is overwritten.
n off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to dete
e this policy setting, the DPS enables all scenarios for resolution by default, unless you configure separate scenario-specific policy settings.
be configured with the Services snap-in to the Microsoft Management Console.

e to compatibility issues. Note: This policy setting has no effect if the "Turn off Program Compatibility Assistant" policy setting is enabled. T

y. Windows will log an administrator event with instructions if manual recovery is possible. If you enable this setting, the recovery behavior
ios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. Note: For Windows Ser
efault. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. No reboots or service restarts
ervice is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft
tic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS
isable this policy setting, MSDT never downloads tools, and is unable to diagnose problems on remote computers. If you do not configure t

ation of file corruption will be performed without UI. Recovery is not attempted. If you enable this policy setting, the recovery behavior fo
If no local troubleshooting preference is configured, scheduled diagnostics are enabled for detection, troubleshooting and resolution by d

n their computers, even if they are connected to the Internet. They are prevented from connecting to the Microsoft servers that host the W
Performance problems that are handled by the DPS. If you do not configure this policy setting, the DPS will enable Windows Boot Perform
olicy to take effect. Changes take effect immediately.

ve any Windows Resource Exhaustion problems that are handled by the DPS. If you do not configure this policy setting, the DPS will enable
y Windows Shutdown Performance problems that are handled by the DPS. If you do not configure this policy setting, the DPS will enable W
eshoot or resolve any Windows Standby/Resume Performance problems that are handled by the DPS. If you do not configure this policy se
Windows System Responsiveness problems that are handled by the DPS. If you do not configure this policy setting, the DPS will enable Wi
ed TPM authentication setting you choose. Choose the operating system managed TPM authentication setting of "Full" to store the full TP
M commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Manageme
nfigure the Group Policy list of blocked TPM commands. If you disable or do not configure this policy setting, Windows will block the TPM c
ocal list, in addition to commands in the Group Policy and default lists of blocked TPM commands.
curred. Authorization failures older than the duration are ignored. For each standard user two thresholds apply. Exceeding either thresho
n failures older than this duration are ignored. For each standard user two thresholds apply. Exceeding either threshold will prevent the s
ation failure occurred. Authorization failures older than the duration are ignored. For each standard user two thresholds apply. Exceeding
ner information will not be backed up to AD DS. Note: You must first set up appropriate schema extensions and access control settings on
y the user is given full control of their user profile, and the administrators group has no file system access to this folder. Note: If the policy
iders the network connection to be slow if the server returns less than 500 kilobits of data per second or takes 120 milliseconds to respond
e this policy setting, Windows keeps a copy of a user's roaming profile on the local computer's hard drive when the user logs off. Important

nection between the user's computer and profile server. If the connection is slow (as defined by the "Slow network connection timeout fo
missions if the profile folder already exists, and not copy files to or from the roaming folder if the permissions are not correct. By configurin
n if there are any open handles to the per-user registry keys at user logoff.
licy setting.
profile, the roaming profile is downloaded on the user's primary computer only. If you disable or do not configure this policy setting and th
use this policy setting, type the number of seconds Windows should wait for user input. The minimum value is 0 seconds, and the maximu
e deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user
s (over the course of one minute). If you enable this policy setting, you can adjust the number of times the system tries to unload and upda
he roaming profile. At logoff, changes are saved to the local profile. All subsequent logons use the local profile. If you disable this setting o
ming) copy when the user logs off. If you disable or do not configure this policy setting, the default behavior occurs, as indicated above. Note: T
etects the network connection speed. If you disable or do not configure this policy setting, the system does not consult the user. Instead,
sable or do not configure this policy setting, Windows waits for the network for a maximum of 30 seconds.
icy. If you disable or do not configure this policy setting, users logging on this computer will use their local profile or standard roaming user
"Run at specified time of day" is chosen, then a time of day must be specified. Once set, Windows uploads the registry file at the same tim
placeholder for the user name because the user name will be appended at logon. Note: The Drive letter box is ignored if you choose “On

p apps) that have the enterprise authentication capability will not be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this optio
s set in the "Prompt user when slow link is detected" policy setting), but does not respond in the time allowed (as set in the "Timeout for d

that Windows File Protection provides.

more frequent corrections. Values that are too low can lead to overcorrection and instability. Values that are too high can lead to slow syn
s the authentication that W32time uses. The default value is NT5DS. CrossSiteSyncFlags: This value, expressed as a bitmask, controls how W

usted zones.

Windows Store apps when using a special profile. If you disable or do not configure this policy setting, Group Policy blocks deployment oper
r the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrus

events any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components cannot r

r Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the eng

his policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnosti

flects those changes.

avior for autorun to: a) Completely disable autorun commands, or b) Revert back to pre-Windows Vista behavior of automatical
t use this setting to enable Autoplay on drives on which it is disabled by default. If you disable or do not configure this policy setting, A
redentials.

rgets their logon credentials.

splay the computer's top-level folder view when the user chooses the option to save the recovery password in a folder. Note: This policy se
ngth (128-bit or 256-bit) as the "Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)
ng, BitLocker will use the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the setup script.
ssword as a text file and the 256-bit recovery key as a hidden file. Saving to a folder will store the 48-digit recovery password as a text file.

fication field on the drive matches the value configured in the identification field. In a similar manner, BitLocker will only update the BitLoc
ation about setting up AD DS backup for BitLocker is available on Microsoft TechNet. BitLocker recovery information includes the recovery
enable this policy setting, the object identifier specified in the "Object identifier" box must match the object identifier in the smart card c
ck box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is p
owed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. Select "Omit recovery options from the
are-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is enc
e this policy setting, users can configure a password that meets the requirements you define. To require the use of a password, select "Req
ards can be used to authenticate user access to a BitLocker-protected drive.

ng, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.

changed with the server to unlock the computer. You can use the group policy setting "Computer Configuration\Windows Settings\Securit
enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the "Use enhanced Boot Configuration Data validation p
ery information" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery

assword or recovery key be provided to unlock the drive. If you disable or do not configure this policy setting, the TPM uses the default pla
mputers using native UEFI firmware. If you enable this policy setting before turning on BitLocker, you can configure the boot components t
computers with UEFI firmware with a CSM enabled. If you enable this policy setting before turning on BitLocker, you can configure the bo
e hardware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive
ive. If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requir

on a device that uses the Windows touch keyboard. Note that if you do not enable this policy setting, options in the "Require additional aut
ng, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
e drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you wil
a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key

hat controls boot debugging (0x16000010) will always be validated and will have no effect if it is included in the provided fields.
vable drives" check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader
sers are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. Select "Omit recovery option
hardware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive
ure a password that meets the requirements that you define. To require the use of a password, select "Require password for removable d
tting, smart cards are available to authenticate user access to a BitLocker-protected removable data drive.
otection. If you do not configure this policy setting, users can use BitLocker on removable disk drives. If you disable this policy setting, users
olicy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and
ng, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
e PC by using Windows SmartScreen Settings in Action Center. Options: • Require approval from an administrator before running downlo

nd protocol associations.

do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders.
If the paths point to different network shares, this policy setting is not required. If the paths point to the same network share, any data c
is enabled, is 3.

ectory) password synchronization" setting on the Configuration tab of the Password Synchronization Properties dialog box is configured.

make changes using the Windows To Go Startup Options Control Panel item.

disable or do not configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that re
2008 license server will issue a Windows Server 2008 TS CAL, if available, to the following: * A client connecting to a Windows Server 2003

he RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. If you disable this policy setti
D Session Host server without authenticating the RD Session Host server. Do not connect if authentication fails: The client establishes a con

d check box on the Log on Settings tab in Remote Desktop Session Host Configuration. If you disable or do not configure this policy setting,
u configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for

Remote tab in the System properties sheet. By default, remote connections are not allowed. Note: You can limit which clients are able to
ote Desktop Connection.
ow often, in minutes, the server checks the session state. The range of values you can enter is 1 to 999,999. If you disable or do not configu
e or from the command line.
he maximum for the server. To specify an unlimited number of connections, type 999999. If the status is set to Enabled, the maximum num

mine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, a

ator to watch the session of a remote user without the user's consent. If you disable this policy setting, administrators can interact with a u

Windows Server 2008, or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting to a compute
. If you disable this policy setting, audio recording redirection is not allowed, even if audio recording redirection is specified in RDC. If you d

ection is always allowed if Clipboard redirection is allowed. If you do not configure this policy setting, client drive redirection and Clipboard

fic types of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Devic
ity that you specify on the remote computer by using this policy setting is the maximum quality that can be used for a Remote Desktop Se
u log on as a local administrator.

sion Host server. If you disable or do not configure this policy setting, the RD Session Host server does not specify a license server at the Gr

not found, the client's printer is not available. This is the default behavior. "Default to PCL if one is not found" - If no suitable printer driver
the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy
mum size that you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming
m of \\Computername\Sharename. Do not specify a placeholder for the user account name, because Remote Desktop Services automatica
Desktop Services automatically appends this at logon. Note: The Drive Letter field is ignored if you choose to specify a local path. If you ch
r Profile" policy setting.
arm name is not specified at the Group Policy level. Notes: 1. This policy setting is not effective unless both the Join RD Connection Brok
this policy setting, the policy setting is not specified at the Group Policy level. Notes: 1. For Windows Server 2008, this policy setting is su
oker, and user session tracking is not performed. If the policy setting is disabled, you cannot use either the Remote Desktop Session Host C
ss of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the l
policy setting, you can configure the RD Session Host server to participate in RD Connection Broker load balancing by using the Remote D
ote Desktop Connection (RDC) or by using the "allow desktop composition" setting in a Remote Desktop Protocol (.rdp) file. In addition, th
uter. If an initial program is not specified, the desktop is always displayed on the remote computer after the client connects to the remote
memory usage and bandwidth is used. You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compre
Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacted. Howe

If you enable this policy setting, font smoothing will not be allowed for remote connections, even if font smoothing is enabled in RDC or
le to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and does not affec
ion, depending on the client configuration. If the status is set to Not Configured, the default behavior applies.
epth for connections is not specified at the Group Policy level. Note: 1. Setting the color depth to 24 bits is only supported on Wind
gs tab in the Remote Desktop Session Host Configuration tool.
g also does not prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the serve

the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directo

dapters and used as hardware renderers. The GPU configuration of the local session is not affected by this policy setting.
e over LAN connections and RDP 7.1. If you disable this policy setting, RemoteFX will be disabled. If you do not configure this policy setting,

y default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. If you dis
automatically by supplying their passwords in the Remote Desktop Connection client. If you do not configure this policy setting, automatic
method of managing user access is by adding a user to the Remote Desktop Users group.
ed. Note: The RPC interface is used for administering and configuring Remote Desktop Services.
ons, but the RD Session Host server is not authenticated. * RDP: The RDP method uses native RDP encryption to secure communications be
e phrase Network Level Authentication supported. If you disable this policy setting, Network Level Authentication is not required for user a
at was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use th
e Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers. * Client Compatible: T
es its time-out limit. If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified ot
mote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. If you want Remote Desktop Services to
allows sessions to remain active for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a ses
behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected sessio
mit is reached, the user will reconnect to the disconnected session on the RD Session Host server. If you disable or do not configure this pol
unless specified otherwise by the server administrator. Note: This setting only takes effect if per-session temporary folders are in use on t
on the remote computer. If you disable this policy setting, per-session temporary folders are always created, even if the server administrat

hresults.aspx?SearchString=$w This adds intranet search location to: 1) The Windows Deskbar 2) The Desktop Search results search box 3) Th
where XXXX is the locale ID of your WSS Service. For example, the English locale ID is 1033. http://sitename/_layouts/XXXX/searchresults.a
ed for the location of the index to maintain security for encrypted files.

web or display web results in Search" policy setting, queries won't be performed on the web over metered connections and web results wo
"Enable Indexing of Uncached Exchange Folders" policy has no effect on online delegate mailboxes. To stop indexing of online mailboxes a
components. If your users have Administrator permissions or can install software, this policy prevents them from specifically using Windo

ect. If you do not configure this policy setting, the Security Center is turned off for domain members. If you enable this policy setting, Secur

ows 2003 Server will be shown, otherwise the certificate with the expiration time furthest in the future will be shown. Note: This setti
certificate from those cards that do not support retrieval of all certificates in a single call. Certificates other than the default will not be a

ed. If you disable , the subject name will be displayed as it appears in the certificate.
setting in the Input Panel Options dialog box. If you do not configure this policy, Input Panel will provide text prediction suggestions. Users
put Panel Options dialog box. If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this b
log box. If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available.
d text. Users will not be able to configure this setting in the Input Panel Options dialog box. If you disable this policy, rarely used Chinese, Ka
ng tab in Input Panel Options. Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and
to complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setti
nput Panel Options dialog box. If you enable this policy and choose “Medium-Low” from the drop-down box, password security is se
Tolerant," users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users w

ven if this setting is Disabled or Not Configured. Note: This setting appears in the Computer Configuration and User Configuration folders. I
tting in User Configuration. Tip: This setting affects existing tasks only. To prevent users from changing the properties of newly created task

he Scheduled Tasks folder. To prevent this action, use the "Prohibit Drag-and-Drop" setting. Note: This setting appears in the Computer Con
recedence over the setting in User Configuration.
ng. If both are disabled, the service will be stopped.

ntact you. Possible options are: (0x0) Disabled (default) (0x1) Basic membership (0x2) Advanced membership Basic membership will send bas

etting, definition retirement will be disabled.

ue does not exist, resolves to the default (0). If you enable this setting, the specified type of monitoring will be enabled. If you disable or do
ources will be contacted in a default order.

nd default values are applied for any Windows Error Reporting policy settings that are not configured (even if users have changed settings

r settings in Control Panel for Windows Error Reporting are applied.


t on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on

administrator is prompted to send them, or until the administrator sends them by using the Solutions to Problems page in Control Panel. T
t configure this policy setting, users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is
ors for applications on this list setting, and edit the list of application file names in the Show Contents dialog box. The file names must inclu
nfigure this policy setting, errors are reported on all Microsoft and Windows applications by default.
to report all application errors. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. If a

ermined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the u
solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. - 3 (Send parameters and safe a

e only when the installation program is running in a privileged security context in which it has access to directories denied to the user. This
with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.
install patches to programs that run in their own security context. Also, see the "Prohibit patching" policy setting.
ktop or displayed in Add or Remove Programs, only system administrators can install from removable media. Also, see the "Prevent remov
m administrator does not distribute or offer. Note: This policy setting appears both in the Computer Configuration and User Configuration
e Windows Installer will use available free space for the baseline file cache. If you disable or do not configure this policy setting, the W
he Windows Installer will use less restrictive rules for component upgrades.

h elevated products" policy setting.

r is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whethe
cure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setti
ndows Installer versions lesser than 4.0. This option lets those packages display the legacy files in use UI while still using Restart Manager f
registered in their user profile.
eges, such as installations offered on the desktop or in Add or Remove Programs. This policy setting affects Windows Installer only. It d
olicy setting, Windows Installer stores transform files in the Application Data directory in the user's profile. If you do not configure this polic

Logging policy. If you disable or do not configure this policy setting, Windows Installer will automatically generate log files for those packag

sktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 fa

2000 mixed functional level domains, if you enable this setting, a warning message will appear that Windows could not retrieve the inform

unctions normally and will connect to the Internet (or intranet) to acquire licenses, download security upgrades, and perform license resto

te: This policy setting is available under both Computer Configuration and User Configuration. If both are present, the Computer Configura

er the execution events of a module or snap-in are logged. By default, the LogPipelineExecutionDetails property of all modules and snap-in
puter Configuration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it reverts to a per-mac

ecified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more

cy setting, any values that were previously configured for RunAsPassword will need to be reset.
annel binding token is accepted (though it is not protected from credential-forwarding attacks). If HardeningLevel is set to None, all req
e two situations where the effect of this setting depends on the operating system: Hide/Restore updates, and Cancel an install. On XP: If yo
policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.

ct. Note: If the "Configure Automatic Updates" policy is disabled, this policy has no effect. Note: This policy is not supported on Windows RT
installed Windows finds updates that apply to the computer and downloads them in the background (the user is not notified or interr

pact if the Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and

gured to support client-side targeting. If the "Specify intranet Microsoft update service location" policy is disabled or not configured, this p
ery power, when Windows Update wakes it up, it will not install updates and the system will automatically return to hibernation in 2 minu
onfigured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled, this policy has no effect.

f Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go

the notification as appropriate. In Windows 7, this policy setting will only control detailed notifications for optional applications. In Window
this policy setting, Work Folders uses the "Force automatic setup" option of the "Specify Work Folders settings" policy setting to determine
r all languages, even when handwriting personalization is available. See Tablet PC Help for more information. If you enable this policy setti

cy settings, it is possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BIT

base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peerca
re it, the default value of 30 percent of the slowest active network interface will be used. Note: This setting has no effect if the "Allow

- Transfer unless surcharge applies (when not roaming or overcap)
- Transfer unless nearing limit (when not roaming or
Note: The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules.
on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours. If you disable or do not configure this policy setting
lue of 90 (days) will be used for the inactive job timeout.
ers by this policy. In the circumstance where client computers are domain members but you do not want to configure a BranchCache laten
h their operating system.- Enabled. With this selection, this policy setting is applied to client computers based on the value of the option se
g can only be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running W
he servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy. W
s. Because the domain Group Policy setting is not configured, it will not over-write the client computer cache age setting that you use on in
g, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy settin
do not want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then
che client computer cache settings on individual client computers. Because the domain Group Policy setting is not configured, it will not ov
ndividual client computers. Because the domain Group Policy setting is not configured, it will not over-write the enabled setting that you u
rch list. If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp"
s "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes. If you enable this policy setting, one DNS suffix

d name resolution policy setting is disabled or not configured.

f a global suffix search list is configured using Group Policy. If a global suffix search list is not configured, and the Append primary and conne
alog box. Devolution is not enabled if a global suffix search list is configured using Group Policy. If a global suffix search list is not configured
For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNco
nding A records was successful. If you disable this policy setting, or if you do not configure this policy setting, computers will use locally con
records. To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is th
e this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic

ou use on individual servers where you want to enable BranchCache. - Enabled. With this selection, hash publication is turned on for all file
V1 and V2 hash generation and retrieval are supported. - Enabled. With this selection, the policy setting is applied and the hash version(s)

do not configure this policy setting, the default behavior for the Responder will apply.

setting; insert the fully qualified domain name or IPv6 address of the corporate seed server; and check the checkbox. Using the corporate s
will publish the computer or will use multicast to search for other computers on the local subnet. The multicast protocol used for bootstrap
he cloud scope. If you disable or do not configure this policy setting, all PNRP clouds are turned on by default, and PNRP creates a cloud if t

it will publish the computer or will use multicast to search for other computers on the local subnet. The multicast protocol used for bootstr
he cloud scope. If you disable or do not configure this policy setting, all PNRP clouds are turned on by default, and PNRP creates a cloud if t

it will publish the computer or will use multicast to search for other computers on the local subnet. The multicast protocol used for bootstr
he cloud scope. If you disable or do not configure this policy setting, all PNRP clouds are turned on by default, and PNRP creates a cloud if t

s), and the Internet Connection Firewall service cannot run on the computer. The option to enable the Internet Connection Firewall throug
e Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the o

cess and the Internet is not routed through the internal network.
ws Firewall deployment information at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=25131).
mputer. If you enable this policy setting and allow certain message types, then later disable this policy setting, Windows Firewall deletes t
and Printer Sharing" check box is cleared and administrators cannot select it. If you do not configure this policy setting, Windows Firewall
omputer to receive the unsolicited incoming messages associated with remote administration. You must specify the IP addresses or subne
strators cannot select it. If you do not configure this policy setting, Windows Firewall does not open this port. Therefore, the computer can
Windows Firewall component of Control Panel, the "UPnP framework" check box is cleared and administrators cannot select it. If you do not
ettings\Windows Firewall with Advanced Security to specify that local firewall rules should not apply.
ws Settings\Security Settings\Windows Firewall with Advanced Security to specify that local firewall rules should not apply.
rewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds infor
t exceptions list that is defined by the Windows Firewall component in Control Panel, also enable the "Windows Firewall: Allow local port
dialog box type a definition string that uses the syntax format. To remove a program, click its definition, and then press the DELETE key. T
ot select it. If you do not configure this policy setting, Windows Firewall applies other policy settings that allow unsolicited incoming messa

ssages that detect name conflicts.

mputer. If you enable this policy setting and allow certain message types, then later disable this policy setting, Windows Firewall deletes t
and Printer Sharing" check box is cleared and administrators cannot select it. If you do not configure this policy setting, Windows Firewall
omputer to receive the unsolicited incoming messages associated with remote administration. You must specify the IP addresses or subne
strators cannot select it. If you do not configure this policy setting, Windows Firewall does not open this port. Therefore, the computer can
Windows Firewall component of Control Panel, the "UPnP framework" check box is cleared and administrators cannot select it. If you do not
ettings\Windows Firewall with Advanced Security to specify that local firewall rules should not apply.
ws Settings\Security Settings\Windows Firewall with Advanced Security to specify that local firewall rules should not apply.
rewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds infor
t exceptions list that is defined by the Windows Firewall component in Control Panel, also enable the "Windows Firewall: Allow local port
dialog box type a definition string that uses the syntax format. To remove a program, click its definition, and then press the DELETE key. T
ot select it. If you do not configure this policy setting, Windows Firewall applies other policy settings that allow unsolicited incoming messa

ssages that detect name conflicts.

k Isolation. Example: [3efe:3022::1000];18.0.0.1;18.0.0.2 For more information see: http://go.microsoft.com/fwlink/p/?LinkId=234043

ts to automatically discover your private network hosts. Example: 3efe:1092::/96,18.1.1.1/10 For more information see: http://go.microso

Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence ove

lected Work Offline mode. This mode is in effect when a user selects the Work Offline button for a specific share. When selected, all config

specific UNC paths. We recommend that you always specify a value for Latency, since the round-trip network latency detection is faster. Y
ached files is limited to 10 percent of the system drive by default, but users can change it. Tip: To change the amount of disk space used fo
latency of the network above which files should be transparently cached in the Offline Files cache. If the round trip latency of the network
ociated network copy is not. The user cannot encrypt Offline Files through the user interface. If you do not configure this policy setting, enc
ver hosting the offline file is reconnected to the network. Note: This setting appears in the Computer Configuration and User Configuration

iles cache is located. The limit for automatically cached files is 100 percent of the total disk space limit. If you do not configure this policy s
s from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this se
ns, click the Offline Files tab, and then click "View Files."
able this setting. You do not have to disable any other settings in this folder.
Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option.

onfiguration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is

offline use by Group Policy. Note: This setting appears in the Computer Configuration and User Configuration folders. If both policy settings

dence over the setting in User Configuration. Tip: To change the synchronization method without changing a setting, in Windows Explorer,
erforms a quick synchronization by default, but users can change this option. This setting appears in the Computer Configuration and User

ation and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setti

e Valid Communities configured on the local computer instead. Best practice: For security purposes, it is recommended to restrict the HKL
e HKLM\SOFTWARE\Policies\SNMP\Parameters\PermittedManagers key to allow only the local admin group full control. Note: This policy
if the SNMP agent is not installed on the client computer. Also, see the other two SNMP settings: "Specify permitted managers" and "Speci
BC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521 TLS_ECDHE_

ent, the host will have a 6to4 interface. Policy Enabled State: If a global IPv4 address is present, the host will have a 6to4 interface. If no glo

. Policy Enabled State: If the ISATAP name is resolved successfully, the host will have ISATAP configured with a link-local address and an ad

ount of network traffic over the less preferred connection drops below a certain threshold. For example, when a computer is connected t
al connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual

ontrol Panel\Printers.
ternet" page, click "Network and Sharing Center". On the Network and Sharing Center page, click "Change advanced sharing settings". On

uning Retry" settings to adjust the contact interval and number of contact attempts.

t. Note: This policy does not determine whether offline printing will be available to the client. The client print spooler can always queue pri

, and the user does not type a location as a search criterion, the system searches for a nearby printer based on the IP address and subnet
ng" setting in this setting folder and the "Browse a common web site to find printers" setting in User Configuration\Administrative Templa

t configure or disable this setting, the default values are used. Note: This setting is used only on domain controllers.
it kernel-mode printer drivers as they cannot be installed and associated with a print queue.

er, you must explicitly enable this policy setting for other versions of Windows (for example Windows Enterprise, and all versions of Windo
nt drivers loaded by applications. Print drivers loaded by the print spooler are not affected. - This policy setting is only checked once during
the event log. If you disable or do not configure this policy setting, the contact events are not recorded in the event log. Note: T
signature of all drivers that are downloaded from print servers.If this setting is disabled, or not configured, package point and print will no
mputers can point and print to any server. - Windows Vista computers will show a warning and an elevated command prompt when us
on field by default. If you disable this setting or do not configure it, Location Tracking is disabled. Printer proximity is estimated using the s

You can enable this setting to change the default behavior. To use this setting, select one of the following options from the "Prune non-re

n, the layout won't be changed. Users cannot customize their Start screen while this setting is enabled. If you disable this setting or do not

d on" for supported versions.) If you disable this policy setting, the Shutdown Event Tracker is not displayed when you shut down the comp

both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
ptions Control Panel.

. Note: An environment variable may be used, (for example, %windir%), as long as it is defined on the system. For example, %program

disable or do not configure this policy setting, or if the required files cannot be found at the locations specified in this policy setting, the file

tandard Access Denied message.

can contain sensitive or private information such as passwords or user data.


fault credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which t
ERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine TERM
N represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying th
The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted w
mes (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is p
mitted to any machine. Note: The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to on
ne TERMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session
machine TERMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/*.humanresources.fabrikam.com Remote Desktop S
s.fabrikam.com machine TERMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/*.humanresources.fabrikam.com R
emplates\System\Credentials Delegation).

arches source locations for device drivers.

etting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remot
te desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop serve

ws can install and update device drivers for removable devices as allowed or prevented by other policy settings.

not configure this policy setting, the default behavior is to turn on support for the NV cache.

he system uses the physical space on the volume as the quota limit. Note: To turn on or turn off disk quota management without specifying
ue to write to the volume as long as physical space is available. Note: This policy setting overrides user settings that enable or disable quot
dless of whether or not you choose to enforce the disk quota limit. Also, this policy setting does not affect the Quota Entries window on the
Entries window changes. Note: To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Prope
ota tab in Volume Properties). If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk q

o this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM server. If you add an appid to this list

art drivers to initialize the next time the computer is started. If you disable or do not configure this policy setting, the boot start drivers det
figure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user logs on to. Note: If
cy redirection policy already deployed for these folders in your existing localized environment.

behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user profile is allowed from the trusted forest. If you
wing behavior:- If you had originally created the GPO with an English system, and then you edit the GPO with a Japanese system, the Gro
aps preference extension will not be applied. Note: There are two conditions that will cause Group Policy to be processed synchronously e
tion prevents the system from updating affected preference items in the background while the computer is in use. When background upda
" option prevents the system from updating affected preference items in the background while the computer is in use. When background
he system from updating affected preference items in the background while the computer is in use. When background updates are disabl
s a slow network connection, Group Policy will only process those client side extensions configured for processing across a slow link (slow
ing" option prevents the system from updating affected policies in the background while the computer is in use. When background update
on prevents the system from updating affected preference items in the background while the computer is in use. When background upda
tem from updating affected policies in the background while the computer is in use. When background updates are disabled, policy chang
ound processing" option prevents the system from updating affected preference items in the background while the computer is in use. W
m from updating affected preference items in the background while the computer is in use. When background updates are disabled, prefer
The "Do not apply during periodic background processing" option prevents the system from updating affected preference items in the bac
h as a telephone line. Updates across slow connections can cause significant delays. The "Process even if the Group Policy objects have no
he system from updating affected preference items in the background while the computer is in use. When background updates are disable
ior.) The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the do
d to be fast. If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second. This setting appea
the system from updating affected preference items in the background while the computer is in use. When background updates are disab
ply during periodic background processing" option prevents the system from updating affected policies in the background while the comp
n prevents the system from updating affected preference items in the background while the computer is in use. When background update
periodic background processing" option prevents the system from updating affected policies in the background while the computer is in us
during periodic background processing" option prevents the system from updating affected preference items in the background while the

"Do not apply during periodic background processing" option prevents the system from updating affected preference items in the backgro
ocessing" option prevents the system from updating affected preference items in the background while the computer is in use. When back
apply during periodic background processing" option prevents the system from updating affected preference items in the background whi
ays. 2. The "Do not apply during periodic background processing" option prevents the system from updating affected preference items in t
processing" option prevents the system from updating affected preference items in the background while the computer is in use. When b
es the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. How
ts the system from updating affected preference items in the background while the computer is in use. When background updates are dis
not apply during periodic background processing" option prevents the system from updating affected preference items in the background
es in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the nex
option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they be update
the system from updating affected preference items in the background while the computer is in use. When background updates are disab
ents the system from updating affected preference items in the background while the computer is in use. When background updates are d
twork connection, such as a telephone line. Updates across slow connections can cause significant delays. The "Process even if the Group
on prevents the system from updating affected preference items in the background while the computer is in use. When background updat
efined in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the
from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes w
e system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy c
mputer Configuration\Administrative Templates\System\GroupPolicy.

behavior.) The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the d
art your computer for it to take effect.
very 90 minutes (the default). To specify that Group Policy should never be updated while the computer is in use, select the "Turn off bac
puter is in use, select the "Turn off background refresh of Group Policy" setting. This setting also lets you specify how much the actual upda

Windows 7 configured for workplace connectivity.

on. If there are no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Configuration tra
ption. If there are no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Configuration t
e no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Configuration tracing: This pref
If there are no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Configuration tracin
tion. If there are no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Configuration tr
rence items under User Configuration in this extension, no user trace file is created. 2. Computer Configuration tracing: This preference ex
ng" option. If there are no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Configura
no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Configuration tracing: This prefe
no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Configuration tracing: This prefe
re no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Configuration tracing: This pre
uter, and you must turn on the "Tracing" option. If there are no preference items under User Configuration in this extension, no user trace
"Tracing" option. If there are no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Con
acing" option. If there are no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Config
ng" option. If there are no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Configura
e no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Configuration tracing: This pref
"Tracing" option. If there are no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Con
re no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Configuration tracing: This pre
Tracing" option. If there are no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Confi
re no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Configuration tracing: This pre
ere are no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Configuration tracing: Thi
If there are no preference items under User Configuration in this extension, no user trace file is created. 2. Computer Configuration tracing
soft. Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Command Line Parameters" settings in "Administrative
t to share their writing samples from the handwriting recognition personalization tool with Microsoft.

component in Control Panel to enable Windows Customer Experience Improvement Program for all users.

ing Windows Server 2008 R2 or earlier operating systems. Note: For the following options of this KDC policy to be effective, the Kerberos G
Server 2003, Windows 2000 native, or Windows 2000 mixed, domain controllers cannot provide information about previous logons, and en

efault Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions.
compound authentication.
sable this policy setting, the host name-to-Kerberos realm mappings list defined by Group Policy is deleted. If you do not configure this pol
a mapping, remove the current entry from the list and add a new one with different parameters. If you disable this policy setting, the inter

e domain enforce the use of Kerberos armoring when possible as supported by the target domain.

client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can b

Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with W
the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. If you disable or d
is always provided for this computer account. If you disable this policy setting, Never will be used. If you do not configure this policy setting

e machine level, it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy
t Configured at the computer level, then restrictions will be based on per-User policies. To set this policy on a per-user basis, make sure tha

mputer, unless restricted by the "Disallow selection of Custom Locales" policy setting. If this policy setting is enabled at the computer level
password will be required immediately upon the screen turning off. Note: This policy setting only applies to domain-joined devices that su

mputer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon

ser Configuration.Tip: To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then

create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. Also, see the "Do not pr
see the "Do not process the legacy run list" policy setting.

d, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User C
nitial setup and this policy setting is not configured, users new to this computer will not see the animation. Note: The first sign-in anim

ow the negotiation and use of older cryptography algorithms. If you do not configure this policy setting, Net Logon will not allow the negoti

etlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive

ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, wh

eries may be excessive.


try to find a DC.If the value for this setting is too small and the DC is not available, the frequent retries may produce excessive network tra

r frequency.To specify this behavior, click Enabled and then enter a value. The range of values is from 1 to 2.If you do not configure this po
ed for NetBIOS domain name based DC location.If you disable or do not configure this policy setting, this DC processes incoming mailslot m
r do not configure this policy setting, the DC location algorithm does not use NetBIOS-based discovery as a fallback mechanism when DNS-
default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses t
v6 DC address. This is the default behavior of the DC Locator.If you disable this policy setting, DC Locator APIs will ONLY return IPv4 DC add

nfiguration.
bled, and then enter a value. The range of values is from 0 to 2.If you do not configure this policy setting, it is not applied to any DCs, and D
c._msdcs.<DnsForestName>DsaCname CNAME <DsaGuid>._msdcs.<DnsForestName>Kdc SRV _kerberos._tcp.dc._msdcs.<Dn

avenging enabled, the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Refres
the sites covered by the DC Locator application directory partition-specific DNS SRV records, click Enabled, and then enter the site names
DCs, and DCs use their local configuration.
d, and enter the sites' names in a space-delimited format.If you do not configure this policy setting, it is not applied to any GCs, and GCs us
r.If you disable this policy setting, Try Next Closest Site DC Location will not be used by default for the computer. However, if a DC Locator

DNS name resolution. The single-label name is not used without appending DNS suffixes unless the computer is joined to a domain that ha
osts an Active Directory domain specified with a single-label name. the computers will not the DNS name resolution in this case, unless the
el) will be unavailable. However, with this policy setting disabled, users can still restore the computer to the original state or from a user-cr

f users or user groups that are allowed to offer remote assistance.To configure the list of helpers, click "Show." In the window that opens,
ide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."The "Maximum ti

uthenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service
remains disabled and will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using con
ts RPC to maintain basic state information only if the computer has at least 64 MB of memory.-- "Auto2" directs RPC to maintain basic sta
rmation for all processes. RPC only generates an error code.-- "On with Exceptions" enables extended error information, but lets you disab
Windows Client and the value of "None" used for Server SKUs that support this policy setting. If you enable this policy setting, it directs th
90 seconds. The maximum is 7200 seconds (2 hours).If you disable this policy setting, the idle connection timeout on the IIS server running
wing order for DesktopIT: Within GPO B: B.ps1, B.cmd Within GPO C: C.ps1, C.cmd For DesktopSales, GPOs B and C are applied, but not GPO
C: C.ps1, C.cmd For Tamara, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order fo
s synchronously" setting to direct the system to wait for the logon scripts to complete before loading the desktop. An excessively long int
er Manager uses the refresh interval settings that are specified in the Server Manager console.Note: The default refresh interval for Serve

n" policy setting is used to determine whether the option to configure System Restore is available.
enario-specific policy settings.This policy setting takes precedence over any scenario-specific policy settings when it is enabled or disabled.

nt" policy setting is enabled. The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA t

setting, the recovery behavior for corrupted files will be set to either the regular (default), silent, or troubleshooting only state.If you disab
nsole. Note: For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and th
No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. This policy setting takes
vices snap-in to the Microsoft Management Console.No system restart or service restart is required for this policy setting to take effect: ch
will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
uters.If you do not configure this policy setting, MSDT prompts the user before downloading any additional tools.No reboots or service re

tting, the recovery behavior for corrupted files is set to either the Prompt For Resolution (default on Windows client), Silent (default on Wi
leshooting and resolution by default.No reboots or service restarts are required for this policy to take effect: changes take effect immedia

crosoft servers that host the Windows Online Troubleshooting Service.


nable Windows Boot Performance for resolution by default.This policy setting takes effect only if the diagnostics-wide scenario execution

cy setting, the DPS will enable Windows Resource Exhaustion for resolution by default.This policy setting takes effect only if the diagnostic
setting, the DPS will enable Windows Shutdown Performance for resolution by default.This policy setting takes effect only if the diagnosti
do not configure this policy setting, the DPS will enable Windows Standby/Resume Performance for resolution by default.This policy settin
setting, the DPS will enable Windows System Responsiveness for resolution by default.This policy setting takes effect only if the diagnostic
ng of "Full" to store the full TPM owner authorization, the TPM administrative delegation blob and the TPM user delegation blob in the loc
to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands
Windows will block the TPM commands in the default list, in addition to commands in the Group Policy and local lists of blocked TPM com

ply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. This valu
er threshold will prevent the standard user from sending a command to the TPM that requires authorization. The Standard User Lockout T
o thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authoriza
and access control settings on the domain before AD DS backup can succeed. Consult online documentation for more information about se
this folder.Note: If the policy setting is enabled after the profile is created, the policy setting has no effect.Note: The policy setting must be
e 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing
en the user logs off.Important: Do not enable this policy setting if you are using the slow link detection feature. To respond to a slow link,

etwork connection timeout for user profiles" policy setting), the system applies the other policy settings set in this folder to determine how
s are not correct.By configuring this policy setting, you can alter this behavior.If you enable this policy setting Windows will not check the p

figure this policy setting and the user has a roaming profile, the roaming profile is downloaded on every computer that the user logs on to.
e is 0 seconds, and the maximum is 600 seconds.If you disable or do not configure this policy setting, Windows waits 30 seconds for user in
during user logon when a user profile is deleted and that user subsequently logs on to the machine.If you disable or do not configure this p
stem tries to unload and update the user's registry settings. (You cannot adjust the retry rate.)If you disable this policy setting or do not co
file. If you disable this setting or do not configure it, the default behavior occurs, as indicated above.If you enable both the "Prevent Roami
urs, as indicated above.Note: This policy setting only affects roaming profile users.
not consult the user. Instead, the system uses the local copy of the user profile. If you have enabled the "Wait for remote user profile" po

ofile or standard roaming user profile.Note: There are four ways to configure a roaming profile for a user. Windows reads profile configura
he registry file at the same time every day, as long as the user is logged on.For both scheduling options, there is a random one hour delay
s ignored if you choose “On the local computer” from the Location list. If you choose “On the local computer” and enter a file sh

, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on th
ed (as set in the "Timeout for dialog boxes" policy setting).Waiting for the remote profile is appropriate when users move between compu

e too high can lead to slow synchronization. Default: 4 (scalar). HoldPeriod: This parameter indicates how many potentially accurate time sa
d as a bitmask, controls how W32time chooses time sources outside its own site. The possible values are 0, 1, and 2. Setting this value to 0

Policy blocks deployment operations of Windows Store apps when using a special profile.
ed vulnerabilities from untrusted sources, reducing the associated risk.

r 16-bit components cannot run.If the status is set to Disabled, the MS-DOS subsystem runs for all users on this computer.If the status is s

pplication problems. If the engine is turned off, these mitigations will not be applied to applications and their installers and these applicatio

roubleshooting and Diagnostics->Application Compatibility Diagnostics.Note: The Diagnostic Policy Service (DPS) and Program Compatibili

Vista behavior of automatically executing the autorun command. If you disable or do not configure this policy setting, Windows Vista or
configure this policy setting, AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User Con

in a folder.Note: This policy setting does not prevent the user from saving the recovery password in another folder.
ows Server 2008, Windows 7)" policy setting, if it is set. If neither policy is set, BitLocker will use the default encryption method of AES 128
pecified by the setup script.
covery password as a text file. Printing will send the 48-digit recovery password to the default printer. For example, not allowing the 48-di

ker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identificati
rmation includes the recovery password and some unique identifier data. You can also include a package that contains a BitLocker-protect
t identifier in the smart card certificate.If you disable or do not configure this policy setting, a default object identifier is used.
Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identificati
mit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a
default when the drive is encrypted. If you do not configure this policy setting, BitLocker will use hardware-based encryption with the encr
use of a password, select "Require password for fixed data drive". To enforce complexity requirements on the password, select "Require c

tion\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate" on the domain control
Configuration Data validation profile" group policy setting is ignored and Secure Boot verifies BCD settings according to the Secure Boot po
password or a 256-bit recovery key. Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recove

the TPM uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation p
figure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any o
ker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating syst
used by default when the drive is encrypted. If you do not configure this policy setting, BitLocker will use hardware-based encryption with t
. To enforce complexity requirements on the password, select "Require complexity". When set to "Require complexity" a connection to a d

in the "Require additional authentication at startup" policy might not be available on such devices. These options include:- Configure TPM

en the password then you will need to use one of the BitLocker recovery options to access the drive. On a computer with a compatible TPM
is protected solely by the key material on this USB flash drive. If you enable this policy setting, the wizard will display the page to allow the

the provided fields.


ives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive h
y. Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on Bit
ed by default when the drive is encrypted. If you do not configure this policy setting, BitLocker will use hardware-based encryption with th
uire password for removable data drive". To enforce complexity requirements on the password, select "Require complexity". When set to "

isable this policy setting, users cannot use BitLocker on removable disk drives.
will be mounted with read and write access. Note: This policy setting can be overridden by the policy settings under User Configuration\Ad
strator before running downloaded unknown software • Give user a warning before running downloaded unknown software • Turn off

a limited set of folders.


me network share, any data contained in the redirected folders is deleted if this policy setting is not enabled.
es dialog box is configured.

RD Session Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configu
ng to a Windows Server 2003 terminal server * A client connecting to a Windows 2000 terminal server If you enable this policy setting, the

t.If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP
ls: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated.If you disable

t configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted t
bination of the list defined for the computer and the list defined for the user.This policy setting overrides the behavior of the "Allow .rdp fi

limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configura

f you disable or do not configure this policy setting, a keep-alive interval is not set and the server will not check the session state.
to Enabled, the maximum number of connections is limited to the specified number consistent with the version of Windows and the mode

om a low-speed connection, and it will not try to adapt the user experience to varying network quality.If you disable or do not configure th

nistrators can interact with a user's Remote Desktop Services session, with the user's consent.

when connecting to a computer running Windows 8, Windows Server 2012 R2, Windows 7, Windows Vista, or Windows XP Professional.If y
on is specified in RDC.If you do not configure this policy setting, Audio recording redirection is not specified at the Group Policy level.

rive redirection and Clipboard file copy redirection are not specified at the Group Policy level.

stem\Device Installation\Device Installation Restrictions policy settings.


used for a Remote Desktop Services session, regardless of the audio playback quality configured on the client computer. For example, if th

ecify a license server at the Group Policy level.

" - If no suitable printer driver can be found, default to the Printer Control Language (PCL) fallback printer driver."Default to PS if one is no
use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver canno
the size of the entire roaming user profile cache is less than the maximum size specified.If you disable or do not configure this policy settin
e Desktop Services automatically adds this when the user logs on and the profile is created. If the specified network share does not exist, R
o specify a local path. If you choose to specify a local path but then type the name of a network share in Home Dir Root Path, Remote Desk

h the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using
er 2008, this policy setting is supported on at least Windows Server 2008 Standard. 2. This policy setting is not effective unless the Join R
emote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker.
en a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Sessi
ancing by using the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI provider.Note: If you enable th
tocol (.rdp) file. In addition, the client computer must have the necessary hardware to support Windows Aero features.Note: Additional c
client connects to the remote computer.Note: If this policy setting is enabled, then the "Start a program on connection" policy setting is ig
ing not to use an RDP compression algorithm will use more network bandwidth and is only recommended if you are using a hardware dev
cs data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that yo

moothing is enabled in RDC or in the .rdp file. If you disable or do not configure this policy setting, font smoothing is allowed for remote
l (RDP) 7.1, and does not affect clients that are using other RDP versions.

its is only supported on Windows Server 2003 and Windows XP Professional. 2.The value specified in this policy setting is not applied t
on remains active on the server by configuring the "Computer Configuration\Administrative Templates\Windows Components\Remote De

ed path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory

olicy setting.
t configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX

over LAN conditions. If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be
this policy setting, automatic logon is not specified at the Group Policy level.

n to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server is not auth
tion is not required for user authentication before allowing remote connections to the RD Session Host server. If you do not configure this
llment request and will use the current certificate until the request is completed. If more than one certificate is found that was created wi
servers. * Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key stren
ut session, even if specified otherwise by the server administrator. If you do not configure this policy setting, Remote Desktop Services disc
t Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Com
nd instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administr
e session, disconnected session time limits do not apply.If you disable or do not configure this policy setting, this policy setting is not speci
ble or do not configure this policy setting, when a user closes the last RemoteApp program, the session will be disconnected from the RD Se
mporary folders are in use on the server. If you enable the Do not use temporary folders per session policy setting, this policy setting has no
even if the server administrator specifies otherwise.If you do not configure this policy setting, per-session temporary folders are created u

Search results search box 3) The WDS search box in Search Companion
_layouts/XXXX/searchresults.aspx?SearchString=$w These additional intranet search locations are added to the All Locations list in the Des

onnections and web results won't be displayed when a user performs a query in Search.
indexing of online mailboxes and online delegate mailboxes you must disable both policies.
m from specifically using Windows Desktop Search-related add-ins. Note: Because of a limitation in the Group Policy editor, you must add at

nable this policy setting, Security Center is turned on for all users. If you disable this policy setting, Security Center is turned off for domain

will be shown. Note: This setting will be applied after the following policy: "Allow time invalid certificates" If you enable or do not configure
than the default will not be available for logon.
prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and W
as in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. Ca
here this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.
policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed
text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar ico
l be able to configure this setting on the Text completion tab in Input Panel Options.
n box, password security is set to “Medium-Low.” At this setting, when users enter passwords from Input Panel they use the on-scree
s XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this policy an

d User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in U
operties of newly created tasks, use the "Remove Advanced Menu" setting.

g appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configura
asic membership will send basic information to Microsoft about software that has been detected, including where the software came from

e enabled. If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled.
f users have changed settings by using Control Panel). If you enable this policy setting, you can configure the following settings in the polic

able notification by default on computers that are running Windows Server. See also the Configure Error Reporting policy setting.

blems page in Control Panel. The Maximum number of reports to queue setting determines how many reports can be queued before older
ault setting in Control Panel is Upload all applications. This policy setting is ignored if the Configure Error Reporting policy setting is disable
box. The file names must include the .exe file name extension (for example, notepad.exe). Errors that are generated by applications on thi

setting takes precedence. If an application is listed both in the List of applications to always report errors for policy setting, and in the excl

y, and Windows prompts the user for consent to send any additional data that is requested by Microsoft. - Send all data: any error reportin
3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an ex

ctories denied to the user. This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installa

.Also, see the "Prevent removable media source for any install" policy setting.
ation and User Configuration folders. To make this policy setting effective, you must enable it in both folders. Caution: Skilled users can tak
gure this policy setting, the Windows Installer will use a default value of 10 percent for the baseline file cache maximum size.

cy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context."
ble, do not use this policy setting unless it is essential. This policy setting appears in the Computer Configuration and User Configuration fol
le still using Restart Manager for detection. If you disable or do not configure this policy setting, Windows Installer will use Restart Manage
cts Windows Installer only. It does not prevent users from selecting other browsers, such as File Explorer or Network Locations, to search f
you do not configure this policy setting on Windows 2000 Professional, Windows XP Professional and Windows Vista, when a user reinstall

erate log files for those packages that include the MsiLogging property.

er on Windows Server 2003 family when the policy is not configured. -- The "Always" option indicates that Windows Installer is disabled. T

ws could not retrieve the information and the user will not be able to log on. Therefore, you should not enable this policy setting if the dom

des, and perform license restoration.

sent, the Computer Configuration version of this policy setting takes precedence.

erty of all modules and snap-ins is set to False. To add modules and snap-ins to the policy setting list, click Show, and then type the mo
setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed."

v6 filter specifies one or more ranges of IPv6 addresses. If specified, the service enumerates the available IP addresses on the computer an

ningLevel is set to None, all requests are accepted (though they are not protected from credential-forwarding attacks).
d Cancel an install. On XP: If you enable this policy setting, users will not see a User Account Control window and do not need elevated per

not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
he user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to

not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy setting is enabled.

abled or not configured, this policy has no effect. Note: This policy is not supported on Windows RT. Setting this policy will not have any eff
eturn to hibernation in 2 minutes.
led, this policy has no effect.

organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them. If

tional applications. In Windows Vista, this policy setting controls detailed notifications for optional applications and updates. If you disable
gs" policy setting to determine whether to automatically set up Work Folders for a given user.
n. If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Pa

d be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect. If y

setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the max
tting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured.

ng limit (when not roaming or nearing cap) - Transfer only if unconstrained - Custom--allows you to specify a bitmask, in
and other schedules.
ot configure this policy setting, BITS uses all available unused bandwidth for background job transfers.

configure a BranchCache latency setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and t
d on the value of the option setting "Select from the following versions" that you specify. - Disabled. With this selection, this policy setting
omputers that are running Windows 7 or Windows Vista. Client computers to which this policy setting is applied, in addition to the "Set B
manually or by Group Policy. When this policy setting is applied, the client computer performs or does not perform automatic hosted cach
e age setting that you use on individual client computers. - Enabled. With this selection, the BranchCache client computer cache age setting
the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on individual client computers wh
Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain
is not configured, it will not over-write the client computer cache setting that you use on individual client computers. - Enabled. With this s
the enabled setting that you use on individual client computers where you want to enable BranchCache. - Enabled. With this selection, Bra
rms a query for "server.corp" the DNS client will send a query for "server.corp" first, and then a query for "server.corp.contoso.com." seco
policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the faile

he Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-
ffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appe
n specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomp
computers will use locally configured settings.
The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes. If
ource records during dynamic update.If you disable this policy setting, existing A resource records that contain conflicting IP addresses wil

blication is turned on for all file servers where Group Policy is applied. For example, if Hash Publication for BranchCache is enabled in doma
pplied and the hash version(s) that are specified in "Hash version supported" are generated and retrieved. - Disabled. With this selection, b

heckbox. Using the corporate seed server only will prevent your mobile users from being able to use their peer to peer applications at hom
st protocol used for bootstrapping is SSDP (Simple Service Discovery Protocol). The SSDP service must be enabled (which it is by default) fo
, and PNRP creates a cloud if the computer has an IPv6 address compatible with the cloud’s scope.

ticast protocol used for bootstrapping is SSDP (Simple Service Discovery Protocol). The SSDP service must be enabled (which it is by default) fo
, and PNRP creates a cloud if the computer has an IPv6 address compatible with the cloud’s scope.

ticast protocol used for bootstrapping is SSDP (Simple Service Discovery Protocol). The SSDP service must be enabled (which it is by default
, and PNRP creates a cloud if the computer has an IPv6 address compatible with the cloud’s scope.

net Connection Firewall through the Advanced tab is removed. In addition, the Internet Connection Firewall is not enabled for remote acce
he user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizar

ng, Windows Firewall deletes the list of message types that you had enabled. If you do not configure this policy setting, Windows Firewall b
icy setting, Windows Firewall does not open these ports. Therefore, the computer cannot share files or printers unless an administrator us
ecify the IP addresses or subnets from which these incoming messages are allowed. If you disable or do not configure this policy setting, W
. Therefore, the computer cannot receive Remote Desktop requests unless an administrator uses other policy settings to open the port. In
s cannot select it. If you do not configure this policy setting, Windows Firewall does not open these ports. Therefore, the computer cannot

ould not apply.


ates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact. If you do not confi
ows Firewall: Allow local port exceptions" policy setting. If you disable this policy setting, the port exceptions list defined by Group Policy is
then press the DELETE key. To edit a definition, remove the current definition from the list and add a new one with different parameters.
w unsolicited incoming messages. In the Windows Firewall component of Control Panel, the "Block all incoming connections" check box is

ng, Windows Firewall deletes the list of message types that you had enabled. If you do not configure this policy setting, Windows Firewall b
icy setting, Windows Firewall does not open these ports. Therefore, the computer cannot share files or printers unless an administrator us
ecify the IP addresses or subnets from which these incoming messages are allowed. If you disable or do not configure this policy setting, W
. Therefore, the computer cannot receive Remote Desktop requests unless an administrator uses other policy settings to open the port. In
s cannot select it. If you do not configure this policy setting, Windows Firewall does not open these ports. Therefore, the computer cannot

ould not apply.


ates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact. If you do not confi
ows Firewall: Allow local port exceptions" policy setting. If you disable this policy setting, the port exceptions list defined by Group Policy is
then press the DELETE key. To edit a definition, remove the current definition from the list and add a new one with different parameters.
w unsolicited incoming messages. In the Windows Firewall component of Control Panel, the "Block all incoming connections" check box is

fwlink/p/?LinkId=234043

mation see: http://go.microsoft.com/fwlink/p/?LinkId=234043

uration takes precedence over the setting in User Configuration. Tip: To configure this setting without establishing a setting, in Windows Ex

hare. When selected, all configured settings will apply to shares in user selected Work Offline mode as well. If you disable or do not configu

k latency detection is faster. You can use wildcard characters (*) for specifying UNC paths. If you do not specify a Latency or Throughput v
amount of disk space used for automatic caching without specifying a setting, in Windows Explorer, on the Tools menu, click Folder Optio
nd trip latency of the network is less than 60ms, reads to remote files will not be cached. If you enable this policy setting, transparent cach
nfigure this policy setting, encryption of the Offline Files cache is controlled by the user through the user interface. The current cache state
ration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the se

u do not configure this policy setting, the system limits the space that offline files occupy to 25 percent of the total space on the drive whe
m actions established via this setting. Tip: To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, c

y ... minutes" option.

Available Offline" command is unavailable for all specified files and folders. The "Make Available Offline" command is called "Always availa

folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use.

setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offlin
puter Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes preceden

akes precedence over the setting in User Configuration. Tip: To display or hide reminder balloons without establishing a setting, in Window

ommended to restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\ValidCommunities key to allow only the local admin group full co
p full control. Note: This policy setting has no effect if the SNMP agent is not installed on the client computer. Also, see the other two SNMP
rmitted managers" and "Specify Community Name".
CBC_SHA_P521 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDH

have a 6to4 interface. If no global IPv4 address is present, the host will not have a 6to4 interface. Policy Disabled State: 6to4 is turned off a

a link-local address and an address for each prefix received from the ISATAP router through stateless address auto-configuration. If the ISA

en a computer is connected to Internet using a Wi-Fi connection and the user plugs in to an Ethernet network, network traffic is routed th
disconnected and the manual connection is allowed. - When the computer is already connected to either a non-domain based network

dvanced sharing settings". On the Advanced sharing settings page, click the arrow next to "Domain" arrow, click "turn on network discover

spooler can always queue print jobs when not connected to the print server. Upon reconnecting to the server, the client will submit any p

on the IP address and subnet mask of the user's computer.


ration\Administrative Templates\Control Panel\Printers. Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder

n controllers.

rise, and all versions of Windows Server 2008 R2 and later) to have the same behavior.
ng is only checked once during the lifetime of a process. After changing the policy, a running application must be relaunched before setting
in the event log. Note: This setting does not affect the logging of pruning events; the actual pruning of a printer is always logged.
package point and print will not be restricted to specific print servers.
ed command prompt when users create a printer connection to any server using Point and Print. -Windows Vista computers will show
ximity is estimated using the standard method (that is, based on IP address and subnet mask).

ptions from the "Prune non-republishing printers" box: -- "Never" specifies that printer objects that are not automatically republish

u disable this setting or do not configure it, the Start screen layout won't be changed and users will be able to customize it.

when you shut down the computer. If you do not configure this policy setting, the default behavior for the Shutdown Event Tracker occurs.

er Configuration.

stem. For example, %programfiles% is not defined on some early versions of Windows. The "Shortcut" command is used to add a link t

ed in this policy setting, the files will be downloaded from Windows Update, if that is allowed by the policy settings for the computer.

nts the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying th
es.fabrikam.com machine TERMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/*.humanresources.fabrikam.com R
s permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on
dcard character is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Sessio
a single wildcard character is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Des
policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentia
m.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com This policy setting can be used in combinati
brikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com This policy setting can be used in com
manresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com This policy setting ca

e desktop client to the remote desktop server. If you disable or do not configure this policy setting, and no other policy setting describes th
t to the remote desktop server. If you disable or do not configure this policy setting, and no other policy setting describes the device, the "P

anagement without specifying a setting, in My Computer, right-click the name of an NTFS volume, click Properties, click the Quota tab, an
gs that enable or disable quota enforcement on their volumes. Note: To specify a disk quota limit, use the "Default quota limit and warning
e Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their limit, because the
file system volume, click Properties, and then click the Quota tab.
users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. Whe

If you add an appid to this list and set its value to 0 DCOM will always enforce the Activation security check for that DCOM server regardle

tting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determ
at the user logs on to. Note: If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuratio

from the trusted forest. If you disable this policy setting, the behavior is the same as if it is not configured.
th a Japanese system, the Group Policy Object Editor snap-in uses the local Japanese ADM files, and you see the text in Japanese under Ad
be processed synchronously even if this policy setting is enabled: 1 - At the first computer startup after the client computer has joined the
n use. When background updates are disabled, preference item changes do not take effect until the next user logon or system restart. 3. Th
r is in use. When background updates are disabled, preference item changes do not take effect until the next user logon or system restart
ackground updates are disabled, preference item changes do not take effect until the next user logon or system restart. 3. The "Process ev
essing across a slow link (slow network connection). If you enable this policy, when Group Policy cannot determine the bandwidth speed
use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The "Process ev
use. When background updates are disabled, preference item changes do not take effect until the next user logon or system restart. 3. Th
ates are disabled, policy changes will not take effect until the next user logon or system restart. The "Process even if the Group Policy objec
hile the computer is in use. When background updates are disabled, preference item changes do not take effect until the next user logon
d updates are disabled, preference item changes do not take effect until the next user logon or system restart. 3. The "Process even if the G
ed preference items in the background while the computer is in use. When background updates are disabled, preference item changes do
Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy imp
ackground updates are disabled, preference item changes do not take effect until the next user logon or system restart. 3. The "Process eve
wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. The timeou
per second. This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defi
background updates are disabled, preference item changes do not take effect until the next user logon or system restart. 3. The "Process e
e background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user
use. When background updates are disabled, preference item changes do not take effect until the next user logon or system restart. 3. The
nd while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or sy
in the background while the computer is in use. When background updates are disabled, preference item changes do not take effect unti

reference items in the background while the computer is in use. When background updates are disabled, preference item changes do not
computer is in use. When background updates are disabled, preference item changes do not take effect until the next user logon or system
e items in the background while the computer is in use. When background updates are disabled, preference item changes do not take effe
affected preference items in the background while the computer is in use. When background updates are disabled, preference item chang
he computer is in use. When background updates are disabled, preference item changes do not take effect until the next user logon or sys
ated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a use
n background updates are disabled, preference item changes do not take effect until the next user logon or system restart. 3. The "Process
rence items in the background while the computer is in use. When background updates are disabled, preference item changes do not take
ill not take effect until the next user logon or system restart. The "Process even if the Group Policy objects have not changed" option upda
ns specify that they be updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired
background updates are disabled, preference item changes do not take effect until the next user logon or system restart. 3. The "Process e
hen background updates are disabled, preference item changes do not take effect until the next user logon or system restart. 3. The "Proc
he "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not chan
use. When background updates are disabled, preference item changes do not take effect until the next user logon or system restart. 3. Th
ed. If the settings conflict, the user settings in the computer's Group Policy Objects take precedence over the user's normal settings. If you d
are disabled, policy changes will not take effect until the next user logon or system restart. The "Process even if the Group Policy objects ha
updates are disabled, policy changes will not take effect until the next user logon or system restart. The "Process even if the Group Policy o

wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. The timeout v

n use, select the "Turn off background refresh of Group Policy" policy. The Set Group Policy refresh interval for computers policy also lets y
cify how much the actual update interval varies. To prevent domain controllers with the same update interval from requesting updates sim

2. Computer Configuration tracing: This preference extension is available under User Configuration only, so computer configuration tracing
d. 2. Computer Configuration tracing: This preference extension is available under User Configuration only, so computer configuration trac
onfiguration tracing: This preference extension is available under User Configuration only, so computer configuration tracing is not applica
Computer Configuration tracing: This preference extension is available under User Configuration only, so computer configuration tracing is
d. 2. Computer Configuration tracing: This preference extension is available under User Configuration only, so computer configuration traci
on tracing: This preference extension is available under User Configuration only, so computer configuration tracing is not applicable. 3. Gro
reated. 2. Computer Configuration tracing: This preference extension is available under User Configuration only, so computer configuration
nfiguration tracing: This preference extension is available under User Configuration only, so computer configuration tracing is not applicab
onfiguration tracing: This preference extension is available under User Configuration only, so computer configuration tracing is not applica
Configuration tracing: This preference extension is available under User Configuration only, so computer configuration tracing is not applic
n this extension, no user trace file is created. 2. Computer Configuration tracing: This preference extension is available under User Configur
file is created. 2. Computer Configuration tracing: This preference extension is available under User Configuration only, so computer config
is created. 2. Computer Configuration tracing: This preference extension is available under User Configuration only, so computer configura
reated. 2. Computer Configuration tracing: This preference extension is available under User Configuration only, so computer configuration
Configuration tracing: This preference extension is available under User Configuration only, so computer configuration tracing is not applica
file is created. 2. Computer Configuration tracing: This preference extension is available under User Configuration only, so computer config
Configuration tracing: This preference extension is available under User Configuration only, so computer configuration tracing is not applic
e is created. 2. Computer Configuration tracing: This preference extension is available under User Configuration only, so computer configur
Configuration tracing: This preference extension is available under User Configuration only, so computer configuration tracing is not applic
uter Configuration tracing: This preference extension is available under User Configuration only, so computer configuration tracing is not a
omputer Configuration tracing: This preference extension is available under User Configuration only, so computer configuration tracing is
rs" settings in "Administrative Templates/Windows Components/Event Viewer".

to be effective, the Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must be
about previous logons, and enabling this policy setting does not affect anything.

f you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry
le this policy setting, the interoperable Kerberos V5 realm settings defined by Group Policy are deleted. If you do not configure this policy s

he EKU extensions which can be issued to any server.

2,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is n
parameters. If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy servers settings defined by G
not configure this policy setting, Automatic will be used.

hine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based o
per-user basis, make sure that the per-computer policy is set to Not Configured.

enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-use
domain-joined devices that support connected standby.

directory, or user object logon script, may take up to two logons to be detected. If a user with a roaming profile, home directory, or user ob

oint to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this

tting. Also, see the "Do not process the run once list" policy setting.

ograms specified in the User Configuration setting. Also, see the "Do not process the legacy run list" and the "Do not process the run on
Note: The first sign-in animation will not be shown on Server, so this policy will have no effect.

Logon will not allow the negotiation and use of older cryptography algorithms.

he files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When

sting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is en

produce excessive network traffic.

If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
processes incoming mailslot messages. This is the default behavior of DC Locator.
allback mechanism when DNS-based discovery fails. This is the default behavior. If you disable this policy setting, the DC location algorithm
d if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries. If yo
s will ONLY return IPv4 DC address if any. So if the domain controller supports both IPv4 and IPv6 addresses, DC Locator APIs will return IP

not applied to any DCs, and DCs use their local configuration.
_kerberos._tcp.dc._msdcs.<DnsDomainName>
KdcAtSite SRV _kerberos._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
Dc

hese zones. Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in t
nd then enter the site names in a space-delimited format. If you do not configure this policy setting, it is not applied to any DCs, and DCs u

pplied to any GCs, and GCs use their local configuration.


uter. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honore

r is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single
olution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest t
original state or from a user-created system image by restarting the computer and accessing the System Recovery Options menu, if it is av

w." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of t
computer." The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by us

erver Endpoint Mapper Service. Note: This policy will not be applied until the system is rebooted.
d connect to servers using constrained delegation. If you enable this policy setting, then: -- "Off" directs the RPC Runtime to generate RPC_
ects RPC to maintain basic state information only if the computer has at least 128 MB of memory and is running Windows 2000 Server, W
information, but lets you disable it for selected processes. To disable extended error information for a process while this policy setting is in
this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine
meout on the IIS server running the RPC HTTP proxy will be used.If you do not configure this policy setting, it will remain disabled. The idle
and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for DesktopSales: Within GPO B: B.cmd
C run in the following order for Tamara: Within GPO B: B.cmd, B.ps1. Within GPO C: C.cmd, C.ps1. Note: This policy setting determines the or
esktop. An excessively long interval can delay the system and inconvenience users. However, if the interval is too short, prerequisite tasks
fault refresh interval for Server Manager is two minutes in Windows Server 2008 and Windows Server 2008 R2, or 10 minutes in Windows

when it is enabled or disabled. Scenario-specific policy settings only take effect if this policy setting is not configured. No reboots or service

must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console

hooting only state. If you disable this setting, the recovery behavior for corrupted files will be disabled. No troubleshooting or resolution w
component is installed and the Remote Desktop Services role is not installed.
ately. This policy setting takes effect only when the DPS is in the running state. When the service is stopped or disabled, diagnostic scenari
policy setting to take effect: changes take effect immediately.

tools. No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. This policy setting w

s client), Silent (default on Windows server), or Troubleshooting Only. If you disable this policy setting, the troubleshooting and recovery
: changes take effect immediately. This policy setting will only take effect when the Task Scheduler service is in the running state. When th

stics-wide scenario execution policy is not configured. No system restart or service restart is required for this policy to take effect: changes

es effect only if the diagnostics-wide scenario execution policy is not configured. No system restart or service restart is required for this po
kes effect only if the diagnostics-wide scenario execution policy is not configured. No system restart or service restart is required for this po
on by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. No system restart or s
es effect only if the diagnostics-wide scenario execution policy is not configured. No system restart or service restart is required for this pol
user delegation blob in the local registry. This setting allows use of the TPM without requiring remote or external storage of the TPM own
st of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm inte
local lists of blocked TPM commands.

quires authorization. This value is the maximum number of authorization failures each standard user may have before the user is not allow
. The Standard User Lockout Threshold Individual value is the maximum number of authorization failures each standard user may have be
he TPM that requires authorization. The Standard User Individual Lockout value is the maximum number of authorization failures each sta
for more information about setting up Active Directory Domain Services for TPM. Note: The TPM cannot be used to provide enhanced secu
ote: The policy setting must be configured on the client computer, not the server, for it to have any effect, because the client computer se
ses or for computers accessing profiles across dial-up connections. Important: If the "Do not detect slow network connections" policy settin
re. To respond to a slow link, the system requires a local copy of the user's roaming profile.

n this folder to determine how to proceed. By default, when the connection is slow, the system loads the local copy of the user profile.
g Windows will not check the permissions for the folder in the case where the folder exists. If you disable or do not configure this policy setti

puter that the user logs on to.


ws waits 30 seconds for user input before applying the default user profile.
able or do not configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and G
this policy setting or do not configure it, the system repeats its attempt 60 times. If you set the number of retries to 0, the system tries just
able both the "Prevent Roaming Profile changes from propagating to the server" setting and the "Only allow local user profiles" setting, ro

ait for remote user profile" policy setting, the system downloads the remote copy of the user profile without consulting the user. In Micros

indows reads profile configuration in the following order and uses the first configured policy setting it reads.1. Terminal Services roaming p
re is a random one hour delay attached per-trigger to avoid overloading the server with simultaneous uploads. For example, if the settings
omputer” and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive

siness apps that depend on the domain information protected by this setting to connect with network resources. If you do not configure o
n users move between computers frequently and the local copy of their profile is not always current. Using the local copy is desirable when

ny potentially accurate time samples the client computer must receive in a series before subsequent time samples are evaluated as potenti
, and 2. Setting this value to 0 (None) indicates that the time client should not attempt to synchronize time outside its site. Setting this valu
this computer. If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value HKLM\System\Curr

installers and these applications may fail to install or run properly. This option is useful to server administrators who require faster perform

DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Servic

olicy setting, Windows Vista or later will prompt the user whether autorun command is to be run.
er Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes preceden

encryption method of AES 128-bit or the encryption method specified by the setup script.

xample, not allowing the 48-digit recovery password will prevent users from being able to print or save recovery information to a folder. If

configured for the identification field. The allowed identification field is used in combination with the "Deny write access to removable dri
t contains a BitLocker-protected drive's encryption key. This key package is secured by one or more recovery passwords and may help per
identifier is used.
drive has the same identification field as specified in the "Provide unique identifiers for your organization" policy setting, the user will be p
en they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLoc
based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available BitLocker software-based e
he password, select "Require complexity". When set to "Require complexity" a connection to a domain controller is necessary when BitLoc

ficate" on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the c
cording to the Secure Boot policy setting, which is configured separately from BitLocker. Note: If the group policy setting "Configure TPM p
nt users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which rec

p script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default pla
perating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption k
cker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release
dware-based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available BitLocker software-b
omplexity" a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity of the password. When set

ptions include:
- Configure TPM startup PIN: Required/Allowed
- Configure TPM startup key and PIN: Required/Allowed
- Configure use of pa

mputer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted d
display the page to allow the user to configure advanced startup options for BitLocker. You can further configure setting options for comp

field specified, or if the drive has the same identification field as specified in the "Provide unique identifiers for your organization" policy se
options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you tur
ware-based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available BitLocker software-ba
ire complexity". When set to "Require complexity" a connection to a domain controller is necessary when BitLocker is enabled to validate

under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" poli
unknown software
• Turn off SmartScreen
way by disabling or not configuring this policy setting. Note: You should only enable this policy setting when the license server is a member
enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session

ally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to
e authenticated. If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Conne

ne when a user is prompted to provide credentials for a remote connection to an RD Session Host server. For Windows Server 2003 and W
behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting.If the list contains a string that is not

setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session H

eck the session state.


ion of Windows and the mode of Remote Desktop Services running on the server. If the status is set to Disabled or Not Configured, limits t

disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network q

r Windows XP Professional. If you enable this policy setting, audio and video playback redirection is allowed. If you disable this policy settin
at the Group Policy level.

t computer. For example, if the audio playback quality configured on the client computer is higher than the audio playback quality configu

iver.
"Default to PS if one is not found" - If no suitable printer driver can be found, default to the PostScript (PS) fallback printer driver.
"Sho
Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. Note: If the "Do not allo
not configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive. Note: This p
etwork share does not exist, Remote Desktop Services displays an error message on the RD Session Host server and will store the user pro
me Dir Root Path, Remote Desktop Services places user home directories in the network location. If the status is set to Enabled, Remote Des

abled and configured by using Group Policy. 2. For Windows Server 2008, this policy setting is supported on at least Windows Server 200
not effective unless the Join RD Connection Broker policy setting is enabled. 3. To be an active member of an RD Session Host server far
rver to RD Connection Broker. If the policy setting is not configured, the policy setting is not specified at the Group Policy level. Notes: 1.
ession on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the
provider. Note: If you enable this policy setting, you must also enable the Join RD Connection Broker, the Configure RD Connection Broker f
ro features. Note: Additional configuration might be necessary on the remote computer to make Windows Aero features available for rem
connection" policy setting is ignored.
you are using a hardware device that is designed to optimize network traffic. Even if you choose not to use an RDP compression algorithm
ption. We recommend that you set this for very specific cases only. If you disable or do not configure this policy setting, RemoteFX Adapti

oothing is allowed for remote connections.

s policy setting is not applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers runnin
ows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions" policy setting.

h its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD S

Host is enabled and RemoteFX for RD Session Host is disabled.

ons that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (

Session Host server is not authenticated.
* SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host se
er. If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Wind
e is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current nam
rver at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not suppo
Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. Note: This policy setting only applie
nfigure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote D
puter Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Tim
this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services disconnected sessions are maintained f
e disconnected from the RD Session Host server but it is not logged off. Note: This policy setting appears in both Computer Configuration a
tting, this policy setting has no effect.
mporary folders are created unless the server administrator specifies otherwise.

the All Locations list in the Desktop Search results.


Policy editor, you must add at least one entry in the allow list, even if you want to enable this policy without an allow list. Create a list ent

enter is turned off for domain members.
Windows XP SP2
----------------------
In Windows XP SP2, the essential security settings that are moni

you enable or do not configure this policy setting, filtering will take place. If you disable this policy setting, no filtering will take place.
l Options in Windows 7 and Windows Vista.
g tab in Input Panel Options. Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and

dwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. If you do not confi
“Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel.

ut Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tap
If you enable this policy and choose “None,” users will be able to use both the tolerant scratch-out gestures and the Z-shaped scr

ecedence over the setting in User Configuration.

setting in Computer Configuration takes precedence over the setting in User Configuration.
where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful. Adv
following settings in the policy setting: - "Do not display links to any Microsoft ‘More information’ websites": Select this option if y

orting policy setting.

ts can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders deter
orting policy setting is disabled or not configured. For related information, see the Configure Error Reporting and Report Operating System
nerated by applications on this list are always reported, even if the Default dropdown in the Default application reporting policy setting is

r policy setting, and in the exclusion list in this policy setting, the application is excluded from error reporting. You can also use the exclusio

nd all data: any error reporting data requested by Microsoft is sent automatically. If this policy setting is disabled or not configured, then t
ata required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain p

rcumvent errors in an installation program that prevents software from being installed.

s. Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent acce
he maximum size.

r-machine context."
on and User Configuration folders. If the policy setting is enabled in either folder, it is considered to be enabled, even if it is explicitly disabled
taller will use Restart Manager to detect files in use and mitigate a system restart, when possible.
Network Locations, to search for installation files. Also, see the "Enable user to browse for source while elevated" policy setting.
ws Vista, when a user reinstalls, removes, or repairs an installation, the transform file is available, even if the user is on a different comput

Windows Installer is disabled. This policy setting affects Windows Installer only. It does not prevent users from using other methods to insta

e this policy setting if the domain is not at the Windows Server 2008 domain functional level. If you disable or do not configure this setting

k Show, and then type the module names in the list. The modules and snap-ins in the list must be installed on the computer. Note: Thi

addresses on the computer and uses only addresses that fall within one of the filter ranges. You should use an asterisk (*) to indicate that t

g attacks).
and do not need elevated permissions to do either of these update-related tasks. On Vista: If you enable this policy setting, users will not s

otified that they are ready to install. After going to Windows Update, users can install them. 4 = Automatically download updates and

this policy will not have any effect on Windows RT PCs.

ates before deploying them. If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user pre

ons and updates. If you disable or do not configure this policy setting, Windows 7 users will not be offered detailed notification messages fo
figure this setting in Control Panel. If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setti

gs to have any effect. If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS wil

gin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. Consid

ws you to specify a bitmask, in which the bits describe cost states allowed or disallowed for this priority: (bits described here) 0x1 - Th

ain Group Policy setting, and then configure local computer policy to enable BranchCache latency settings on individual client computers.
s selection, this policy setting is not applied to client computers, and the clients run the version of BranchCache that is included with their
plied, in addition to the "Set BranchCache Hosted Cache mode" policy setting, use the hosted cache servers that are specified in this policy
erform automatic hosted cache server discovery under the following circumstances: If no other BranchCache mode-based policy settings a
nt computer cache age setting is enabled for all client computers where the policy is applied. For example, if this policy setting is enabled i
ndividual client computers where you want to enable BranchCache.
- Enabled. With this selection, BranchCache distributed cache mode is
omputers. Because the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on individual c
mputers.
- Enabled. With this selection, the BranchCache client computer cache setting is enabled for all client computers where the policy
nabled. With this selection, BranchCache is turned on for all client computers where the policy is applied. For example, if this policy is enab
erver.corp.contoso.com." second if the first query fails. If you enable this policy setting, suffixes are allowed to be appended to an unqualifi
ffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting

e following names to a single-label name when it sends DNS queries: The primary DNS suffix, as specified on the Computer Name tab of th
selected, the DNS client appends the following names to a single-label name when it sends DNS queries: The primary DNS suffix, as specifi
r.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled. Important: This policy setting is ignored on a DNS clie

1800 seconds is 30 minutes. If you enable this policy setting, registration refresh interval that you specify will be applied to all network con
in conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer.

anchCache is enabled in domain Group Policy, hash publication is turned on for all domain member file servers to which the policy is appli
Disabled. With this selection, both V1 and V2 hash generation and retrieval are supported. In circumstances where this setting is enabled, y

er to peer applications at home. 3. In order to use a corporate seed server and the global seed server, enable the setting; insert the fully qu
abled (which it is by default) for this policy to have effect.

abled (which it is by default) for this policy to have effect.

enabled (which it is by default) for this policy to have effect.

s not enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled. N
d Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) By default, ICS is disabled when

cy setting, Windows Firewall behaves as if you had disabled it. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbo
ers unless an administrator uses other policy settings to open the required ports. In the Windows Firewall component of Control Panel, th
onfigure this policy setting, Windows Firewall does not open TCP port 135 or 445. Also, on Windows XP Professional with at least SP2 and
cy settings to open the port. In the Windows Firewall component of Control Panel, the "Remote Desktop" check box is cleared. Administra
erefore, the computer cannot receive Plug and Play messages unless an administrator uses other policy settings to open the required port

g file intact. If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled.
list defined by Group Policy is deleted, but other policy settings can continue to open or block ports. Also, if a local port exceptions list exi
ne with different parameters. To allow administrators to add programs to the local program exceptions list that is defined by the Window
ing connections" check box is cleared by default, but administrators can change it.

cy setting, Windows Firewall behaves as if you had disabled it. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbo
ers unless an administrator uses other policy settings to open the required ports. In the Windows Firewall component of Control Panel, th
onfigure this policy setting, Windows Firewall does not open TCP port 135 or 445. Also, on Windows XP Professional with at least SP2 and
cy settings to open the port. In the Windows Firewall component of Control Panel, the "Remote Desktop" check box is cleared. Administra
erefore, the computer cannot receive Plug and Play messages unless an administrator uses other policy settings to open the required port

g file intact. If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled.
list defined by Group Policy is deleted, but other policy settings can continue to open or block ports. Also, if a local port exceptions list exi
ne with different parameters. To allow administrators to add programs to the local program exceptions list that is defined by the Window
ing connections" check box is cleared by default, but administrators can change it.

ishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an

f you disable or do not configure this policy setting, Windows performs a background sync of offline folders in the slow-link mode at a defa

ify a Latency or Throughput value, computers running Windows Vista or Windows Server 2008 will not use the slow-link mode. If you do n
Tools menu, click Folder Options, click the Offline Files tab, and then use the slider bar associated with the "Amount of disk space to use fo
olicy setting, transparent caching is enabled and configurable. If you disable or do not configure this policy setting, remote files will be not
erface. The current cache state is retained, and if the cache is only partially encrypted, the operation completes so that it is fully encrypted
takes precedence over the setting in User Configuration.

e total space on the drive where the Offline Files cache is located. The limit for automatically cached files is 100 percent of the total disk sp
Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click Advanced. This setting corresponds to the settin

mmand is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, W

be available for offline use.

lect the "Synchronize all offline files before logging off" option.
Configuration takes precedence over the setting in User Configuration. Tip: To change the synchronization method without setting a settin

ablishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting correspo

y the local admin group full control. Note: It is good practice to use a cryptic community name. Note: This policy setting has no effect if the
Also, see the other two SNMP policy settings: "Specify trap configuration" and "Specify Community Name".
6_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521 TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS

bled State: 6to4 is turned off and connectivity with 6to4 will not be available.

ss auto-configuration. If the ISATAP name is not resolved successfully, the host will have an ISATAP interface configured with a link-local ad

rk, network traffic is routed through the faster Ethernet connection, and the Wi-Fi traffic diminishes. Windows detects this circumstance a
a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an addition

lick "turn on network discovery", and then click "Save changes". If you would like to not display printers of a certain type, enable this

er, the client will submit any pending print jobs.Note: Some printer drivers require a custom print processor. In some cases the custom pri

hell" and "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" settings in User Configuratio

t be relaunched before settings take effect.


a printer is always logged. Note: This setting is used only on domain controllers.
dows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be upda

re not automatically republished are never pruned. "Never" is the default. -- "Only if Print Server is found" prunes printer objects th

o customize it.

utdown Event Tracker occurs. Note: By default, the Shutdown Event Tracker is only displayed on computers running Windows Server.

ommand is used to add a link to a Help topic, and runs executables that are external to the Help file. The "WinHelp" command is used to a

ettings for the computer.

s permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on
manresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
sktop Session Host running on host.humanresources.fabrikam.com machine TERMSRV/* Remote Desktop Session Host running on all mac
m.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine TERMSRV/* Remote Desktop Session Host r
ces.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine TERMSRV/* Remote Desktop Ses
er to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example
etting can be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers tha
licy setting can be used in combination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers
kam.com This policy setting can be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions fo

ther policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determin
ng describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the

erties, click the Quota tab, and then click "Enable quota management."
efault quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit.
ached their limit, because their status in the Quota Entries window changes. Note: To find the logging option, in My Computer, right-click t

ta limit and warning level. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual vo

or that DCOM server regardless of local settings. If you disable this policy setting, the appid exemption list defined by Group Policy is delete

initialization of drivers determined to be Bad is skipped. If your malware detection application does not include an Early Launch Antimalwa
on, the Computer Configuration policy setting takes precedence.

the text in Japanese under Administrative Templates. If you disable or do not configure this setting, the Group Policy Object Editor snap-in
lient computer has joined the domain. 2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled. If yo
er logon or system restart. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference
t user logon or system restart. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the prefer
tem restart. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items even if
termine the bandwidth speed across Direct Access, Group Policy will evaluate the network connection as a fast link and process all client s
system restart. The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the polic
r logon or system restart. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference
even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many
ffect until the next user logon or system restart. 3. The "Process even if the Group Policy objects have not changed" option updates and rea
rt. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items even if the prefe
d, preference item changes do not take effect until the next user logon or system restart. 3. The "Process even if the Group Policy objects h
not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchan
em restart. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items even if t
liseconds. The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from t
n Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a
ystem restart. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items even
take effect until the next user logon or system restart. The "Process even if the Group Policy objects have not changed" option updates and
logon or system restart. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference it
until the next user logon or system restart. The "Process even if the Group Policy objects have not changed" option updates and reapplies
hanges do not take effect until the next user logon or system restart. 3. The "Process even if the Group Policy objects have not changed" o

eference item changes do not take effect until the next user logon or system restart. 3. The "Process even if the Group Policy objects have n
l the next user logon or system restart. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplies th
item changes do not take effect until the next user logon or system restart. 3. The "Process even if the Group Policy objects have not chang
sabled, preference item changes do not take effect until the next user logon or system restart. 3. The "Process even if the Group Policy obj
until the next user logon or system restart. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplie
red policy setting in case a user has changed it.
system restart. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items eve
ence item changes do not take effect until the next user logon or system restart. 3. The "Process even if the Group Policy objects have not c
ave not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify th
s, such as reapplying a desired policy setting in case a user has changed it.
ystem restart. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items even
or system restart. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items e
en if the policies have not changed. Many policy setting implementations specify that they are updated only when changed. However, you
r logon or system restart. 3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference
user's normal settings. If you disable this setting or do not configure it, the user's Group Policy Objects determines which user settings app
n if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many polic
cess even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. M

illiseconds. The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the

or computers policy also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from
al from requesting updates simultaneously, the system varies the update interval for each controller by a random number of minutes. The

omputer configuration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference ext
o computer configuration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference
figuration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when
mputer configuration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference exten
o computer configuration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference e
tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when you perfo
nly, so computer configuration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this prefere
guration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when y
guration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when y
nfiguration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when
available under User Configuration only, so computer configuration tracing is not applicable. 3. Group Policy Modeling query tracing: To pe
ation only, so computer configuration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this
n only, so computer configuration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this pre
nly, so computer configuration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this prefere
figuration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when
ation only, so computer configuration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this
figuration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when
on only, so computer configuration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this pr
nfiguration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when
r configuration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension w
mputer configuration tracing is not applicable. 3. Group Policy Modeling query tracing: To perform tracing for items in this preference exten
d Kerberos armoring" must be enabled on supported systems. If the Kerberos policy setting is not enabled, Kerberos authentication messa

re defined in the local registry, if they exist.


u do not configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if

ntication context tokens, it is not advised to set this value more than 48,000 bytes.
y servers settings defined by Group Policy.
vel, restrictions will be based on per-user policy settings. To set this policy setting on a per-user basis, make sure that you do not configure

he computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per

file, home directory, or user object logon script logs on to a computer, computers always wait for the network to be initialized before loggi

a setting, clear the "Show this screen at startup" check box on the welcome screen.

e "Do not process the run once list" settings.

on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Netlogon share with only

domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission w

onfiguration.

tting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails.
domain controller entries. If you enable this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically accordin
, DC Locator APIs will return IPv4 address. But if the domain controller supports only IPv6 address, then DC Locator APIs will fail. If you do n

dcs.<DnsDomainName> Dc SRV _ldap._tcp.dc._msdcs.<DnsDomainName> DcAtSite SRV _ldap._tcp.<SiteName>._sites.dc._m

the DNS zones may result in the undesired deletion of DNS resource records. To specify the Refresh Interval of the DC records, click Enabl
applied to any DCs, and DCs use their local configuration.

Closest Site behavior is honored. If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for

tion is performed on the single-label name only, in the event that DNS resolution fails. If you disable this policy setting, when the AllowSing
n the Active Directory forest to which this computer is joined. If you do not configure this policy setting, it is not applied to any computers,
overy Options menu, if it is available.

When you enter the name of the helper user or user groups, use the following format: <Domain Name>\<User Name> or <Domain Name>\
stance invitation created by using email or file transfer can remain open. The "Select the method for sending email invitations" setting spec

RPC Runtime to generate RPC_S_SEC_PKG_ERROR if the client asks for delegation, but the created security context does not support deleg
ning Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server. -- "Server" directs RPC to maintain basi
ss while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Inform
C servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server
will remain disabled. The idle connection timeout on the IIS server running the RPC HTTP proxy will be used. If you enable this policy settin
topSales: Within GPO B: B.cmd, B.ps1 Within GPO C: C.cmd, C.ps1 Note: This policy setting determines the order in which computer startup
olicy setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setti
s too short, prerequisite tasks might not be done, and the system can appear to be ready prematurely. If you disable or do not configure th
R2, or 10 minutes in Windows Server 2012.

nfigured. No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately.

Microsoft Management Console.

oubleshooting or resolution will be attempted. If you do not configure this setting, the recovery behavior for corrupted files will be set to t

or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Con

mediately. This policy setting will take effect only when MSDT is enabled. This policy setting will only take effect when the Diagnostic Policy

roubleshooting and recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted. If you do no
in the running state. When the service is stopped or disabled, scheduled diagnostics will not be executed. The Task Scheduler service can

policy to take effect: changes take effect immediately. This policy setting will only take effect when the Diagnostic Policy Service is in the r

restart is required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Diagnos
e restart is required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Diagnos
figured. No system restart or service restart is required for this policy to take effect: changes take effect immediately. This policy setting wil
restart is required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Diagnosti
ernal storage of the TPM owner authorization value. This setting is appropriate for scenarios which do not depend on preventing reset of
ng against the Win32_Tpm interface. See related policy settings to enforce or ignore the default and local lists of blocked TPM commands.

ave before the user is not allowed to send commands requiring authorization to the TPM. The Standard User Lockout Total Threshold valu
ch standard user may have before the user is not allowed to send commands requiring authorization to the TPM. The Standard User Lock
authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM.
used to provide enhanced security features for BitLocker Drive Encryption and other applications without first setting an owner. To take ow
ecause the client computer sets the file share permissions for the roaming profile at creation time. Note: In the default case, administrator
work connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setti

cal copy of the user profile.


do not configure this policy setting AND the roaming profile folder exists AND the user or administrators group are not the owner of the fo

g the Windows Installer and Group Policy software installation data when those profiles are deleted. Note: If this policy setting is enabled f
tries to 0, the system tries just once to unload and update the user's registry settings. It does not try again. Note: This policy setting is parti
local user profiles" setting, roaming profiles are disabled. Note: This setting only affects roaming profile users.

consulting the user. In Microsoft Windows Vista, the system will ignore the user choice made on the logon screen. Note: This policy settin

1. Terminal Services roaming profile path specified by Terminal Services policy 2. Terminal Services roaming profile path specified by the us
ds. For example, if the settings dictate that the user's registry file is to be uploaded at 6pm, it will actually upload at a random time betwee
pping the file share to a drive letter. If you disable or do not configure this policy setting, the user's home folder is configured as specified in

urces. If you do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this o
he local copy is desirable when quick logging on is a priority. Important: If the "Do not detect slow network connections" policy setting is en

mples are evaluated as potential spikes. After a period of not receiving any usable time samples, a time client ceases to evaluate time sam
outside its site. Setting this value to 1 (PdcOnly) indicates that only the computers that function as primary domain controller (PDC) emulat
ORD value HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault. If that value is non-0, this prevents all 16-bit applicati

ors who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a we

configured by using the Services snap-in to the Microsoft Management Console.

Configuration takes precedence over the policy setting in User Configuration.

very information to a folder. If you disable or do not configure this policy setting, the BitLocker setup wizard will present users with ways to

write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organizatio
y passwords and may help perform specialized recovery when the disk is damaged or corrupted. If you select the option to "Require BitLoc

olicy setting, the user will be prompted to update BitLocker and BitLocker To Go Reader will be deleted from the drive. In this situation, for
o use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. In "Save BitLocker
le BitLocker software-based encryption will be used instead. Note: The "Choose drive encryption method and cipher strength" policy
oller is necessary when BitLocker is enabled to validate the complexity the password. When set to "Allow complexity" a connection to a do

method uses the TPM on the computer, so computers that do not have a TPM cannot create Network Key Protectors to automatically unlo
olicy setting "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and has PCR 7 omitted, Bitlock
ot be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determ

g from 0 to 23, The default platform validation profile secures the encryption key against changes to the Core Root of Trust of Measureme
ill not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require tha
ffect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console
available BitLocker software-based encryption will be used instead. Note: The "Choose drive encryption method and cipher strength"
exity the password. When set to "Allow complexity" a connection to a domain controller will be attempted to validate the complexity adh

d/Allowed- Configure use of passwords for operating system drives.

ed protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of
figure setting options for computers with and without a TPM. If you disable or do not configure this policy setting, the BitLocker setup wiza

or your organization" policy setting, the user will be prompted to update BitLocker and BitLocker To Go Reader will be deleted from the dr
ery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. In "Sav
vailable BitLocker software-based encryption will be used instead. Note: The "Choose drive encryption method and cipher strength" p
tLocker is enabled to validate the complexity the password. When set to "Allow complexity" a connection to a domain controller will be att

Disks: Deny write access" policy setting is enabled this policy setting will be ignored.
he license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers g
te RDS CAL for the RD Session Host server is not available. If the client has already been issued a temporary RDS CAL and the temporary RD

er name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. Note: You can define
fied in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server

or Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote con
st contains a string that is not a certificate thumbprint, it is ignored.

ces\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. Y
led or Not Configured, limits to the number of connections are not enforced at the Group Policy level. Note: This setting is designed to be

ng to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network q

f you disable this policy setting, audio and video playback redirection is not allowed, even if audio playback redirection is specified in RDC,

audio playback quality configured on the remote computer, the lower level of audio playback quality will be used. Audio playback quality c

PS) fallback printer driver. "Show both PCL and PS if one is not found" - If no suitable driver can be found, show both PS and PCL-based fallb
ession. Note: If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver firs
on the local drive. Note: This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy settin
ver and will store the user profiles locally on the RD Session Host server. If you disable or do not configure this policy setting, user profiles a
is set to Enabled, Remote Desktop Services creates the user's home directory in the specified location on the local computer or the netwo

n at least Windows Server 2008 Standard.


an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the follow
Group Policy level. Notes: 1. If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and C
alancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address t
figure RD Connection Broker farm name, and the Configure RD Connection Broker server name policy settings.
ero features available for remote desktop sessions. For example, the Desktop Experience feature must be installed on the remote comput

an RDP compression algorithm, some graphics data will still be compressed. If you disable or do not configure this policy setting, the defau
olicy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images.

Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012 R2). The 32-bit color depth format is always used for these co
ected sessions" policy setting.

e of a valid directory, the RD Session Host server connection fails with an error message. If the status is set to Enabled, Remote Desktop Se

ession settings were selected (the default behavior).

nticate the RD Session Host server. If TLS is not supported, the connection fails. If you disable or do not configure this policy setting, the se
indows Server 2012 and Windows 8, Network Level Authentication is enforced by default. Important: Disabling this policy setting provides
that matches the current name of the RD Session Host server will be selected. If you disable or do not configure this policy, the certificate t
clude clients that do not support 128-bit encryption. * Low: The Low setting encrypts only data sent from the client to the server by using 5
This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out
e Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. Note: This policy setting a
sktop Session Host\Session Time Limits\End session when time limits are reached. Note: This policy setting appears in both Computer Confi
cted sessions are maintained for an unlimited amount of time. Note: This policy setting appears in both Computer Configuration and User
oth Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting take
t an allow list. Create a list entry by putting a space in the name field and a space in the value field and then save it. This will create a place

ecurity settings that are monitored by Security Center include firewall, antivirus, and Automatic Updates. Note that Security Center might

filtering will take place.


ext entry areas" policy and the "Prevent Input Panel tab from appearing" policy, and disable the "Show Input Panel taskbar icon

dialog box. If you do not configure this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results w

cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this p
gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. If
e actions were successful. Advanced membership, in addition to basic information, will send more information to Microsoft about maliciou
bsites": Select this option if you do not want error dialog boxes to display links to Microsoft websites. - "Do not collect additional files":

olution check reminders determines the interval time between the display of system notifications that remind the user to check for solutio
and Report Operating System Errors policy settings.
tion reporting policy setting is set to report no application errors. If the Report all errors in Microsoft applications or Report all errors in Win

. You can also use the exclusion list in this policy setting to exclude specific Microsoft applications or parts of Windows if the check boxes f

bled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data.
probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Micr

eges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaran

d, even if it is explicitly disabled in the other folder.


elevated" policy setting.
e user is on a different computer or is not connected to the network.

m using other methods to install and upgrade programs.

r do not configure this setting, messages about the previous logon or logon failures are not displayed.

n the computer. Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor.

n asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are
policy setting, users will not see a User Account Control window and do not need elevated permissions to do either of these tasks. If you d

tically download updates and install them on the schedule specified below. Specify the schedule using the options in the Group Policy

t disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. Note: I

tailed notification messages for optional applications, and Windows Vista users will not be offered detailed notification messages for optio
nnot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is

e will be disabled, and BITS will download files directly from the origin server.

for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client comp

s described here) 0x1 - The cost is unknown or the connection is unlimited and is considered to be unrestricted of usage charges and

n individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the latency setting that you
che that is included with their operating system. In circumstances where this setting is enabled, you can also select and configure the follow
that are specified in this policy setting and do not use the hosted cache server that is configured in the policy setting "Set BranchCache Ho
mode-based policy settings are applied, the client computer performs automatic hosted cache server discovery. If one or more hosted ca
this policy setting is enabled in domain Group Policy, the BranchCache client computer cache age that you specify in the policy is turned o
che distributed cache mode is enabled for all client computers where the policy is applied. For example, if this policy is enabled in domain
ng that you use on individual client computers where you want to enable BranchCache. - Enabled. With this selection, BranchCache hosted
nt computers where the policy is applied. For example, if Set percentage of disk space used for client computer cache is enabled in domain
r example, if this policy is enabled in domain Group Policy, BranchCache is turned on for all domain member client computers to which the
o be appended to an unqualified multi-label name if the original name query fails. If you disable this policy setting, no suffixes are appende
y appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried. If you d

the Computer Name tab of the System control panel. Each connection-specific DNS suffix, assigned either through DHCP or specified in the
e primary DNS suffix, as specified on the Computer Name tab of the System control panel. Each connection-specific DNS suffix, assigned eit
setting is ignored on a DNS client computer if dynamic DNS registration is disabled. If you disable this policy setting, or if you do not configu

l be applied to all network connections used by computers that receive this policy setting. If you disable this policy setting, or if you do not
ent Viewer.

ers to which the policy is applied. The file servers are then able to create content information for all content that is stored in BranchCache-
where this setting is enabled, you can also select and configure the following option: Hash version supported: - To support V1 content inform

e the setting; insert the fully qualified domain name or IPv6 address of the corporate seed server, leave the checkbox unchecked. This is th

ork Setup Wizard is disabled. Note: If you enable the "Windows Firewall: Protect all network connections" policy setting, the "Prohibit use o
y default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When ru

Windows Firewall allows inbound echo requests, even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them.
omponent of Control Panel, the "File and Printer Sharing" check box is cleared. Administrators can change this check box. Note: If any polic
essional with at least SP2 and Windows Server 2003 with at least SP1, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from recei
eck box is cleared. Administrators can change this check box."
ngs to open the required ports or enable the required programs. In the Windows Firewall component of Control Panel, the "UPnP framew

disabled.
a local port exceptions list exists, it is ignored unless you enable the "Windows Firewall: Allow local port exceptions" policy setting. If you d
hat is defined by the Windows Firewall component in Control Panel, also enable the "Windows Firewall: Allow local program exceptions"

Windows Firewall allows inbound echo requests, even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them.
omponent of Control Panel, the "File and Printer Sharing" check box is cleared. Administrators can change this check box. Note: If any polic
essional with at least SP2 and Windows Server 2003 with at least SP1, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from recei
eck box is cleared. Administrators can change this check box."
ngs to open the required ports or enable the required programs. In the Windows Firewall component of Control Panel, the "UPnP framew

disabled.
a local port exceptions list exists, it is ignored unless you enable the "Windows Firewall: Allow local port exceptions" policy setting. If you d
hat is defined by the Windows Firewall component in Control Panel, also enable the "Windows Firewall: Allow local program exceptions"

k Advanced, and then select an option in the "When a network connection is lost" section. Also, see the "Non-default server disconnect acti

n the slow-link mode at a default interval with the start of the sync varying between 0 and 60 additional minutes. In Windows 7 and Wind

he slow-link mode. If you do not configure this policy setting, computers running Windows Vista or Windows Server 2008 will not transitio
Amount of disk space to use for temporary offline files" option.
tting, remote files will not be transparently cached on client computers.
tes so that it is fully encrypted. The cache does not return to the unencrypted state. The user must be an administrator on the local compu

00 percent of the total disk space limit. However, the users can change these values using the Offline Files control applet. If you enable th
tting corresponds to the settings in the "Exception list" section.

08 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. This policy setting does not prevent files from being automatically

ethod without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select th

Files tab. This setting corresponds to the "Enable reminders" check box.

cy setting has no effect if the SNMP agent is not installed on the client computer. Also, see the other two SNMP settings: "Specify permitte
CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD

configured with a link-local address. Policy Disabled State: No ISATAP interfaces are present on the host.

ws detects this circumstance and responds by disconnecting the Wi-Fi connection. If this policy setting is disabled, multiple simultaneou
nual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual

s of a certain type, enable this policy and set the number of printers to display to 0.

. In some cases the custom print processor may not be installed on the client machine, such as when the print server does not support tra

" settings in User Configuration\Administrative Templates\Windows Components\Windows Explorer, and by the "Enable Active Desktop"
ection driver needs to be updated. -Windows Server 2003 and Windows XP client computers can create a printer connection to any se

und" prunes printer objects that are not automatically republished only when the print server responds, but the printer is unavailable.

running Windows Server.

nHelp" command is used to add a link to a Help topic, and runs a WinHLP32.exe Help (.hlp) file. To disallow the "Shortcut" and "WinH

esktop Session Host running on host.humanresources.fabrikam.com machine TERMSRV/* Remote Desktop Session Host running on all mac
ikam.com
ession Host running on all machines. TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .
emote Desktop Session Host running on all machines. TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running o
RMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Hos
pecifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresou
eptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" serv
exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fresh credentials" ser
setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating sav

ttings" policy setting determines whether the device can be installed.


tting determines whether the device can be installed.

lume as the quota limit.


n, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab.

olumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the g

fined by Group Policy is deleted, and the one defined by local computer administrators is used. If you do not configure this policy setting, t

de an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has
p Policy Object Editor snap-in always loads all ADM files from the actual GPO. Note: If the ADMs that you require are not all available local
up and logon" is enabled. If you disable or do not configure this policy setting, detecting a slow network connection will not affect whethe
s and reapplies the preference items even if the preference items have not changed. Many policy implementations specify that they are u
dates and reapplies the preference items even if the preference items have not changed. Many policy implementations specify that they a
s the preference items even if the preference items have not changed. Many policy implementations specify that they are updated only w
ast link and process all client side extensions. If you disable this setting or do not configure it, Group Policy will evaluate the network conne
s the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. How
and reapplies the preference items even if the preference items have not changed. Many policy implementations specify that they are up
icies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to upd
anged" option updates and reapplies the preference items even if the preference items have not changed. Many policy implementations s
erence items even if the preference items have not changed. Many policy implementations specify that they are updated only when chang
n if the Group Policy objects have not changed" option updates and reapplies the preference items even if the preference items have not c
u might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
the preference items even if the preference items have not changed. Many policy implementations specify that they are updated only wh
will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group
User Configuration defines a slow link for settings in the User Configuration folder. Also, see the "Do not detect slow network connections
es the preference items even if the preference items have not changed. Many policy implementations specify that they are updated only
t changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they
and reapplies the preference items even if the preference items have not changed. Many policy implementations specify that they are upd
option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are update
y objects have not changed" option updates and reapplies the preference items even if the preference items have not changed. Many poli

he Group Policy objects have not changed" option updates and reapplies the preference items even if the preference items have not chan
ption updates and reapplies the preference items even if the preference items have not changed. Many policy implementations specify th
p Policy objects have not changed" option updates and reapplies the preference items even if the preference items have not changed. Man
ss even if the Group Policy objects have not changed" option updates and reapplies the preference items even if the preference items hav
" option updates and reapplies the preference items even if the preference items have not changed. Many policy implementations specify

plies the preference items even if the preference items have not changed. Many policy implementations specify that they are updated onl
Group Policy objects have not changed" option updates and reapplies the preference items even if the preference items have not changed
cy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as re

es the preference items even if the preference items have not changed. Many policy implementations specify that they are updated only
applies the preference items even if the preference items have not changed. Many policy implementations specify that they are updated o
when changed. However, you might want to update unchanged policy settings, such as reapplying a desired policy in case a user has cha
and reapplies the preference items even if the preference items have not changed. Many policy implementations specify that they are up
mines which user settings apply. Note: This setting is effective only when both the computer account and the user account are in at least W
have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update u
e policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to

l wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Po

the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random num
ndom number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you

or items in this preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace" b
g for items in this preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace
s preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace" box to the loca
items in this preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace" box
g for items in this preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace"
nce extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace" box to the location wher
racing for items in this preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning
preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace" box to the locati
s preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace" box to the locati
his preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace" box to the loc
Modeling query tracing: To perform tracing for items in this preference extension when you perform a Group Policy Modeling query, you
rform tracing for items in this preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Pla
m tracing for items in this preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Planni
racing for items in this preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning
is preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace" box to the loca
rform tracing for items in this preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Pla
his preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace" box to the loc
orm tracing for items in this preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Plan
his preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace" box to the loc
in this preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace" box to th
items in this preference extension when you perform a Group Policy Modeling query, you must provide a path in the "Planning trace" box
erberos authentication messages will not use these features. If you configure "Supported", the domain controller supports claims, compo

defined in the local registry, if they exist.


ure that you do not configure the per-machine policy setting.

, restrictions are based on per-user policies.

rk to be initialized before logging the user on. If a user has never logged on to this computer before, computers always wait for the networ

the Netlogon share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availabilit

e with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL sh

iscovery fails.
discovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive ne
ocator APIs will fail. If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavio

_tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName> Rfc1510Kdc SRV _kerberos._tcp.<DnsDomainName> Rfc1510KdcAtSite SRV _k

of the DC records, click Enabled, and then enter a value larger than 1800. This value specifies the Refresh Interval of the DC records in sec

will not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be

cy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will only use NetBIOS nam
not applied to any computers, and computers use their local configuration.
er Name> or <Domain Name>\<Group Name> If you enable this policy setting, you should also enable firewall exceptions to allow Remote A
email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program,

ontext does not support delegation. -- "On" directs the RPC Runtime to accept security contexts that do not support delegation even if de
r" directs RPC to maintain basic state information on the computer, regardless of its capacity. -- "Full" directs RPC to maintain complete RP
gs in the Extended Error Information Exception field. -- "Off with Exceptions" disables extended error information, but lets you enable it fo
communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticate
.If you enable this policy setting, and the IIS server running the RPC HTTP proxy is configured with a lower idle connection timeout, the tim
er in which computer startup and shutdown scripts are run within all applicable GPOs. You can override this policy setting for specific scrip
ou can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: Us
disable or do not configure this setting the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This is the defa

immediately.

corrupted files will be set to the regular recovery behavior. No system or service restarts are required for changes to this policy to take imm

e Microsoft Management Console. Note: For Windows Server systems, this policy setting applies only if the Desktop Experience optional c

ct when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not e

will be attempted. If you do not configure this policy setting, the recovery behavior for corrupted files will be set to the default recovery be
he Task Scheduler service can be configured with the Services snap-in to the Microsoft Management Console.

nostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS ca

take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will no
y take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will n
ediately. This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or d
take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will no
depend on preventing reset of the TPM anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applic
s of blocked TPM commands.

r Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard use
TPM. The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have
ing authorization to the TPM. This value is the maximum total number of authorization failures all standard users may have before all stan
st setting an owner. To take ownership of the TPM with an owner password, run "tpm.msc" and select the action to "Initialize TPM". Note:
he default case, administrators have no file access to the user's profile, but they may still take ownership of this folder to grant themselves
f roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connectio

up are not the owner of the folder, Windows will not copy files to or from the roaming folder. The user will be shown an error message and

this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy softwa
ote: This policy setting is particularly important to servers running Remote Desktop Services. Because Remote Desktop Services edits the u

screen. Note: This policy setting and related policy settings in this folder define the system's response when roaming user profiles are slow

profile path specified by the user object 3. A per-computer roaming profile path specified in this policy 4. A per-user roaming profile path sp
load at a random time between 6pm and 7pm. Note: If "Run at set interval" is selected, the "Time of day" option is disregarded. Likewise,
der is configured as specified in the user's Active Directory Domain Services account. If the "Set Remote Desktop Services User Home Direct

n it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend o
onnections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is e

t ceases to evaluate time samples for spikes as soon as the first potentially accurate time sample is received. When a series of time sample
omain controller (PDC) emulator operations masters in other domains can be used as synchronization partners when the client has to sync
his prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, o

is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the lo

will present users with ways to store recovery options. Note: If Trusted Platform Module (TPM) initialization is needed during the BitLocker

able drives in your organization. It is a comma separated list of identification fields from your organization or other external organizations.
the option to "Require BitLocker backup to AD DS" BitLocker cannot be turned on unless the computer is connected to the domain and th

the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP w
licy setting. In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery information to s
and cipher strength" policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based en
mplexity" a connection to a domain controller will be attempted to validate the complexity adheres to the rules set by the policy, but if no

rotectors to automatically unlock with Network Unlock. If you disable or do not configure this policy setting, BitLocker clients will not be ab
nd has PCR 7 omitted, BitLocker will be prevented from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validatio
ptions for the drive are determined by the policy setting. In "Save BitLocker recovery information to Active Directory Domain Services", cho

e Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Record (M
overy console and require that either the recovery password or recovery key be provided to unlock the drive. If you disable or do not confi
he BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive. If you disabl
method and cipher strength" policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-ba
o validate the complexity adheres to the rules set by the policy, but if no domain controllers are found the password will still be accepted

it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (P
tting, the BitLocker setup wizard will display basic steps that allow users to turn on BitLocker on computers with a TPM. In this basic wizard

der will be deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Server 2008, W
d by the policy setting. In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery info
thod and cipher strength" policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-bas
a domain controller will be attempted to validate the complexity adheres to the rules set by the policy, but if no domain controllers are fo
to the RDS Endpoint Servers group when the license server is a member of a domain.
RDS CAL and the temporary RDS CAL has expired, the client will not be able to connect to the RD Session Host server unless the RD Licensin

blocked. Note: You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure th
to the RD Session Host server when the client cannot authenticate the RD Session Host server.

e credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client com

twork Level Authentication. You can limit the number of users who can connect simultaneously by configuring the policy setting at Compu
This setting is designed to be used on RD Session Host servers (that is, on servers running Windows with Remote Desktop Session Host rol

perience to varying network quality.

edirection is specified in RDC, or video playback is specified in the .rdp file. If you do not configure this policy setting audio and video playb

used. Audio playback quality can be configured on the client computer by using the audioqualitymode setting in a Remote Desktop Protoc

w both PS and PCL-based fallback printer drivers. If you disable this policy setting, the RD Session Host server fallback driver is disabled and
op Easy Print printer driver first" policy setting is ignored.
ng to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled.
is policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Deskt
e local computer or the network. The home directory path for each user is the specified Home Dir Root Path and the user's alias. If the stat

a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Comput
ction Broker farm name and Configure RD Connection Broker server name policy settings. 2. For Windows Server 2008, this policy setting
irectly connect by IP address to RD Session Host servers in the load-balanced farm. If you do not configure this policy setting, the Use IP ad

stalled on the remote computer, and the maximum color depth on the remote computer must be set to 32 bits per pixel. Also, the Theme

e this policy setting, the default RDP compression algorithm will be used.

mat is always used for these connections. 3. For connections from client computers that are using Remote Desktop Protocol 7.1 or earl
Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the prog

gure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Po
ng this policy setting provides less security because user authentication will occur later in the remote connection process.
ure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authen
client to the server by using 56-bit encryption. If you disable or do not configure this setting, the encryption level to be used for remote co
ng does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configu
ched. Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the C
ppears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy s
puter Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes preced
nfiguration policy setting takes precedence.
save it. This will create a placeholder entry that is ignored by the program.

ote that Security Center might not be available following a change to this policy setting until after the computer is restarted for Windows X
Show Input Panel taskbar icon" policy, the user will then have no way to access Input Panel.

cluded in recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text con

dialog box. If you enable this policy and choose "Medium" from the drop-down box, password security is set to "Medium." At th
anel Options dialog box. If you disable this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scra
on to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names,
not collect additional files": Select this option if you do not want additional files to be collected and included in error reports. - "Do not c

d the user to check for solutions to problems. A value of 0 disables the reminder. If you disable or do not configure this policy setting, Wind

tions or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error

Windows if the check boxes for these categories are filled in the Default application reporting settings policy setting. If you disable or do n

ding data.
tional data requested by Microsoft. - 4 (Send all data): Any data requested by Microsoft is sent automatically. If you disable or do not config

his policy setting is not guaranteed to be secure.


tion in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.

d, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses. For example, if you want the
o either of these tasks. If you do not enable this policy setting, then users will always see an Account Control window and require elevated

he options in the Group Policy Setting. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If a

ate site on the Internet. Note: If the "Configure Automatic Updates" policy is disabled, then this policy has no effect. Note: This policy is not

notification messages for optional applications or updates. By default, this policy setting is disabled. If you are not using the Microsoft Upda
handwriting personalization is turned on. If you do not configure this policy, users can choose to enable or disable automatic learning eithe

dwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).

stricted of usage charges and capacity constraints. 0x2 - The usage of this connection is unrestricted up to a certain data limit 0x

te the latency setting that you use on individual client computers. - Enabled. With this selection, the BranchCache maximum round trip late
select and configure the following option: Select from the following versions - Windows Vista with BITS 4.0 installed, Windows 7, or Window
y setting "Set BranchCache Hosted Cache Mode." If you do not configure this policy setting, or if you disable this policy setting, client compu
very. If one or more hosted cache servers is found, the client computer self-configures for hosted cache mode. If the policy setting "Set Bra
pecify in the policy is turned on for all domain member client computers to which the policy is applied. - Disabled. With this selection, Bran
is policy is enabled in domain Group Policy, BranchCache distributed cache mode is turned on for all domain member client computers to
election, BranchCache hosted cache mode is enabled for all client computers where the policy is applied. For example, if this policy is enab
ter cache is enabled in domain Group Policy, the BranchCache client computer cache setting that you specify in the policy is turned on for
client computers to which the policy is applied. - Disabled. With this selection, BranchCache is turned off for all client computers where the
etting, no suffixes are appended to unqualified multi-label name queries if the original name query fails. If you do not configure this policy s
or all suffixes are tried. If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network co

rough DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each conn
pecific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP
etting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connec

policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client comput

that is stored in BranchCache-enabled file shares. - Disabled. With this selection, hash publication is turned off for all file servers where Gro
- To support V1 content information only, configure "Hash version supported" with the value of 1. - To support V2 content information only

heckbox unchecked. This is the setting which will allow your mobile users to use peer to peer applications at both work and home seamles

licy setting, the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting has no effect on computers that
nced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS. Note:

licy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow file and printer sharing exceptio
is check box. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo requests (the message sent by th
EXE and LSASS.EXE from receiving unsolicited incoming messages, and prevents hosted services from opening additional dynamically-assig

ntrol Panel, the "UPnP framework" check box is cleared. Administrators can change this check box."

eptions" policy setting. If you do not configure this policy setting, Windows Firewall uses only the local port exceptions list that administrat
ow local program exceptions" policy setting. If you disable this policy setting, the program exceptions list defined by Group Policy is deleted

licy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow file and printer sharing exceptio
is check box. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo requests (the message sent by th
EXE and LSASS.EXE from receiving unsolicited incoming messages, and prevents hosted services from opening additional dynamically-assig

ntrol Panel, the "UPnP framework" check box is cleared. Administrators can change this check box."

eptions" policy setting. If you do not configure this policy setting, Windows Firewall uses only the local port exceptions list that administrat
ow local program exceptions" policy setting. If you disable this policy setting, the program exceptions list defined by Group Policy is deleted

-default server disconnect actions" setting.

utes. In Windows 7 and Windows Server 2008 R2, the default sync interval is 360 minutes. In Windows 8 and Windows Server 2012, the d

Server 2008 will not transition a shared folder to the slow-link mode. Computers running Windows 7 or Windows Server 2008 R2 will use
ministrator on the local computer to encrypt or decrypt the Offline Files cache. Note: By default, this cache is protected on NTFS partitions

ontrol applet. If you enable this setting and specify a total size limit greater than the size of the drive hosting the Offline Files cache, and th

files from being automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make A

ne Files tab, and then select the "Synchronize all offline files before logging on" option.

MP settings: "Specify permitted managers" and "Specify trap configuration".


TLS_RSA_WITH_RC4_128_MD5 SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5

disabled, multiple simultaneous connections to the Internet, to a Windows domain, or to both are allowed. If this policy setting value is
is maintained and the manual connection attempt is blocked. If this policy setting is not configured or is disabled, computers are allowe

nt server does not support transferring print processors during point-and-print. In the case of a print processor mismatch, the client spoole

the "Enable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop.


a printer connection to any server in their forest using Point and Print. If you disable this policy setting: -Windows Vista client co

the printer is unavailable. -- "Whenever printer is not found" prunes printer objects that are not automatically republished whenev

ow the "Shortcut" and "WinHelp" commands on the entire local system, enable the policy setting and leave the text box on the Settings ta

ession Host running on all machines. TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in

st running on all machines in .humanresources.fabrikam.com


esktop Session Host running on all machines in humanresources.fabrikam.com
Remote Desktop Session Host running on all machines in humanresources.fabrikam.com
t running on host.humanresources.fabrikam.com machine TERMSRV/* Remote Desktop Session Host running on all machines. TERMSRV/*
ating default credentials" server list.
legating fresh credentials" server list.
s in the "Allow delegating saved credentials" server list.

the range of volumes in the group. This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk

configure this policy setting, the appid exemption list defined by local computer administrators is used. Notes: The DCOM Activation secur

been disabled, this setting has no effect and all boot-start drivers are initialized.
quire are not all available locally in your %windir%\inf directory, you might not be able to see all the settings that have been configured in t
nection will not affect whether Group Policy processing will be synchronous or asynchronous.
tations specify that they are updated only when changed. However, you might want to update unchanged preference items, such as reapp
mentations specify that they are updated only when changed. However, you might want to update unchanged preference items, such as r
that they are updated only when changed. However, you might want to update unchanged preference items, such as reapplying a desire
ill evaluate the network connection as a slow link and process only those client side extensions configured to process over a slow link.
ated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has ch
ations specify that they are updated only when changed. However, you might want to update unchanged preference items, such as reapp
wever, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged preferenc
are updated only when changed. However, you might want to update unchanged preference items, such as reapplying a desired preferen
he preference items have not changed. Many policy implementations specify that they are updated only when changed. However, you mig

that they are updated only when changed. However, you might want to update unchanged preference items, such as reapplying a desired
y. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controlle
ect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the
fy that they are updated only when changed. However, you might want to update unchanged preference items, such as reapplying a desir
ementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplyin
tions specify that they are updated only when changed. However, you might want to update unchanged preference items, such as reapply
ns specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired
have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update

eference items have not changed. Many policy implementations specify that they are updated only when changed. However, you might w
cy implementations specify that they are updated only when changed. However, you might want to update unchanged preference items, s
items have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to up
en if the preference items have not changed. Many policy implementations specify that they are updated only when changed. However, y
policy implementations specify that they are updated only when changed. However, you might want to update unchanged preference item

cify that they are updated only when changed. However, you might want to update unchanged preference items, such as reapplying a des
ence items have not changed. Many policy implementations specify that they are updated only when changed. However, you might want
unchanged policies, such as reapplying a desired policy setting in case a user has changed it.

fy that they are updated only when changed. However, you might want to update unchanged preference items, such as reapplying a desir
pecify that they are updated only when changed. However, you might want to update unchanged preference items, such as reapplying a d
policies in case a user has changed it.
ations specify that they are updated only when changed. However, you might want to update unchanged preference items, such as reappl
e user account are in at least Windows 2000 domains.
er, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
d. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.

his stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is

r each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance.
variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broa

path in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling, and
e a path in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling, a
Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling, and you must turn
th in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling, and yo
a path in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling, an
race" box to the location where a planning trace file can be created on the computer where you run modeling, and you must turn on the "
ovide a path in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run modeli
anning trace" box to the location where a planning trace file can be created on the computer where you run modeling, and you must turn
lanning trace" box to the location where a planning trace file can be created on the computer where you run modeling, and you must turn
"Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling, and you must tu
p Policy Modeling query, you must provide a path in the "Planning trace" box to the location where a planning trace file can be created on
must provide a path in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run
t provide a path in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run mo
rovide a path in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run model
Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling, and you must tur
must provide a path in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run
Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling, and you must tu
ust provide a path in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run m
"Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling, and you must tu
the "Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling, and you mu
th in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling, and yo
troller supports claims, compound authentication and Kerberos armoring. The domain controller advertises to Kerberos client computers
ers always wait for the network to be initialized. If you enable this policy setting, computers wait for the network to be fully initialized befo

s, and in general the availability of the Netlogon share on the domain will be decreased. If you enable this policy setting, domain administra

e availability of the SYSVOL share on the domain will be decreased. If you enable this policy setting, domain administrators should ensure t
(1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4294967200 seconds, while any value
ss. This is the default behavior of the DC Locator.

me>
Rfc1510KdcAtSite SRV _kerberos._tcp.<SiteName>._sites.<DnsDomainName>
GenericGc SRV _gc._tcp.<DnsForestName>
Generi

terval of the DC records in seconds (for example, the value 3600 is 60 minutes). If you do not configure this policy setting, it is not applied t

t Closest Site behavior will be used.

lied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a s
exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depe
nding on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SM

support delegation even if delegation was asked for. Note: This policy setting will not be applied until the system is rebooted.
s RPC to maintain complete RPC state information on the system, regardless of its capacity. Because this level can degrade performance, it
ation, but lets you enable it for selected processes. To enable extended error information for a process while this policy setting is in effect,
accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- "Non
e connection timeout, the timeout on the IIS server is used. Otherwise, the provided timeout value is used. The timeout is given in second
policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: Computer Configuratio
policy settings for the GPO: User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logon User Configuration\Policies\Windo
s (10 minutes). This is the default.

anges to this policy to take immediate effect after a Group Policy refresh. Note: This policy setting will take effect only when the Diagnostic

Desktop Experience optional component is installed and the Remote Desktop Services role is not installed.

diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.

set to the default recovery behavior. No system or service restarts are required for changes to this policy setting to take immediate effect

l not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.

ed, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
ed, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console
hen the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to th
d, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
value. Some TPM-based applications may require this setting be changed before features which depend on the TPM anti-hammering lo

y have before all standard users are not allowed to send commands requiring authorization to the TPM. The TPM is designed to protec
es all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. The TP
users may have before all standard users are not allowed to send commands requiring authorization to the TPM. The TPM is designed
ction to "Initialize TPM". Note: If the TPM owner information is lost or is not available, limited TPM management is possible by running "tp
this folder to grant themselves file permissions. Note: The behavior when this policy setting is enabled is exactly the same behavior as in W
stem detects a slow connection.

e shown an error message and an entry will be written to the event log. The user's cached profile will be used, or a temporary profile issue

nstaller or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine.
te Desktop Services edits the users' registry settings when they log off, the system's first few attempts to unload the user settings are more

oaming user profiles are slow to download. To adjust the time within which the user must respond to this notice in operating systems earl

er-user roaming profile path specified in the user object


ption is disregarded. Likewise, if "Run at set time of day" is chosen, the "Interval (hours)" option is disregarded. If you enable this policy setti
top Services User Home Directory" policy setting is enabled, the “Set user home folder” policy setting has no effect.

f business apps that depend on the domain information protected by this setting to connect with network resources if users choose to tur
ing profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection.

. When a series of time samples (as indicated by HoldPeriod) is received, the time client evaluates subsequent time samples for spikes. A ti
ers when the client has to synchronize time with a partner outside its own site. Setting a value of 2 (All) indicates that any synchronization
hat value is also not present, on Windows 8.1 and above the OS will launch the 16-bit application support control panel to allow an elevate

and the performance of the loader is essential. NOTE: Many system processes cache the value of this setting for performance reasons. If y

s needed during the BitLocker setup, TPM owner information will be saved or printed with the BitLocker recovery information. Note: The 4

r other external organizations. You can configure the identification fields on existing drives by using manage-bde.exe. If you enable this poli
nnected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ens

Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check bo
cker recovery information to store in AD DS for fixed data drives. If you select "Backup recovery password and key package", both the BitL
m used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive
ules set by the policy, but if no domain controllers are found the password will still be accepted regardless of actual password complexity a

BitLocker clients will not be able to create and use Network Key Protectors. Note: For reliability and security, computers should also have a
n Data (BCD) integrity validation. Warning: Disabling this policy may result in BitLocker recovery when firmware is updated. If you disable th
rectory Domain Services", choose which BitLocker recovery information to store in AD DS for operating system drives. If you select "Backu

2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager (PCR 10), a
e. If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profi
o unlock the drive. If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform
algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on t
assword will still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector

sonal identification number (PIN), or both. If you enable this policy setting, users can configure advanced startup options in the BitLocker s
with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.

nning Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on
which BitLocker recovery information to store in AD DS for removable data drives. If you select "Backup recovery password and key packa
gorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the
if no domain controllers are found the password will still be accepted regardless of actual password complexity and the drive will be encry
t server unless the RD Licensing grace period for the RD Session Host server has not expired. If you disable or do not configure this policy s

ation node. If you configure this policy setting for the computer, all users on the computer are affected.

e prompted on the client computer to provide credentials for a remote connection.

ng the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desk
mote Desktop Session Host role service installed).

setting audio and video playback redirection is not specified at the Group Policy level.

g in a Remote Desktop Protocol (.rdp) file. By default, audio playback quality is set to Dynamic. If you disable or do not configure this policy

r fallback driver is disabled and the RD Session Host server will not attempt to use the fallback printer driver. If you do not configure this po

m\User Profiles is enabled.


file path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. Notes: 1. The roaming user profiles enabl
and the user's alias. If the status is set to Disabled or Not Configured, the user's home directory is as specified at the server.

uters, Session Broker Computers, or RDS Endpoint Servers.


Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
is policy setting, the Use IP address redirection policy setting is not enforced at the Group Policy level and the default will be u

bits per pixel. Also, the Themes service must be started on the remote computer. If you disable or do not configure this policy setting, desk

e Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012 R2, the m
Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. If the s

s not specified at the Group Policy level.


ction process.
ed certificate is used to authenticate the RD Session Host server. Note: If you select a specific certificate to be used to authenticate the RD
level to be used for remote connections to RD Session Host servers is not enforced through Group Policy. Important: FIPS compliance can b
ears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes pre
settings are configured, the Computer Configuration policy setting takes precedence.
mputer Configuration policy setting takes precedence.
on policy setting takes precedence.
uter is restarted for Windows XP SP2 computers. Windows Vista: In Windows Vista, this policy setting monitors essential sec
s setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista).

is set to “Medium.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin sw
gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. If y
n of the software, file names, how the software operates, and how it has impacted your computer. If you enable this setting, you will join M
ed in error reports. - "Do not collect additional computer data": Select this if you do not want additional information about the computer

nfigure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem oc

tting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting.

y setting. If you disable or do not configure this policy setting, the Default application reporting settings policy setting takes precedence.

. If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in C
onfiguration policy setting.

. For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty. Ranges are specified using the syntax IP1
window and require elevated permissions to do either of these tasks. On Windows 7: This policy setting has no effect. Users will always se

l be every day at 3:00 AM. If any updates require a restart to complete the installation, Windows will restart the computer automatically. (

effect. Note: This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.

not using the Microsoft Update service, then the Software Notifications policy setting has no effect. If the "Configure Automatic Updates"
sable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. This policy settin

ow link (56Kbs).

to a certain data limit 0x4 - The usage of this connection is unrestricted up to a certain data limit and plan usage is less than 80 perce

ache maximum round trip latency setting is enabled for all client computers where the policy is applied. For example, if Configure BranchC
stalled, Windows 7, or Windows Server 2008 R2. If you select this version, later versions of Windows run the version of BranchCache that
his policy setting, client computers that are configured with hosted cache mode still function correctly. Policy configuration: Select one of th
e. If the policy setting "Set BranchCache Distributed Cache Mode" is applied in addition to this policy, the client computer performs autom
abled. With this selection, BranchCache client computers use the default client computer cache age setting of 28 days on the client compu
member client computers to which the policy is applied. - Disabled. With this selection, BranchCache distributed cache mode is turned off
r example, if this policy is enabled in domain Group Policy, BranchCache hosted cache mode is turned on for all domain member client com
in the policy is turned on for all domain member client computers to which the policy is applied. - Disabled. With this selection, BranchCac
all client computers where the policy is applied. * This policy setting is supported on computers that are running Windows Vista Business, E
u do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified mu
mary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries.

ttings dialog box for each connection. For example, when a user submits a query for a single-label name such as "example," the DNS client a
DNS tab in the Advanced TCP/IP Settings dialog box for each connection. For example, when a user submits a query for a single-label name
source records using a connection-specific DNS suffix.

tting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours an

off for all file servers where Group Policy is applied. In circumstances where this policy setting is enabled, you can also select the following c
rt V2 content information only, configure "Hash version supported" with the value of 2. - To support both V1 and V2 content information,

both work and home seamlessly. 4. In order to not use any seed server, enable the setting; do not insert a seed server name; and check th

s no effect on computers that are running Windows Firewall, which replaces Internet Connection Firewall when you install Windows XP Se
an choose to enable ICS. Note: Internet Connection Sharing is only available when two or more network connections are present. Note: Wh

le and printer sharing exception," "Windows Firewall: Allow remote administration exception," and "Windows Firewall: Define inbound po
quests (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Polic
ng additional dynamically-assigned ports. Because disabling this policy setting does not block TCP port 445, it does not conflict with the "W

xceptions list that administrators define by using the Windows Firewall component in Control Panel. Other policy settings can continue to
ned by Group Policy is deleted. If a local program exceptions list exists, it is ignored unless you enable the "Windows Firewall: Allow local p

le and printer sharing exception," "Windows Firewall: Allow remote administration exception," and "Windows Firewall: Define inbound po
quests (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Polic
ng additional dynamically-assigned ports. Because disabling this policy setting does not block TCP port 445, it does not conflict with the "W

xceptions list that administrators define by using the Windows Firewall component in Control Panel. Other policy settings can continue to
ned by Group Policy is deleted. If a local program exceptions list exists, it is ignored unless you enable the "Windows Firewall: Allow local p

d Windows Server 2012, the default sync interval is 120 minutes.

ndows Server 2008 R2 will use the default latency value of 80 milliseconds when transitioning a folder to the slow-link mode. Computers ru
protected on NTFS partitions by ACLs.This setting is applied at user logon. If this setting is changed after user logon then user logoff and lo

the Offline Files cache, and that drive is the system drive, the total size limit is automatically adjusted downward to 75 percent of the size

cts the display of the "Make Available Offline" command in File Explorer.If the "Remove 'Make Available Offline' command" policy setting
_192_EDE3_CBC_WITH_MD5 TLS_RSA_WITH_NULL_SHA TLS_RSA_WITH_NULL_MD5 TLS 1.2 SHA256 and SHA384 ciph

If this policy setting value is Not Configured, the default policy setting is enabled. This is different than enabling the policy setting with Gr
isabled, computers are allowed to connect simultaneously to both domain and non-domain networks.

or mismatch, the client spooler will always send jobs to the print server for rendering. Disabling the above policy setting does not override
-Windows Vista client computers can create a printer connection to any server using Point and Print. -Windows Vista computer

matically republished whenever the host computer does not respond, just as it does with Windows 2000 printers. Note: This setting

the text box on the Settings tab of the Policy Properties dialog box blank. If you disable or do not configure this policy setting, these co

ost running on all machines in .humanresources.fabrikam.com

g on all machines. TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fa
led on the volume. Also, if disk quotas are not enforced, users can exceed the quota limit you set. When users reach the quota limit, their

es:The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatche
that have been configured in the GPO that you are editing.

reference items, such as reapplying a desired preference setting in case a user has changed it.
ed preference items, such as reapplying a desired preference setting in case a user has changed it.
ms, such as reapplying a desired preference setting in case a user has changed it.
o process over a slow link.
ed setting in case a user has changed it.
eference items, such as reapplying a desired preference setting in case a user has changed it.
changed it.
update unchanged preference items, such as reapplying a desired preference setting in case a user has changed it.
s reapplying a desired preference setting in case a user has changed it.
en changed. However, you might want to update unchanged preference items, such as reapplying a desired preference setting in case a us

s, such as reapplying a desired preference setting in case a user has changed it.
nnection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The def
stem\User Profile. Note: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP
ms, such as reapplying a desired preference setting in case a user has changed it.
nged policies, such as reapplying a desired policy setting in case a user has changed it.
ference items, such as reapplying a desired preference setting in case a user has changed it.
s, such as reapplying a desired policy setting in case a user has changed it.
er, you might want to update unchanged preference items, such as reapplying a desired preference setting in case a user has changed it.

hanged. However, you might want to update unchanged preference items, such as reapplying a desired preference setting in case a user h
unchanged preference items, such as reapplying a desired preference setting in case a user has changed it.
However, you might want to update unchanged preference items, such as reapplying a desired preference setting in case a user has change
ly when changed. However, you might want to update unchanged preference items, such as reapplying a desired preference setting in cas
te unchanged preference items, such as reapplying a desired preference setting in case a user has changed it.

tems, such as reapplying a desired preference setting in case a user has changed it.
ed. However, you might want to update unchanged preference items, such as reapplying a desired preference setting in case a user has ch
ms, such as reapplying a desired preference setting in case a user has changed it.
e items, such as reapplying a desired preference setting in case a user has changed it.

eference items, such as reapplying a desired preference setting in case a user has changed it.

has changed it.

ction to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The defau

imit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large numbe
ge number establishes a broad range and makes it less likely that update requests overlap. However, updates might be delayed significant

where you run modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no pre
er where you run modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no p
n modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items
here you run modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no prefer
er where you run modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no p
g, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items in this ex
mputer where you run modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are
modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items i
n modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items
un modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference item
ng trace file can be created on the computer where you run modeling, and you must turn on the "Tracing" option. If you are not performin
the computer where you run modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or th
computer where you run modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there
mputer where you run modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are
un modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items
the computer where you run modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or th
un modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference item
he computer where you run modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or ther
un modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference item
ou run modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference
here you run modeling, and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no prefer
to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerbero
work to be fully initialized before users are logged on. Group Policy is applied in the foreground, synchronously. On servers running Window

icy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those app

administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the admin
7200 seconds, while any value greater than 4294967 seconds (~49 days) will be treated as infinity. If you disable this policy setting, Force R

_tcp.<DnsForestName> GenericGcAtSite SRV _gc._tcp.<SiteName>._sites.<DnsForestName> Rfc1510UdpKdc SRV _kerberos._udp.<Dns

olicy setting, it is not applied to any DCs, and DCs use their local configuration.

tory domain specified with a single-label name. The computers will not attempt DNS name resolution in this case, unless the computer is s
ted) Remote Assistance depend on the version of Windows you are running. Windows Vista and later Enable the Remote Assistance excep
ugh an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not avai

stem is rebooted.
el can degrade performance, it is recommended for use only while you are investigating an RPC problem. Note: To retrieve the RPC state in
e this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information E
for this policy setting. -- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is app
The timeout is given in seconds. Note: This policy setting will not be applied until the system is rebooted.
e GPO: Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Startup Computer Configuration\Policies\Window
Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff This policy setting appears in the Computer Configuration and Use

ffect only when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, system file recovery wi

ft Management Console.

tting to take immediate effect after a Group Policy refresh. Note: This policy setting will take effect only when the Diagnostic Policy Service

crosoft Management Console.


icrosoft Management Console.
with the Services snap-in to the Microsoft Management Console.
crosoft Management Console.
he TPM anti-hammering logic can be used. Choose the operating system managed TPM authentication setting of "Delegated" to store o

The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many c
rization to the TPM. The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode whe
TPM. The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives to
ment is possible by running "tpm.msc" on the local computer.
ctly the same behavior as in Windows NT 4.0.

d, or a temporary profile issued if no cached profile exists. Note: The policy setting must be configured on the client computer not the serv

files on the machine.


oad the user settings are more likely to fail. This policy setting does not affect the system's attempts to update the files in the user profile. T

otice in operating systems earlier than Microsoft Windows Vista, use the "Timeout for dialog boxes" policy setting. Important: If the "Do no

ed. If you enable this policy setting, Windows uploads the registry file of the user's roaming user profile in the background according to the
as no effect.

esources if users choose to turn the setting off.


detects a slow connection.

nt time samples for spikes. A time sample is considered to be a spike when the time difference between a time sample and the client comp
ates that any synchronization partner can be used. This value is ignored if the NT5DS value is not set. The default value is 2 decimal (0x02 h
ntrol panel to allow an elevated administrator to make the decision; on Windows 7 and downlevel, the OS will allow 16-bit applications to

for performance reasons. If you make changes to this setting, please reboot to ensure that your system accurately reflects those changes

overy information. Note: The 48-digit recovery password will not be available in FIPS-compliance mode. Important: This policy setting provid

bde.exe. If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identifi
selected by default to help ensure that BitLocker recovery is possible. If this option is not selected, AD DS backup is attempted but network

the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the dr
nd key package", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering
orithm configured on the drive to encrypt the drive. The "Restrict encryption algorithms and cipher suites allowed for hardware-based e
actual password complexity and the drive will be encrypted using that password as a protector. When set to "Do not allow complexity", n

computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or the server
re is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates.
m drives. If you select "Backup recovery password and key package", both the BitLocker recovery password and key package are stored in

the Boot Manager (PCR 10), and the BitLocker Access Control (PCR 11). The descriptions of PCR settings for computers that use an Extensi
r the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Regis
lidation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Co
the algorithm configured on the drive to encrypt the drive. The "Restrict encryption algorithms and cipher suites allowed for hardware-
g that password as a protector. When set to "Do not allow complexity", no password complexity validation will be done. Passwords must b

rtup options in the BitLocker setup wizard. If you disable or do not configure this policy setting, users can configure only basic options on co

o Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the removable dr
overy password and key package", both the BitLocker recovery password and key package are stored in AD DS. If you select "Backup recov
he algorithm configured on the drive to encrypt the drive. The "Restrict encryption algorithms and cipher suites allowed for hardware-b
xity and the drive will be encrypted using that password as a protector. When set to "Do not allow complexity", no password complexity va
r do not configure this policy setting, the license server will exhibit the default behavior noted earlier.

Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum C
or do not configure this policy setting, audio playback quality will be set to Dynamic.

If you do not configure this policy setting, the fallback printer driver behavior is off by default. Note: If the "Do not allow client printer redir

he roaming user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windo
d at the server.

y level and the default will be used. This setting is enabled by default. Notes: 1. For Windows Server 2008, this policy setting is supported

nfigure this policy setting, desktop composition is not allowed for remote desktop sessions, even if desktop composition is enabled in RDC

Windows Server 2012 R2, the minimum of the following values is used as the color depth format: a.Value specified by this policy setting
ectory for the program.If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unle

e used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting.
portant FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and s
onfiguration setting takes precedence.
setting monitors essential security settings to include firewall, antivirus, antispyware, Internet security settings, User Account Control, and
en keyboard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able
nel Options dialog box. If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures and the Z-sh
able this setting, you will join Microsoft MAPS with the membership specified. If you disable or do not configure this setting, you will not joi
ormation about the computer to be collected and included in error reports. - "Force queue mode for application errors": Select this optio

at the time that a problem occurs.

o the list in this policy setting. (Note: The Microsoft applications category includes the Windows components category.) If you disable this p

y setting takes precedence.

hose specified by the user in Control Panel, or in the Configure Default Consent policy setting.
specified using the syntax IP1-IP2. Multiple ranges are separated using "," (comma) as the delimiter. Example IPv4 filters: 2.0.0.1-2.0.0.20
no effect. Users will always see an Account Control window and require elevated permissions to do either of these tasks. On Windows 8 a

the computer automatically. (If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given t

ows RT PCs.

onfigure Automatic Updates" policy setting is disabled or is not configured, then the Software Notifications policy setting has no effect.
opt-in dialog. This policy setting is related to the "Turn off handwriting personalization" policy setting. Note: The amount of stored ink is lim

lan usage is less than 80 percent of the limit. 0x8 - Usage of this connection is unrestricted up to a certain data limit and plan usage is

example, if Configure BranchCache for network files is enabled in domain Group Policy, the BranchCache latency setting that you specify in
version of BranchCache that is included in these operating systems rather than later versions of BranchCache.- Windows 8. If you select t
y configuration Select one of the following: - Not Configured. With this selection, BranchCache settings are not applied to client computers b
ent computer performs automatic hosted cache server discovery. If one or more hosted cache servers are found, the client computer self-
f 28 days on the client computer. In circumstances where this setting is enabled, you can also select and configure the following option: - Sp
uted cache mode is turned off for all client computers where the policy is applied. * This policy setting is supported on computers that are
all domain member client computers to which the policy is applied. - Disabled. With this selection, BranchCache hosted cache mode is tur
With this selection, BranchCache client computers use the default client computer cache setting of five percent of the total disk space on
ning Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed.
ry behavior for unqualified multi-label names.
as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the
a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example

ecords once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed

can also select the following configuration options: - Allow hash publication for all shared folders. With this option, BranchCache generate
and V2 content information, configure "Hash version supported" with the value of 3.

eed server name; and check the check box. If this setting is disabled or not configured, the protocol will revert to using a public registry key

hen you install Windows XP Service Pack 2. If you disable this setting or do not configure it, the Internet Connection Firewall is disabled wh
ections are present. Note: When the "Prohibit access to properties of a LAN connection," "Ability to change properties of an all user remot

ws Firewall: Define inbound port exceptions." Note: Other Windows Firewall policy settings affect only incoming messages, but several of t
etting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow inbound file and printer sharing exce
does not conflict with the "Windows Firewall: Allow file and printer sharing exception" policy setting. Note: Malicious users often attempt

olicy settings can continue to open or block ports. Note: If you type an invalid definition string, Windows Firewall adds it to the list without
Windows Firewall: Allow local program exceptions" policy setting. If you do not configure this policy setting, Windows Firewall uses only the

ws Firewall: Define inbound port exceptions." Note: Other Windows Firewall policy settings affect only incoming messages, but several of t
etting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow inbound file and printer sharing exce
does not conflict with the "Windows Firewall: Allow file and printer sharing exception" policy setting. Note: Malicious users often attempt

olicy settings can continue to open or block ports. Note: If you type an invalid definition string, Windows Firewall adds it to the list without
Windows Firewall: Allow local program exceptions" policy setting. If you do not configure this policy setting, Windows Firewall uses only the

slow-link mode. Computers running Windows 8 or Windows Server 2012 will use the default latency value of 35 milliseconds when transiti
r logon then user logoff and logon is required for this setting to take effect.

ward to 75 percent of the size of the drive. If the cache is located on a drive other than the system drive, the limit is automatically adjuste

ffline' command" policy setting is enabled, this setting has no effect.


1.2 SHA256 and SHA384 cipher suites: TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_RSA_W

bling the policy setting with Group Policy, however - when the policy setting is Not Configured, the policy setting is configurable on the loc

olicy setting does not override this behavior. Note: In cases where the client print driver does not match the server print driver (mismatche
-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any se

nters. Note: This setting applies to printers published by using Active Directory Users and Computers or Pubprn.vbs. It does not app

ure this policy setting, these commands are fully functional for all Help files. Note: Only folders on the local computer can be specified i

machines in humanresources.fabrikam.com
rs reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume.

activation request is dispatched to the server process. This access check is done against the DCOM server's custom launch permission sec
preference setting in case a user has changed it.

user at boot or logon. The default is 5000 milliseconds. If you disable this policy setting, the Group Policy client will not cache app
profile server does not have IP connectivity, the SMB timing is used.

n case a user has changed it.

erence setting in case a user has changed it.

tting in case a user has changed it.


esired preference setting in case a user has changed it.

ce setting in case a user has changed it.


er at boot or logon. The default is 5000 milliseconds. If you disable or do not configure this policy setting, the Group Policy client will no

minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be
es might be delayed significantly. Note: This setting is used only when you are establishing policy for a domain, site, organizational unit (OU

y Modeling or there are no preference items in this extension, no planning trace file is created.
icy Modeling or there are no preference items in this extension, no planning trace file is created.
there are no preference items in this extension, no planning trace file is created.
odeling or there are no preference items in this extension, no planning trace file is created.
cy Modeling or there are no preference items in this extension, no planning trace file is created.
no preference items in this extension, no planning trace file is created.
p Policy Modeling or there are no preference items in this extension, no planning trace file is created.
here are no preference items in this extension, no planning trace file is created.
here are no preference items in this extension, no planning trace file is created.
r there are no preference items in this extension, no planning trace file is created.
ption. If you are not performing Group Policy Modeling or there are no preference items in this extension, no planning trace file is created
ng Group Policy Modeling or there are no preference items in this extension, no planning trace file is created.
roup Policy Modeling or there are no preference items in this extension, no planning trace file is created.
p Policy Modeling or there are no preference items in this extension, no planning trace file is created.
there are no preference items in this extension, no planning trace file is created.
g Group Policy Modeling or there are no preference items in this extension, no planning trace file is created.
r there are no preference items in this extension, no planning trace file is created.
Group Policy Modeling or there are no preference items in this extension, no planning trace file is created.
r there are no preference items in this extension, no planning trace file is created.
ng or there are no preference items in this extension, no planning trace file is created.
odeling or there are no preference items in this extension, no planning trace file is created.
c Access Control and Kerberos armoring. Domain functional level requirements For the options "Always provide claims" and "Fail unarmor
ly. On servers running Windows Server 2008 or later, this policy setting is ignored during Group Policy processing at computer startup and

ty in the domain are those approved by the administrator.

those approved by the administrator.


ble this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval. If you do not configure this polic

c SRV _kerberos._udp.<DnsDomainName> Rfc1510Kpwd SRV _kpasswd._tcp.<DnsDomainName> Rfc1510UdpKpwd SRV _kpasswd

case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory
the Remote Assistance exception for the domain profile. The exception must contain: Port 135:TCP %WINDIR%\System32\msra.exe %WIND
. This policy setting is not available in Windows Vista since SMAPI is the only method supported. If you enable this policy setting you should

e: To retrieve the RPC state information from a system that maintains it, you must use a debugging tool. Note: This policy setting will not b
e Extended Error Information Exception field. -- "On" enables extended error information for all processes. Note: For information about the
which the policy setting is applied. -- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC S
onfiguration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown
mputer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the setting s

abled, system file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Con

n the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, system file recovery will not be attem
etting of "Delegated" to store only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setti

e when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all us
a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout m
kout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global

e client computer not the server for it to have any effect because the client computer sets the file share permissions for the roaming profi

e the files in the user profile. Tip: Consider increasing the number of retries specified in this policy setting if there are many user profiles st

etting. Important: If the "Do not detect slow network connections" setting is enabled, this policy setting is ignored. Also, if the "Delete cach

e background according to the schedule set here while the user is logged on. Regular profiles are not affected.If this setting is disabled or n

me sample and the client computer's local clock is greater than that of the LargePhaseOffset value. Default: Five time samples.LargePhaseO
fault value is 2 decimal (0x02 hexadecimal).ResolvePeerBackoffMinutesThis value, expressed in minutes, controls how long W32time wait
ill allow 16-bit applications to run.Note: This setting appears in only Computer Configuration.

curately reflects those changes.

rtant: This policy setting provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of k

d drive and any allowed identification field used by your organization.When a BitLocker-protected drive is mounted on another BitLocker-e
ckup is attempted but network or other backup failures do not prevent BitLocker setup. Backup is not automatically retried and the recove

enable users to unlock the drive on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with
package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only," only th
allowed for hardware-based encryption” option enables you to restrict the encryption algorithms that BitLocker can use with hardware
o "Do not allow complexity", no password complexity validation will be done.Passwords must be at least 8 characters. To configure a grea

he wired network or the server at startup.

and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If

computers that use an Extensible Firmware Interface (EFI) are different than the PCR settings described for computers that use a standard
f Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key aga
onsists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the en
r suites allowed for hardware-based encryption” option enables you to restrict the encryption algorithms that BitLocker can use with ha
will be done.Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number o

figure only basic options on computers with a TPM.Note: If you want to require the use of a startup PIN and a USB flash drive, you must c

installed on the removable drive to enable users to unlock the drive on computers running Windows Server 2008, Windows Vista, Window
DS. If you select "Backup recovery password only" only the recovery password is stored in AD DS.Select the "Do not enable BitLocker until r
suites allowed for hardware-based encryption” option enables you to restrict the encryption algorithms that BitLocker can use with hard
y", no password complexity validation will be done.Passwords must be at least 8 characters. To configure a greater minimum length for th
the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.
o not allow client printer redirection" setting is enabled, this policy setting is ignored and the fallback printer driver is disabled.

user might also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precede

this policy setting is supported on at least Windows Server 2008 Standard.

omposition is enabled in RDC or in the .rdp file.

specified by this policy setting b.Maximum color depth supported by the client c.Value requested by the client If the client doe
tart with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templa

for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Po
ngs, User Account Control, and Automatic Updates. Windows Vista computers do not require a reboot for this policy setting to take effect.
tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this policy and choose to “M
atch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Opti
ure this setting, you will not join Microsoft MAPS.
ation errors": Select this option if you do not want users to report errors. When this option is selected, errors are stored in a queue direct

s category.)If you disable this policy setting or do not configure it, the Default application reporting settings policy setting takes precedence
e IPv4 filters:\n2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FED
f these tasks.On Windows 8 and Windows RT: This policy setting has no effect. Users will always see an Account Control window and requ

ser will be notified and given the option to delay the restart.) On Windows 8 and later, you can set updates to install during automatic

policy setting has no effect.


he amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached an

ain data limit and plan usage is between 80 percent and 100 percent of the limit. 0x10 - Usage of this connection is unrestricted up to

ency setting that you specify in the policy is turned on for all domain member client computers to which the policy is applied.- Disabled. W
he.- Windows 8. If you select this version, Windows 8 will run the version of BranchCache that is included in the operating system.
t applied to client computers by this policy setting.- Enabled. With this selection, the policy setting is applied to client computers, which ar
und, the client computer self-configures for hosted cache mode only.If the policy setting "Set BranchCache Hosted Cache Mode" is applied
figure the following option:- Specify the age in days for which segments in the data cache are valid.
ported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Serv
che hosted cache mode is turned off for all client computers where the policy is applied.In circumstances where this setting is enabled, yo
ent of the total disk space on the client computer.In circumstances where this setting is enabled, you can also select and configure the foll
(BITS) 4.0 installed.
osoft.com," before sending the query to a DNS server.If a DNS suffix search list is not specified, the DNS client attaches the primary DNS su
esulting in the query "example.microsoft.com," before sending the query to a DNS server.If a DNS suffix search list is not specified, the DN

CP lease is granted or renewed.

option, BranchCache generates content information for all content in all shares on the file server. - Allow hash publication only for shared f

t to using a public registry key to determine the seed server to bootstrap from.

nection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection pr
properties of an all user remote access connection," or "Prohibit changing properties of a private remote access connection" settings are s

ing messages, but several of the options of the "Windows Firewall: Allow ICMP exceptions" policy setting affect outgoing communication.
nd file and printer sharing exception," "Windows Firewall: Allow inbound remote administration exception," and "Windows Firewall: Defin
Malicious users often attempt to attack networks and computers using RPC and DCOM. We recommend that you contact the manufacture

wall adds it to the list without checking for errors, and therefore you can accidentally create multiple entries for the same port with confli
indows Firewall uses only the local program exceptions list that administrators define by using the Windows Firewall component in Contro

ing messages, but several of the options of the "Windows Firewall: Allow ICMP exceptions" policy setting affect outgoing communication.
nd file and printer sharing exception," "Windows Firewall: Allow inbound remote administration exception," and "Windows Firewall: Defin
Malicious users often attempt to attack networks and computers using RPC and DCOM. We recommend that you contact the manufacture

wall adds it to the list without checking for errors, and therefore you can accidentally create multiple entries for the same port with confli
indows Firewall uses only the local program exceptions list that administrators define by using the Windows Firewall component in Contro

f 35 milliseconds when transitioning a folder to the slow-link mode. To avoid extra charges on cell phone or broadband plans, it may be ne
e limit is automatically adjusted downward to 100 percent of the size of the drive.If you enable this setting and specify a total size limit less
C_SHA256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384TLS_ECDHE_RSA_W

tting is configurable on the local computer. When the policy setting is applied with Group Policy, it is not configurable locally. With the poli

server print driver (mismatched connection), the client will always process the print job, regardless of the setting of this policy.
a printer connection to any server using Point and Print. -Windows Vista computers will not show a warning or an elevated comman

or Pubprn.vbs. It does not apply to printers published by using Printers in Control Panel. Tip: If you disable automatic pruning, remem

al computer can be specified in this policy setting. You cannot use this policy setting to enable the "Shortcut" and "WinHelp" commands fo
o the volume.

custom launch permission security descriptor if it exists, or otherwise against the configured defaults.If the DCOM server's custom launch
Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it down
, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchrono

p. However, updates might be delayed significantly.This setting establishes the update rate for computer Group Policy. To set an update ra
n, site, organizational unit (OU), or customized group. If you are establishing policy for a local computer only, the system ignores this settin

o planning trace file is created.


ide claims" and "Fail unarmored authentication requests", when the domain functional level is set to Windows Server 2008 R2 or earlier t
ssing at computer startup and Group Policy processing will be synchronous (these servers wait for the network to be initialized during com
you do not configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the loc

510UdpKpwd SRV _kpasswd._udp.<DnsDomainName>If you disable this policy setting, DCs configured to perform dynamic registration

oined, in the Active Directory forest.


R%\System32\msra.exe%WINDIR%\System32\raserver.exeWindows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition
e this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.

e: This policy setting will not be applied until the system is rebooted.
ote: For information about the Extended Error Information Exception field, see the Windows Software Development Kit (SDK).Note: Extend
on above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces t
precedence over the setting set in User Configuration.

e Microsoft Management Console.

file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
b in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM anti-hammering logic. Exte

out mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authoriza
en the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption.
ers a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of

missions for the roaming profile at creation time.Note: The behavior when this policy setting is enabled is exactly the same behavior as in W

here are many user profiles stored in the computer's memory. This indicates that the system has not been able to unload the profile.Also,

ored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load w

d.If this setting is disabled or not configured, the registry file for a roaming user profile will not be uploaded in the background while the us

Five time samples.LargePhaseOffsetThis parameter specifies the time variation from the client computer's local clock (phase offset) that a
ntrols how long W32time waits before it attempts to resolve a DNS name when a previous attempt failed. The default value is 15 minutes.
vent data loss due to lack of key information. If you do not allow both user recovery options you must enable the "Store BitLocker recover

ounted on another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether t
atically retried and the recovery password may not have been stored in AD DS during BitLocker setup.If you disable or do not configure th

with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed.If this policy setting is disabled, fixed data drives form
covery password only," only the recovery password is stored in AD DS.Select the "Do not enable BitLocker until recovery information is sto
Locker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-base
haracters. To configure a greater minimum length for the password, enter the desired number of characters in the "Minimum password le

s been physically corrupted. If you select "Backup recovery password only," only the recovery password is stored in AD DS.Select the "Do n

omputers that use a standard BIOS.Warning: Changing from the default platform validation profile affects the security and manageability o
ecures the encryption key against changes to the Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0), the
alidation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable e
that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardwa
rd, enter the desired number of characters in the "Minimum password length" box.If you disable or do not configure this policy setting, the

a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encrypti

2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed.If this policy settin
Do not enable BitLocker until recovery information is stored in AD DS for removable data drives" check box if you want to prevent users fro
hat BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardwar
greater minimum length for the password, enter the desired number of characters in the "Minimum password length" box.If you disable th
driver is disabled.

er profile always takes precedence in a Remote Desktop Services session.2. To configure a mandatory Remote Desktop Services roaming u

the client If the client does not support at least 16 bits, the connection is terminated.
uration\Administrative Templates\System\Logon\Run these programs at user logon" setting.)Note: This setting appears in both Computer

ngs\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the se
is policy setting to take effect.
his policy and choose to “Medium-High” from the drop-down box, password security is set to “Medium-High.” At this setting, w
estures tab in Input Panel Options.
rs are stored in a queue directory, and the next administrator to log on to the computer can send the error reports to Microsoft.- "Corpor

olicy setting takes precedence. Also see the "Default Application Reporting" and "Application Exclusion List" policies. This setting will be
000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562
ount Control window and require elevated permissions to do either of these tasks.If you disable this policy setting, then only administrative

es to install during automatic maintenance instead of a specific schedule. Automatic maintenance will install updates when the computer
en these limits are reached and new data is collected, old data is deleted to make room for more recent data.Note: Handwriting personali

onnection is unrestricted up to a certain data limit, which has been exceeded. Surcharge applied or unknown. 0x20 - Usage of this con

policy is applied.- Disabled. With this selection, BranchCache client computers use the default latency setting of 80 milliseconds.In circum
the operating system.
to client computers, which are configured as hosted cache mode clients that use the hosted cache servers that you specify in "Hosted cac
Hosted Cache Mode" is applied, the client computer does not perform automatic hosted cache discovery. This is also true in cases where th

round Intelligent Transfer Service (BITS) 4.0 installed.


here this setting is enabled, you can also select and configure the following option:- Type the name of the hosted cache server. Specifies th
o select and configure the following option:- Specify the percentage of total disk space allocated for the cache. Specifies an integer that is
t attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. I
ch list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS

h publication only for shared folders on which BranchCache is enabled. With this option, content information is generated only for shared

anced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Int
ess connection" settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked.N

ect outgoing communication.


and "Windows Firewall: Define inbound port exceptions."
you contact the manufacturers of your critical programs to determine if they are hosted by SVCHOST.exe or LSASS.exe or if they require R

s for the same port with conflicting Scope or Status values. Scope parameters are combined for multiple entries. If entries have different S
Firewall component in Control Panel.Note: If you type an invalid definition string, Windows Firewall adds it to the list without checking fo

ect outgoing communication.


and "Windows Firewall: Define inbound port exceptions."
you contact the manufacturers of your critical programs to determine if they are hosted by SVCHOST.exe or LSASS.exe or if they require R

s for the same port with conflicting Scope or Status values. Scope parameters are combined for multiple entries. If entries have different S
Firewall component in Control Panel.Note: If you type an invalid definition string, Windows Firewall adds it to the list without checking fo

broadband plans, it may be necessary to configure the latency threshold to be lower than the round-trip network latency.In Windows Vist
nd specify a total size limit less than the amount of space currently used by the Offline Files cache, the total size limit is automatically adju
256_P384TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256TLS_ECDHE_RSA_W

figurable locally. With the policy setting value of Not Configured, new automatic connection attempts are not made, and less preferred con

tting of this policy.


rning or an elevated command prompt when an existing printer connection driver needs to be updated. -Windows Server 2003 and W

ble automatic pruning, remember to delete printer objects manually whenever you remove a printer or print server.

" and "WinHelp" commands for .chm files that are stored on mapped drives or accessed using UNC paths. For additional options, see t
DCOM server's custom launch permission contains explicit DENY entries this may mean that object activations that would have previously
cy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow lin
n Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determ

oup Policy. To set an update rate for user policies, use the "Set Group Policy refresh interval for users" setting (located in User Configuratio
, the system ignores this setting.
ws Server 2008 R2 or earlier then domain controllers behave as if the "Supported" option is selected. When the domain functional level is
ork to be initialized during computer startup). If the server is configured as follows, this policy setting takes effect during Group Policy proc
2 hour interval, unless the local machine setting in the registry is a different value.

perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records.If you do not configure this policy se
ws XP Professional x64 Edition with Service Pack 1 (SP1)Port 135:TCP%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe%WINDIR%\PCHe
munications.

opment Kit (SDK).Note: Extended error information is formatted to be compatible with other operating systems and older Microsoft opera
ons are granted to interfaces that have requested them.-- "Authenticated without exceptions" allows only authenticated RPC Clients (per
anagement Console.
PM anti-hammering logic. External or remote storage of the full TPM owner authorization value, for example by backing up the value to A

tion. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may en
e BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufactur
e Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPM

actly the same behavior as in Windows 2000 Professional pre-SP4 and Windows XP Professional.

ble to unload the profile.Also, check the Application Log in Event Viewer for events generated by Userenv. The system records an event w

f the roaming profile to load when the system detects a slow connection.

n the background while the user is logged on.

cal clock (phase offset) that a time sample must have to be considered a spike. Time samples that have time variations larger than the Larg
e default value is 15 minutes.ResolvePeerBackoffMaxTimesThis value controls how many times W32time attempts to resolve a DNS name
e the "Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)" policy setting

e used to determine whether the drive is from an outside organization.If you disable or do not configure this policy setting, the identificatio
disable or do not configure this policy setting, BitLocker recovery information is not backed up to AD DS.Note: Trusted Platform Module (T

disabled, fixed data drives formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Wind
til recovery information is stored in AD DS for fixed data drives" check box if you want to prevent users from enabling BitLocker unless the
able the use of hardware-based encryption.Encryption algorithms are specified by object identifiers (OID). For example:- AES 128 in CBC m
in the "Minimum password length" box.If you disable this policy setting, the user is not allowed to use a password.If you do not configure

ored in AD DS.Select the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box if y

e security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or d
tform Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot Sector (PCR 8), the N
CR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11).Warning: Changing
will disable the use of hardware-based encryption.Encryption algorithms are specified by object identifiers (OID). For example:- AES 128 in
onfigure this policy setting, the default length constraint of 8 characters will apply to operating system drive passwords and no complexity

of the BitLocker Drive Encryption setup wizard.

der installed.If this policy setting is disabled, removable data drives formatted with the FAT file system that are BitLocker-protected cannot
f you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recover
will disable the use of hardware-based encryption.Encryption algorithms are specified by object identifiers (OID). For example:- AES 128 in
rd length" box.If you disable this policy setting, the user is not allowed to use a password.If you do not configure this policy setting, passwo
e Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together wi
ng appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting ov

a sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryptio
um-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is al
eports to Microsoft.- "Corporate file path": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified l

st" policies. This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured.
etting, then only administrative users will receive update notifications.Note: On Windows 8 and Windows RT this policy setting is enabled b

l updates when the computer is not in use, and avoid doing so when the computer is running on battery power. If automatic maintenance
a.Note: Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers.

. 0x20 - Usage of this connection is unrestricted up to a certain data limit, which has been exceeded. No surcharge applies, but speed

g of 80 milliseconds.In circumstances where this policy setting is enabled, you can also select and configure the following option:- Type the

hat you specify in "Hosted cache servers."- Disabled. With this selection, this policy is not applied to client computers.In circumstances wh
is is also true in cases where the policy setting "Configure Hosted Cache Servers" is applied.This policy setting can only be applied to client

sted cache server. Specifies the computer name of the hosted cache server. Because the hosted cache server name is also specified in the
he. Specifies an integer that is the percentage of total client computer disk space to use for the BranchCache client computer cache.* This
is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the l
s, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DN

n is generated only for shared folders on which BranchCache is enabled. If you use this setting, you must enable BranchCache for individua

n the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New
or the connection is blocked.Note: Nonadministrators are already prohibited from configuring Internet Connection Sharing, regardless of t
r LSASS.exe or if they require RPC and DCOM communication. If they do not, then do not enable this policy setting.Note: If any policy setti

ries. If entries have different Status values, any definition with the Status set to "disabled" overrides all definitions with the Status set to "e
to the list without checking for errors. This allows you to add programs that you have not installed yet, but be aware that you can acciden

r LSASS.exe or if they require RPC and DCOM communication. If they do not, then do not enable this policy setting.Note: If any policy setti

ries. If entries have different Status values, any definition with the Status set to "disabled" overrides all definitions with the Status set to "e
to the list without checking for errors. This allows you to add programs that you have not installed yet, but be aware that you can acciden

twork latency.In Windows Vista or Windows Server 2008, once transitioned to slow-link mode, users will continue to operate in slow-link m
size limit is automatically adjusted upward to the amount of space currently used by offline files. The cache is then considered full.If you e
384_P256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521TLS_ECDHE_ECDSA_

t made, and less preferred connections are disconnected.


-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. -The "

t server.

For additional options, see the "Restrict these programs from being launched from Help" policy.
ns that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail inste
timates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchro
bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to config

g (located in User Configuration\Administrative Templates\System\Group Policy).This setting is only used when the "Turn off background r
the domain functional level is set to Windows Server 2012 then the domain controller advertises to Kerberos client computers that the do
ffect during Group Policy processing at user logon: • The server is configured as a terminal server (that is, the Terminal Server role servic
do not configure this policy setting, DCs use their local configuration.
\Helpsvc.exe%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe%WINDIR%\System32\Sessmgr.exeFor computers running Windows Serv

ems and older Microsoft operating systems, but only newer Microsoft operating systems can read and respond to the information.Note: Th
uthenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applie
e by backing up the value to Active Directory Domain Services (AD DS), is recommended when using this setting. Choose the operating sys

facturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past
d out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization fa
PM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures dependin

he system records an event whenever it tries to unload the registry portion of the user profile. The system also records an event when it fa

variations larger than the LargePhaseOffset value are considered spikes. Default: 50,000,000 100-nanosecond units (ns), which is five seco
ttempts to resolve a DNS name before the discovery process is restarted. Each time DNS name resolution fails, the amount of time to wait
Windows Vista)" policy setting to prevent a policy error.

policy setting, the identification field is not required. Note: Identification fields are required for management of certificate-based data reco
e: Trusted Platform Module (TPM) initialization might occur during BitLocker setup. Enable the "Turn on TPM backup to Active Directory D

ed on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2. Bitlockertogo.exe will no
m enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds
or example: - AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
sword. If you do not configure this policy setting, passwords will be supported with the default settings, which do not include password com

g system drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the

r authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.
TFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager (PCR 10), and the BitLocker Access Control (PCR 11). Warning: Cha
ol (PCR 11). Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLoc
OID). For example: - AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
passwords and no complexity checks will occur. Note: Passwords cannot be used if FIPS-compliance is enabled. The "System cryptography

re BitLocker-protected cannot be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windo
e backup of BitLocker recovery information to AD DS succeeds. Note: If the "Do not enable BitLocker until recovery information is stored in
ID). For example: - AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
gure this policy setting, passwords will be supported with the default settings, which do not include password complexity requirements an
this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configurati
puter Configuration setting overrides.

g Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications be
by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to config
rs are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to log onto the computer can
this policy setting is enabled by default. In all prior versions of Windows, it is disabled by default. If the "Configure Automatic Updates" pol

wer. If automatic maintenance is unable to install updates for 2 days, Windows Update will install updates right away. Users will then be no
rty recognizers.

o surcharge applies, but speeds are likely reduced. 0x40 - The connection is costed on a per-byte basis. 0x80 - The connection is

the following option: - Type the maximum round trip network latency (milliseconds) after which caching begins. Specifies the amount of tim

omputers. In circumstances where this setting is enabled, you can also select and configure the following option: - Hosted cache servers. To
g can only be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Wi

er name is also specified in the certificate enrolled to the hosted cache server, the name that you enter here must match the name of the h
client computer cache. * This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate
x of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name,
lient devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary

able BranchCache for individual shares in Share and Storage Management on the file server.- Disallow hash publication on all shared folder

reated through the Make New Connection Wizard have the Internet Connection Firewall enabled.
ection Sharing, regardless of this setting. Note: Disabling this setting does not prevent Wireless Hosted Networking from using the ICS serv
etting. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the message sent by

itions with the Status set to "enabled," and the port does not receive messages. Therefore, if you set the Status of a port to "disabled," yo
be aware that you can accidentally create multiple entries for the same program with conflicting Scope or Status values. Scope parameters

etting. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the message sent by

itions with the Status set to "enabled," and the port does not receive messages. Therefore, if you set the Status of a port to "disabled," yo
be aware that you can accidentally create multiple entries for the same program with conflicting Scope or Status values. Scope parameters

tinue to operate in slow-link mode until the user clicks the Work Online button on the toolbar in Windows Explorer. Data will only be sync
is then considered full. If you enable this setting and specify an auto-cached space limit greater than the total size limit, the auto-cached lim
384_P521 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_EC
ng Point and Print. -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and
running, might now fail instead. The proper action in this situation is to re-configure the DCOM server's custom launch permission settin
y setting to configure asynchronous foreground behavior.)
tion” policy setting to configure asynchronous foreground behavior.)

en the "Turn off background refresh of Group Policy" setting is not enabled.Note: Consider notifying users that their policy is updated peri
s client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring
the Terminal Server role service is installed and configured on the server); and • The “Allow asynchronous user Group Policy processi
puters running Windows Server 2003 with Service Pack 1 (SP1) Port 135:TCP %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe %WINDIR%

nd to the information. Note: The default policy setting, "Off," is designed for systems where extended error information is considered to be
hich the policy setting is applied. No exceptions are allowed. Note: This policy setting will not be applied until the system is rebooted.
tting. Choose the operating system managed TPM authentication setting of "None" for compatibility with previous operating systems and

tion failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the
me with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Othe
uthorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may re

so records an event when it fails to update the files in a user profile.

nd units (ns), which is five seconds. MaxAllowedPhaseOffset: This parameter controls how W32time corrects the clock based on the size of t
s, the amount of time to wait before the next attempt will be twice the previous amount. The default value is seven attempts. SpecialPollIn
t of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data rec
M backup to Active Directory Domain Services" policy setting in System\Trusted Platform Module Services to ensure that TPM information

SP2. Bitlockertogo.exe will not be installed. Note: This policy setting does not apply to drives that are formatted with the NTFS file system.
nformation to AD DS succeeds. Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" che
4.1.42
h do not include password complexity requirements and require only 8 characters. Note: Passwords cannot be used if FIPS-compliance is e

nected to the domain and the backup of BitLocker recovery information to AD DS succeeds. Note: If the "Do not enable BitLocker until reco

Control (PCR 11). Warning: Changing from the default platform validation profile affects the security and manageability of your computer. B
bility of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upo
1.101.3.4.1.42
ed. The "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing" policy setting in Computer Configuratio

ndows XP with SP3, or Windows XP with SP2. Bitlockertogo.exe will not be installed. Note: This policy setting does not apply to drives that
covery information is stored in AD DS for fixed data drives" check box is selected, a recovery password is automatically generated. If you en
101.3.4.1.42
d complexity requirements and require only 8 characters. Note: Passwords cannot be used if FIPS-compliance is enabled. The "System cryp
ocated in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. T
evel when communications between clients and RD Session Host servers requires the highest level of encryption.
Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this policy and choose “High” from t
to log onto the computer can send the error reports to Microsoft. - "Replace instances of the word ‘Microsoft’ with": You can spec
figure Automatic Updates" policy setting is disabled or is not configured, then the Elevate Non-Admin policy setting has no effect.

ht away. Users will then be notified about an upcoming restart, and that restart will only take place if there is no potential for accidental d
0x80 - The connection is roaming. 0x80000000 - Ignore congestion.

ns. Specifies the amount of time, in milliseconds, after which BranchCache client computers begin to cache content locally.

on:- Hosted cache servers. To add hosted cache server computer names to this policy setting, click Enabled, and then click Show. The Show
omputers that are running Windows 7 or Windows Vista. If you disable, or do not configure this setting, a client will not attempt to discov

must match the name of the hosted cache server that is specified in the server certificate. Hosted cache clients must trust the server certi
ness, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed.
uffix to the single-label name, and submits this new query to a DNS server. For example, if the primary DNS suffix ooo.aaa.microsoft.com is
ttaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. For example, if the primary

publication on all shared folders. With this option, BranchCache does not generate content information for any shares on the computer an

orking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the netwo
messages (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Po

tus of a port to "disabled," you can prevent administrators from using the Windows Firewall component in Control Panel to enable the po
atus values. Scope parameters are combined for multiple entries. Note: If you set the Status parameter of a definition string to "disabled,"

messages (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Po

tus of a port to "disabled," you can prevent administrators from using the Windows Firewall component in Control Panel to enable the po
atus values. Scope parameters are combined for multiple entries. Note: If you set the Status parameter of a definition string to "disabled,"

xplorer. Data will only be synchronized to the server if the user manually initiates synchronization by using Sync Center. In Windows 7, Win
l size limit, the auto-cached limit is automatically adjusted downward to equal the total size limit. This setting replaces the Default Cache S
_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDH
y to Windows Server 2003 and Windows XP SP1 (and later service packs).
stom launch permission settings for correct security settings, but this policy setting may be used in the short-term as an application compa
hat their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows des
ontrol and Kerberos armoring, and: - If you set the "Always provide claims" option, always returns claims for accounts and supports the R
ous user Group Policy processing when logging on through Terminal Services” policy setting is enabled. This policy setting is located und
inaries\Helpsvc.exe %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe Allow Remote Desktop Exception

nformation is considered to be sensitive, and it should not be made available remotely. Note: This policy setting will not be applied until th
the system is rebooted.
evious operating systems and applications or for use with scenarios that require TPM owner authorization not be stored locally. Using this

Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. An administrator with
exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mo
t mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. An administ

he clock based on the size of the calculated time variation between the time sample and the client computer's local clock. If a response is
s seven attempts. SpecialPollInterval: This NTP client value, expressed in seconds, controls how often a manually configured time source is p
date certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on th
ensure that TPM information is also backed up.

tted with the NTFS file system.


D DS for fixed data drives" check box is selected, a recovery password is automatically generated. If you enable this policy setting, you can

be used if FIPS-compliance is enabled. The "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing" poli

not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box is selected, a recovery password

nageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased dependin
d or decreased depending upon inclusion or exclusion (respectively) of the PCRs. Specifically, setting this policy with PCR 7 omitted, will ov
tting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is e

does not apply to drives that are formatted with the NTFS file system.
omatically generated. If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-prote

e is enabled. The "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing" policy setting in Computer Co
es\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain
and choose “High” from the drop-down box, password security is set to “High.” At this setting, when users enter passwords from
osoft’ with": You can specify text with which to customize your error report dialog boxes. The word "Microsoft" is replaced with th
setting has no effect.

is no potential for accidental data loss. Automatic maintenance can be further configured by using Group Policy settings here: Comput
content locally.

and then click Show. The Show Contents dialog box opens. Click Value, and then type the computer names of the hosted cache servers.
ent will not attempt to discover hosted cache servers by service connection point. Policy configuration: Select one of the following: - Not Co

nts must trust the server certificate that is issued to the hosted cache server. Ensure that the issuing CA certificate is installed in the Truste
uffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.
er.For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and t

ny shares on the computer and does not send content information to client computers that request content.

k Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box.
y setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow inbound file and printer sharing e

Control Panel to enable the port. Note: The only effect of setting the Status value to "disabled" is that Windows Firewall ignores other defin
efinition string to "disabled," Windows Firewall ignores port requests made by that program and ignores other definitions that set the Sta

y setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow inbound file and printer sharing e

Control Panel to enable the port. Note: The only effect of setting the Status value to "disabled" is that Windows Firewall ignores other defin
efinition string to "disabled," Windows Firewall ignores port requests made by that program and ignores other definitions that set the Sta

ync Center. In Windows 7, Windows Server 2008 R2, Windows 8 or Windows Server 2012, when operating in slow-link mode Offline Files s
g replaces the Default Cache Size setting used by pre-Windows Vista systems.
_CBC_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_W
-term as an application compatibility deployment aid. DCOM servers added to this exemption list are only exempted if their custom launch
y is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, suc
or accounts and supports the RFC behavior for advertising the flexible authentication secure tunneling (FAST). - If you set the "Fail unarmo
s policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\. If this configuration is n
tting will not be applied until the system is rebooted.
ot be stored locally. Using this setting might cause issues with some TPM-based applications. If this policy setting is disabled or not configu

ut mode. An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Co
the TPM exits the lockout mode. An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using t
he lockout mode. An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Manag

r's local clock. If a response is received that has a time variation that is larger than this value, W32time sets the client computer's local cloc
ally configured time source is polled when the time source is configured to use a special polling interval. If the SpecialInterval flag is enable
l to the value configured on the computer. The identification field can be any value of 260 characters or fewer.

ble this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. If this poli

tion, hashing, and signing" policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options spe

elected, a recovery password is automatically generated. If you enable this policy setting, you can control the methods available to users to

reased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.


icy with PCR 7 omitted, will override the "Allow Secure Boot for integrity validation" group policy, preventing BitLocker from using Secure
s whether FIPS-compliance is enabled.

ver data from BitLocker-protected removable data drives. If this policy setting is not configured or disabled, the default recovery options a

policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-comp
e" policy setting should contain the mandatory profile.
en users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel doe
Microsoft" is replaced with the specified text. If you do not configure this policy setting, users can change Windows Error Reporting setting
p Policy settings here: Computer Configuration->Administrative Templates->Windows Components->Maintenance Scheduler 5 = Allow
of the hosted cache servers.
one of the following: - Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy setting,

tificate is installed in the Trusted Root Certification Authorities certificate store on all hosted cache client computers. * This policy setting is
S query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified
e-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drop
ound file and printer sharing exception," "Windows Firewall: Allow inbound remote administration exception," and "Windows Firewall: De

ws Firewall ignores other definitions for that port that set the Status to "enabled." If another policy setting opens a port, or if a program in
her definitions that set the Status of that program to "enabled." Therefore, if you set the Status to "disabled," you prevent administrators

ound file and printer sharing exception," "Windows Firewall: Allow inbound remote administration exception," and "Windows Firewall: De

ws Firewall ignores other definitions for that port that set the Status to "enabled." If another policy setting opens a port, or if a program in
her definitions that set the Status of that program to "enabled." Therefore, if you set the Status to "disabled," you prevent administrators

slow-link mode Offline Files synchronizes the user's files in the background at regular intervals, or as configured by the "Configure Backgr
_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_NULL_SHA256 TLS 1.2 ECC GCM cipher suites: TLS_ECDHE_ECDS
empted if their custom launch permissions do not contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or
mposed by Group Policies, such as those that limit the programs users can run, might interfere with tasks in progress.
). - If you set the "Fail unarmored authentication requests" option, rejects unarmored Kerberos messages. Warning: When "Fail unarmore
Policy\.If this configuration is not implemented on the server, this policy setting is ignored. In this case, Group Policy processing at user logo
etting is disabled or not configured and the "Turn on TPM backup to Active Directory Domain Services" policy setting is also disabled or no

sing the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior standard use
hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout log
ut logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior stan

he client computer's local clock immediately to the time that is accepted as accurate from the Network Time Protocol (NTP) server. If the
e SpecialInterval flag is enabled on the NTPServer setting, the client uses the value that is set as the SpecialPollInterval, instead of the Min
ed fixed data drives. If this policy setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. B

al Policies\Security Options specifies whether FIPS-compliance is enabled.

e methods available to users to recover data from BitLocker-protected operating system drives. If this policy setting is disabled or not config

g BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation. Setting this policy may result in BitLo
he default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by th

s specifies whether FIPS-compliance is enabled.


allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input
ndows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows X
nance Scheduler 5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install upda
mputers by this policy setting, and client computers do not perform hosted cache server discovery. - Enabled. With this selection, the polic

mputers. * This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with B
leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS s
es the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com.
n," and "Windows Firewall: Define inbound port exceptions."

pens a port, or if a program in the program exceptions list asks Windows Firewall to open a port, Windows Firewall opens the port. Note: If
" you prevent administrators from allowing the program to ask Windows Firewall to open additional ports. However, even if the Status is

n," and "Windows Firewall: Define inbound port exceptions."

pens a port, or if a program in the program exceptions list asks Windows Firewall to open a port, Windows Firewall opens the port. Note: If
" you prevent administrators from allowing the program to ask Windows Firewall to open additional ports. However, even if the Status is

ured by the "Configure Background Sync" policy. While in slow-link mode, Windows periodically checks the connection to the folder and b
cipher suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 TLS_ECDH
e, or RemoteActivate grant or deny entries for any users or groups. Also note, exemptions for DCOM Server Appids added to this list will
Warning: When "Fail unarmored authentication requests" is set, then client computers which do not support Kerberos armoring will fail to
p Policy processing at user logon is synchronous (these servers wait for the network to be initialized during user logon). If you disable or do
y setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this polic

out logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediatel
he TPM's hardware lockout logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM no
ware lockout logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again im

e Protocol (NTP) server. If the time variation is less than this value, the client computer's local clock is corrected gradually. Default: 300 sec
ollInterval, instead of the MinPollInterval and MaxPollInterval values, to determine how frequently to poll the time source. The default val
orted for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery passwor

etting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the re

g this policy may result in BitLocker recovery when firmware is updated. If you set this policy to include PCR 0, suspend BitLocker prior to a
options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD D
figure this setting in the Input Panel Options dialog box. If you disable this policy, password security is set to “Medium-High.” At this
rs that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003. If you disable this policy settin
s should notify and install updates. With this option, local administrators will be allowed to use the Windows Update control panel to s
. With this selection, the policy setting is applied to client computers, which perform automatic hosted cache server discovery and which a

, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed.
query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is subm
r example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the q
irewall opens the port. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the
However, even if the Status is "disabled," the program can still receive unsolicited incoming messages through a port if another policy setti

irewall opens the port. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the
However, even if the Status is "disabled," the program can still receive unsolicited incoming messages through a port if another policy setti

onnection to the folder and brings the folder back online if network speeds improve. In Windows 8 or Windows Server 2012, set the Laten
GCM_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 TLS
r Appids added to this list will apply to both 32-bit and 64-bit versions of the server if present.
Kerberos armoring will fail to authenticate to the domain controller. To ensure this feature is effective, deploy enough domain controllers
ser logon).If you disable or do not configure this policy setting and users log on to a client computer or a server running Windows Server 2
n the local registry. If this policy is disabled or not configured and the "Turn on TPM backup to Active Directory Domain Services" group po

M normally again immediately. If this value is not configured, a default value of 4 is used. A value of zero means the OS will not allow stand
dard users to use the TPM normally again immediately. If this value is not configured, a default value of 480 minutes (8 hours) is used.
se the TPM normally again immediately. If this value is not configured, a default value of 9 is used. A value of zero means the OS will not a

ted gradually. Default: 300 seconds. MaxNegPhaseCorrection: This parameter controls the maximum allowable clock correction that can be
he time source. The default value is 3600 seconds (1 hour). EventLogFlags: This value is a bitmask that controls events that may be logged to
ncluding the recovery password and recovery key, and recovery information is not backed up to AD DS

efault a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery

0, suspend BitLocker prior to applying firmware updates.


ation is not backed up to AD DS
“Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switc
If you disable this policy setting, configuration settings in the policy setting are left blank. See related policy settings Display Error Notificati
ows Update control panel to select a configuration option of their choice. Local administrators will not be allowed to disable the configura
e server discovery and which are configured as hosted cache mode clients. - Disabled. With this selection, this policy is not applied to client
xample.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example
fied devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified dev
P echo request messages (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting woul
h a port if another policy setting opens that port. Note: Windows Firewall opens ports for the program only when the program is running a

P echo request messages (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting woul
h a port if another policy setting opens that port. Note: Windows Firewall opens ports for the program only when the program is running a

ws Server 2012, set the Latency threshold to 1ms to keep users always working offline in slow-link mode. If you disable this policy setting,
S_256_GCM_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521 How to modify this setting: 1. Open a blank notepad d
oy enough domain controllers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-awa
ver running Windows Server 2008 or later and that is configured as described earlier, the computer typically does not wait for the network
ory Domain Services" group policy setting is enabled, then only the administrative delegation and the user delegation blobs are stored in

ans the OS will not allow standard users to send commands to the TPM which may cause an authorization failure.
minutes (8 hours) is used.
f zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure.

e clock correction that can be made in a reverse direction. If a time sample is received that indicates a time in the past (as compared to the
events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whene
nd recovery key, and recovery information is not backed up to AD DS.
keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able
ettings Display Error Notification (same folder as this policy setting), and Turn off Windows Error Reporting in Computer Configuration/Adm
owed to disable the configuration for Automatic Updates. If the status for this policy is set to Disabled, any updates that are available on W
s policy is not applied to client computers.
n level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be d
ues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two.
xceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow inbound file and p
when the program is running and "listening" for incoming messages. If the program is not running, or is running but not listening for those

xceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow inbound file and p
when the program is running and "listening" for incoming messages. If the program is not running, or is running but not listening for those

ou disable this policy setting, computers will not use the slow-link mode.
tting: 1. Open a blank notepad document. 2. Copy and paste the list of available suites into it. 3. Arrange the suites in the correct order; remo
and are Kerberos armor-aware to handle the authentication requests. Insufficient number of domain controllers that support this policy r
does not wait for the network to be fully initialized. In this case, users are logged on with cached credentials. Group Policy is applied async
delegation blobs are stored in the local registry. Note: If the operating system managed TPM authentication setting is changed from "Full"

ilure.

rization failure.

n the past (as compared to the client computer's local clock) that has a time difference that is greater than the MaxNegPhaseCorrection va
me will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever
tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. If you do not configure this policy, password
n Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.
pdates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using S
rimary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffi
g to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be co
ewall: Allow inbound file and printer sharing exception," "Windows Firewall: Allow inbound remote administration exception," and "Wind
ing but not listening for those messages, Windows Firewall does not open its ports.

ewall: Allow inbound file and printer sharing exception," "Windows Firewall: Allow inbound remote administration exception," and "Wind
ing but not listening for those messages, Windows Firewall does not open its ports.
ites in the correct order; remove any suites you don't want to use. 4. Place a comma at the end of every suite name except the last. Make s
ollers that support this policy result in authentication failures whenever Dynamic Access Control or Kerberos armoring is required (that is,
. Group Policy is applied asynchronously in the background. Notes: - If you want to guarantee the application of Folder Redirection, Softwa
setting is changed from "Full" to "Delegated" the full TPM owner authorization value will be regenerated and any copies of the original T

he MaxNegPhaseCorrection value, the time sample is discarded. If this happens, the Windows Time source logs an event in the System log
will create an event whenever a time source change is made. Because it is a bitmask value, setting 0x3 (the addition of 0x1 and 0x2) indicat
onfigure this policy, password security is set to “Medium-High” by default. At this setting, when users enter passwords from Input Pa
et Communication settings.
h for Windows Update using Start. If the status is set to Not Configured, use of Automatic Updates is not specified at the Group Policy leve
red using the primary DNS suffix devolution level policy setting. The default devolution level is two. If you enable this policy setting, or if yo
The devolution level can be configured using this policy setting. The default devolution level is two. If you enable this policy setting and DN
tration exception," and "Windows Firewall: Define inbound port exceptions."

tration exception," and "Windows Firewall: Define inbound port exceptions."


e name except the last. Make sure there are NO embedded spaces. 5. Remove all the line breaks so that the cipher suite names are on a sin
armoring is required (that is, the "Supported" option is enabled). Impact on domain controller performance when this policy setting is ena
of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this policy setting to ensure that Win
nd any copies of the original TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD

ogs an event in the System log of Event Viewer. Default: 172,800 seconds. MaxPosPhaseCorrection: This parameter controls the maximum a
ddition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged.
enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display
cified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
able this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenation
able this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify. If this policy setting is
cipher suite names are on a single, long line. 6. Copy the cipher-suite line to the clipboard, then paste it into the edit box. The maximum len
when this policy setting is enabled: - Secure Kerberos domain capability discovery is required resulting in additional message exchanges.
olicy setting to ensure that Windows waits for the network to be available before applying policy. - If Folder Redirection policy will apply du
wner authorization value to AD DS, the new owner authorization value will be automatically backed up to AD DS when it is changed.

meter controls the maximum allowable clock correction that can be made in a forward direction. If a time sample is received that indicates
Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input
el names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix. If you disable this policy settin
u specify. If this policy setting is disabled, or if this policy setting is not configured, DNS clients use the default devolution level of two provid
he edit box. The maximum length is 1023 characters.
dditional message exchanges. - Claims and compound authentication for Dynamic Access Control increases the size and complexity of the
edirection policy will apply during the next logon, security policies will be applied asynchronously during the next update cycle, if network
D DS when it is changed.

mple is received that indicates a time in the future (as compared to the client computer's local clock) that has a time difference greater tha
g on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista. Caution: If you lower password security settings, people wh
f you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolv
devolution level of two provided that DNS devolution is enabled.
the size and complexity of the data in the message which results in more processing time and greater Kerberos service ticket size. - Kerbe
next update cycle, if network connectivity is available.
rd security settings, people who can see the user’s screen might be able to see their passwords.
single-label name to be resolved and the devolved primary DNS suffix.
ros service ticket size. - Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased process
ch results in increased processing time, but does not change the service ticket size.
Policy Path
Control Panel
Control Panel
Control Panel
Control Panel
Control Panel\Add or Remove Programs
Control Panel\Add or Remove Programs
Control Panel\Add or Remove Programs
Control Panel\Add or Remove Programs
Control Panel\Add or Remove Programs
Control Panel\Add or Remove Programs
Control Panel\Add or Remove Programs
Control Panel\Add or Remove Programs
Control Panel\Add or Remove Programs
Control Panel\Add or Remove Programs
Control Panel\Add or Remove Programs
Control Panel\Display
Control Panel\Display
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Personalization
Control Panel\Printers
Control Panel\Printers
Control Panel\Printers
Control Panel\Printers
Control Panel\Printers
Control Panel\Printers
Control Panel\Printers
Control Panel\Printers
Control Panel\Programs
Control Panel\Programs
Control Panel\Programs
Control Panel\Programs
Control Panel\Programs
Control Panel\Programs
Control Panel\Programs
Control Panel\Regional and Language Options
Control Panel\Regional and Language Options
Control Panel\Regional and Language Options
Control Panel\Regional and Language Options
Control Panel\Regional and Language Options
Control Panel\Regional and Language Options
Control Panel\Regional and Language Options
Control Panel\Regional and Language Options
Control Panel\Regional and Language Options
Control Panel\Regional and Language Options
Control Panel\Regional and Language Options\Handwriting personalizat
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop\Active Directory
Desktop\Active Directory
Desktop\Active Directory
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Network Connections
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Offline Files
Network\Windows Connect Now
Shared Folders
Shared Folders
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar\Notifications
Start Menu and Taskbar\Notifications
Start Menu and Taskbar\Notifications
Start Menu and Taskbar\Notifications
System
System
System
System
System
System
System
System
System
System
System\Ctrl+Alt+Del Options
System\Ctrl+Alt+Del Options
System\Ctrl+Alt+Del Options
System\Ctrl+Alt+Del Options
System\Driver Installation
System\Driver Installation
System\Driver Installation
System\Folder Redirection
System\Folder Redirection
System\Folder Redirection
System\Folder Redirection
System\Folder Redirection
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Internet Communication Management
System\Internet Communication Management\Internet Communication
System\Internet Communication Management\Internet Communication
System\Internet Communication Management\Internet Communication
System\Internet Communication Management\Internet Communication
System\Internet Communication Management\Internet Communication
System\Internet Communication Management\Internet Communication
System\Internet Communication Management\Internet Communication
System\Internet Communication Management\Internet Communication
System\Internet Communication Management\Internet Communication
System\Internet Communication Management\Internet Communication
System\Internet Communication Management\Internet Communication
System\Internet Communication Management\Internet Communication
System\Locale Services
System\Locale Services
System\Locale Services
System\Locale Services
System\Logon
System\Logon
System\Logon
System\Power Management
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Removable Storage Access
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\User Profiles
System\User Profiles
System\User Profiles
System\User Profiles
Windows Components\Add features to Windows 8.1
Windows Components\App runtime
Windows Components\Application Compatibility
Windows Components\Attachment Manager
Windows Components\Attachment Manager
Windows Components\Attachment Manager
Windows Components\Attachment Manager
Windows Components\Attachment Manager
Windows Components\Attachment Manager
Windows Components\Attachment Manager
Windows Components\Attachment Manager
Windows Components\AutoPlay Policies
Windows Components\AutoPlay Policies
Windows Components\AutoPlay Policies
Windows Components\AutoPlay Policies
Windows Components\Credential User Interface
Windows Components\Desktop Gadgets
Windows Components\Desktop Gadgets
Windows Components\Desktop Gadgets
Windows Components\Desktop Window Manager
Windows Components\Desktop Window Manager
Windows Components\Desktop Window Manager\Window Frame Color
Windows Components\Desktop Window Manager\Window Frame Color
Windows Components\Digital Locker
Windows Components\Edge UI
Windows Components\Edge UI
Windows Components\EMET
Windows Components\EMET
Windows Components\EMET
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer
Windows Components\File Explorer\Common Open File Dialog
Windows Components\File Explorer\Common Open File Dialog
Windows Components\File Explorer\Common Open File Dialog
Windows Components\File Explorer\Common Open File Dialog
Windows Components\File Explorer\Explorer Frame Pane
Windows Components\File Explorer\Explorer Frame Pane
Windows Components\File Explorer\Previous Versions
Windows Components\File Explorer\Previous Versions
Windows Components\File Explorer\Previous Versions
Windows Components\File Explorer\Previous Versions
Windows Components\File Explorer\Previous Versions
Windows Components\File Explorer\Previous Versions
Windows Components\IME
Windows Components\IME
Windows Components\IME
Windows Components\IME
Windows Components\IME
Windows Components\IME
Windows Components\IME
Windows Components\IME
Windows Components\Instant Search
Windows Components\Location and Sensors
Windows Components\Location and Sensors
Windows Components\Location and Sensors
Windows Components\Microsoft Management Console
Windows Components\Microsoft Management Console
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permi
Windows Components\Microsoft Management Console\Restricted/Permi
Windows Components\Microsoft Management Console\Restricted/Permi
Windows Components\Microsoft Management Console\Restricted/Permi
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permitte
Windows Components\Microsoft Management Console\Restricted/Permitte
Windows Components\Microsoft Management Console\Restricted/Permitte
Windows Components\Microsoft Management Console\Restricted/Permitte
Windows Components\Microsoft Management Console\Restricted/Permitte
Windows Components\Microsoft Management Console\Restricted/Permitte
Windows Components\Microsoft Management Console\Restricted/Permitte
Windows Components\Microsoft Management Console\Restricted/Permitte
Windows Components\Microsoft Management Console\Restricted/Permitte
Windows Components\NetMeeting
Windows Components\NetMeeting
Windows Components\NetMeeting
Windows Components\NetMeeting
Windows Components\NetMeeting
Windows Components\NetMeeting
Windows Components\NetMeeting
Windows Components\NetMeeting
Windows Components\NetMeeting
Windows Components\NetMeeting
Windows Components\NetMeeting
Windows Components\NetMeeting
Windows Components\NetMeeting
Windows Components\NetMeeting
Windows Components\NetMeeting
Windows Components\NetMeeting\Application Sharing
Windows Components\NetMeeting\Application Sharing
Windows Components\NetMeeting\Application Sharing
Windows Components\NetMeeting\Application Sharing
Windows Components\NetMeeting\Application Sharing
Windows Components\NetMeeting\Application Sharing
Windows Components\NetMeeting\Application Sharing
Windows Components\NetMeeting\Audio & Video
Windows Components\NetMeeting\Audio & Video
Windows Components\NetMeeting\Audio & Video
Windows Components\NetMeeting\Audio & Video
Windows Components\NetMeeting\Audio & Video
Windows Components\NetMeeting\Audio & Video
Windows Components\NetMeeting\Options Page
Windows Components\NetMeeting\Options Page
Windows Components\NetMeeting\Options Page
Windows Components\NetMeeting\Options Page
Windows Components\NetMeeting\Options Page
Windows Components\Network Projector
Windows Components\Network Sharing
Windows Components\Presentation Settings
Windows Components\Remote Desktop Services\RD Gateway
Windows Components\Remote Desktop Services\RD Gateway
Windows Components\Remote Desktop Services\RD Gateway
Windows Components\Remote Desktop Services\Remote Desktop Conne
Windows Components\Remote Desktop Services\Remote Desktop Conne
Windows Components\Remote Desktop Services\Remote Desktop Conne
Windows Components\Remote Desktop Services\Remote Desktop Conne
Windows Components\Remote Desktop Services\Remote Desktop Sessi
Windows Components\Remote Desktop Services\Remote Desktop Session
Windows Components\Remote Desktop Services\Remote Desktop Sessi
Windows Components\Remote Desktop Services\Remote Desktop Sessio
Windows Components\Remote Desktop Services\Remote Desktop Sessio
Windows Components\Remote Desktop Services\Remote Desktop Sessio
Windows Components\Remote Desktop Services\Remote Desktop Sessio
Windows Components\Remote Desktop Services\RemoteApp and Deskt
Windows Components\RSS Feeds
Windows Components\RSS Feeds
Windows Components\RSS Feeds
Windows Components\RSS Feeds
Windows Components\RSS Feeds
Windows Components\RSS Feeds
Windows Components\Sound Recorder
Windows Components\Tablet PC\Accessories
Windows Components\Tablet PC\Accessories
Windows Components\Tablet PC\Accessories
Windows Components\Tablet PC\Accessories
Windows Components\Tablet PC\Cursors
Windows Components\Tablet PC\Hardware Buttons
Windows Components\Tablet PC\Hardware Buttons
Windows Components\Tablet PC\Hardware Buttons
Windows Components\Tablet PC\Hardware Buttons
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Pen Flicks Learning
Windows Components\Tablet PC\Pen UX Behaviors
Windows Components\Tablet PC\Tablet PC Pen Training
Windows Components\Tablet PC\Touch Input
Windows Components\Tablet PC\Touch Input
Windows Components\Task Scheduler
Windows Components\Task Scheduler
Windows Components\Task Scheduler
Windows Components\Task Scheduler
Windows Components\Task Scheduler
Windows Components\Task Scheduler
Windows Components\Task Scheduler
Windows Components\Windows Calendar
Windows Components\Windows Color System
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting\Advanced Error Report
Windows Components\Windows Error Reporting\Advanced Error Report
Windows Components\Windows Error Reporting\Advanced Error Report
Windows Components\Windows Error Reporting\Consent
Windows Components\Windows Error Reporting\Consent
Windows Components\Windows Error Reporting\Consent
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Installer
Windows Components\Windows Logon Options
Windows Components\Windows Logon Options
Windows Components\Windows Logon Options
Windows Components\Windows Mail
Windows Components\Windows Mail
Windows Components\Windows Media Center
Windows Components\Windows Media Player
Windows Components\Windows Media Player
Windows Components\Windows Media Player
Windows Components\Windows Media Player\Networking
Windows Components\Windows Media Player\Networking
Windows Components\Windows Media Player\Networking
Windows Components\Windows Media Player\Networking
Windows Components\Windows Media Player\Networking
Windows Components\Windows Media Player\Networking
Windows Components\Windows Media Player\Playback
Windows Components\Windows Media Player\Playback
Windows Components\Windows Media Player\User Interface
Windows Components\Windows Media Player\User Interface
Windows Components\Windows Media Player\User Interface
Windows Components\Windows Media Player\User Interface
Windows Components\Windows Messenger
Windows Components\Windows Messenger
Windows Components\Windows Mobility Center
Windows Components\Windows PowerShell
Windows Components\Windows PowerShell
Windows Components\Windows PowerShell
Windows Components\Windows Update
Windows Components\Windows Update
Windows Components\Windows Update
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar
Start Menu and Taskbar\Notifications
Start Menu and Taskbar\Notifications
Start Menu and Taskbar\Notifications
Start Menu and Taskbar\Notifications
Windows Components\App runtime
Windows Components\Edge UI
Windows Components\Edge UI
Windows Components\Edge UI
Windows Components\Edge UI
Windows Components\File Revocation
Windows Components\Store
Windows Components\Store
Windows Components\Windows Error Reporting
Windows Components\Work Folders
System\Internet Communication Management\Internet Communication
Windows Components\App runtime
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Perm
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permi
Windows Components\Microsoft Management Console\Restricted/Permi
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Microsoft Management Console\Restricted/Permit
Windows Components\Remote Desktop Services\Remote Desktop Sessio
Windows Components\Remote Desktop Services\Remote Desktop Sessio
Windows Components\Remote Desktop Services\Remote Desktop Session
Windows Components\Remote Desktop Services\Remote Desktop Sessi
Windows Components\Remote Desktop Services\Remote Desktop Sessi
Windows Components\Remote Desktop Services\Remote Desktop Sessio
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Windows Components\Search
Policy Setting Name
Always open All Control Panel Items when opening Control Panel
Hide specified Control Panel items
Prohibit access to Control Panel and PC settings
Show only specified Control Panel items
Go directly to Components Wizard
Hide Add New Programs page
Hide Add/Remove Windows Components page
Hide Change or Remove Programs page
Hide the "Add a program from CD-ROM or floppy disk" option
Hide the "Add programs from Microsoft" option
Hide the "Add programs from your network" option
Hide the Set Program Access and Defaults page
Remove Add or Remove Programs
Remove Support Information
Specify default category for Add New Programs
Disable the Display Control Panel
Hide Settings tab
Enable screen saver
Force a specific visual style file or force Windows Classic
Force specific screen saver
Load a specific theme
Password protect the screen saver
Prevent changing color and appearance
Prevent changing color scheme
Prevent changing desktop background
Prevent changing desktop icons
Prevent changing mouse pointers
Prevent changing screen saver
Prevent changing sounds
Prevent changing theme
Prevent changing visual style for windows and buttons
Prohibit selection of visual style font size
Screen saver timeout
Browse a common web site to find printers
Browse the network to find printers
Default Active Directory path when searching for printers
Only use Package Point and print
Package Point and print - Approved servers
Point and Print Restrictions
Prevent addition of printers
Prevent deletion of printers
Hide "Get Programs" page
Hide "Installed Updates" page
Hide "Programs and Features" page
Hide "Set Program Access and Computer Defaults" page
Hide "Windows Features"
Hide "Windows Marketplace"
Hide the Programs Control Panel
Hide Regional and Language Options administrative options
Hide the geographic location option
Hide the select language group options
Hide user locale selection and customization options
Restrict selection of Windows menus and dialogs language
Restricts the UI languages Windows should use for the selected user
Turn off autocorrect misspelled words
Turn off highlight misspelled words
Turn off insert a space after selecting a text prediction
Turn off offer text predictions as I type
Turn off automatic learning
Do not add shares of recently opened documents to Network Locations
Don't save settings at exit
Hide and disable all items on the desktop
Hide Internet Explorer icon on desktop
Hide Network Locations icon on desktop
Prevent adding, dragging, dropping and closing the Taskbar's toolbars
Prohibit adjusting desktop toolbars
Prohibit User from manually redirecting Profile Folders
Remove Computer icon on the desktop
Remove My Documents icon on the desktop
Remove Properties from the Computer icon context menu
Remove Properties from the Documents icon context menu
Remove Properties from the Recycle Bin context menu
Remove Recycle Bin icon from desktop
Remove the Desktop Cleanup Wizard
Turn off Aero Shake window minimizing mouse gesture
Enable filter in Find dialog box
Hide Active Directory folder
Maximum size of Active Directory searches
Add/Delete items
Allow only bitmapped wallpaper
Desktop Wallpaper
Disable Active Desktop
Disable all items
Enable Active Desktop
Prohibit adding items
Prohibit changes
Prohibit closing items
Prohibit deleting items
Prohibit editing items
Ability to change properties of an all user remote access connection
Ability to delete all user remote access connections
Ability to Enable/Disable a LAN connection
Ability to rename all user remote access connections
Ability to rename LAN connections
Ability to rename LAN connections or remote access connections available to all users
Enable Windows 2000 Network Connections settings for Administrators
Prohibit access to properties of a LAN connection
Prohibit access to properties of components of a LAN connection
Prohibit access to properties of components of a remote access connection
Prohibit access to the Advanced Settings item on the Advanced menu
Prohibit access to the New Connection Wizard
Prohibit access to the Remote Access Preferences item on the Advanced menu
Prohibit adding and removing components for a LAN or remote access connection
Prohibit changing properties of a private remote access connection
Prohibit connecting and disconnecting a remote access connection
Prohibit deletion of remote access connections
Prohibit Enabling/Disabling components of a LAN connection
Prohibit renaming private remote access connections
Prohibit TCP/IP advanced configuration
Prohibit viewing of status for an active connection
Turn off notifications when a connection has only limited or no connectivity
Action on server disconnect
Event logging level
Initial reminder balloon lifetime
Non-default server disconnect actions
Prevent use of Offline Files folder
Prohibit user configuration of Offline Files
Reminder balloon frequency
Reminder balloon lifetime
Remove "Make Available Offline" command
Remove "Make Available Offline" for these files and folders
Remove "Work offline" command
Specify administratively assigned Offline Files
Synchronize all offline files before logging off
Synchronize all offline files when logging on
Synchronize offline files before suspend
Turn off reminder balloons
Prohibit access of the Windows Connect Now wizards
Allow DFS roots to be published
Allow shared folders to be published
Add "Run in Separate Memory Space" check box to Run dialog box
Add Logoff to the Start Menu
Add Search Internet link to Start Menu
Add the Run command to the Start Menu
Change Start Menu power button
Clear history of recently opened documents on exit
Clear history of tile notifications on exit
Clear the recent programs list for new users
Do not allow pinning items in Jump Lists
Do not allow pinning programs to the Taskbar
Do not allow taskbars on more than one display
Do not display any custom toolbars in the taskbar
Do not display or track items in Jump Lists from remote locations
Do not keep history of recently opened documents
Do not search communications
Do not search for files
Do not search Internet
Do not search programs and Control Panel items
Do not use the search-based method when resolving shell shortcuts
Do not use the tracking-based method when resolving shell shortcuts
Force classic Start Menu
Gray unavailable Windows Installer programs Start Menu shortcuts
Hide the notification area
Lock all taskbar settings
Lock the Taskbar
Prevent changes to Taskbar and Start Menu Settings
Prevent grouping of taskbar items
Prevent users from adding or removing toolbars
Prevent users from moving taskbar to another screen dock location
Prevent users from rearranging toolbars
Prevent users from resizing the taskbar
Prevent users from uninstalling applications from Start
Remove access to the context menus for the taskbar
Remove All Programs list from the Start menu
Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands
Remove Balloon Tips on Start Menu items
Remove Clock from the system notification area
Remove common program groups from Start Menu
Remove Default Programs link from the Start menu.
Remove Documents icon from Start Menu
Remove Downloads link from Start Menu
Remove Favorites menu from Start Menu
Remove frequent programs list from the Start Menu
Remove Games link from Start Menu
Remove Help menu from Start Menu
Remove Homegroup link from Start Menu
Remove links and access to Windows Update
Remove Logoff on the Start Menu
Remove Music icon from Start Menu
Remove Network Connections from Start Menu
Remove Network icon from Start Menu
Remove Pictures icon from Start Menu
Remove pinned programs from the Taskbar
Remove pinned programs list from the Start Menu
Remove programs on Settings menu
Remove Recent Items menu from Start Menu
Remove Recorded TV link from Start Menu
Remove Run menu from Start Menu
Remove Search Computer link
Remove Search link from Start Menu
Remove See More Results / Search Everywhere link
Remove the "Undock PC" button from the Start Menu
Remove the Action Center icon
Remove the battery meter
Remove the networking icon
Remove the volume control icon
Remove user folder link from Start Menu
Remove user name from Start Menu
Remove user's folders from the Start Menu
Remove Videos link from Start Menu
Show "Run as different user" command on Start
Show QuickLaunch on Taskbar
Turn off all balloon notifications
Turn off automatic promotion of notification icons to the taskbar
Turn off feature advertisement balloon notifications
Turn off notification area cleanup
Turn off personalized menus
Turn off taskbar thumbnails
Turn off user tracking
Turn off notifications network usage
Turn off tile notifications
Turn off toast notifications
Turn off toast notifications on the lock screen
Century interpretation for Year 2000
Custom User Interface
Do not display the Getting Started welcome screen at logon
Don't run specified Windows applications
Download missing COM components
Prevent access to registry editing tools
Prevent access to the command prompt
Restrict these programs from being launched from Help
Run only specified Windows applications
Windows Automatic Updates
Remove Change Password
Remove Lock Computer
Remove Logoff
Remove Task Manager
Code signing for device drivers
Configure driver search locations
Turn off Windows Update device driver search prompt
Do not automatically make all redirected folders available offline
Do not automatically make specific redirected folders available offline
Enable optimized move of contents in Offline Files cache on Folder Redirection server path change
Redirect folders on primary computers only
Use localized subfolder names when redirecting Start Menu and My Documents
Configure Group Policy domain controller selection
Configure Group Policy slow link detection
Create new Group Policy Object links disabled by default
Determine if interactive users can generate Resultant Set of Policy data
Enforce Show Policies Only
Set default name for new Group Policy objects
Set Group Policy refresh interval for users
Turn off automatic update of ADM files
Restrict Internet communication
Turn off access to the Store
Turn off downloading of print drivers over HTTP
Turn off handwriting recognition error reporting
Turn off Help Experience Improvement Program
Turn off Help Ratings
Turn off Internet download for Web publishing and online ordering wizards
Turn off Internet File Association service
Turn off printing over HTTP
Turn off the "Order Prints" picture task
Turn off the "Publish to Web" task for files and folders
Turn off the Windows Messenger Customer Experience Improvement Program
Turn off Windows Online
Disallow changing of geographic location
Disallow selection of Custom Locales
Disallow user override of locale settings
Restrict user locales
Do not process the legacy run list
Do not process the run once list
Run these programs at user logon
Prompt for password on resume from hibernate/suspend
All Removable Storage classes: Deny all access
CD and DVD: Deny read access
CD and DVD: Deny write access
Custom Classes: Deny read access
Custom Classes: Deny write access
Floppy Drives: Deny read access
Floppy Drives: Deny write access
Removable Disks: Deny read access
Removable Disks: Deny write access
Set time (in seconds) to force reboot
Tape Drives: Deny read access
Tape Drives: Deny write access
WPD Devices: Deny read access
WPD Devices: Deny write access
Display instructions in logoff scripts as they run
Display instructions in logon scripts as they run
Run legacy logon scripts hidden
Run logon scripts synchronously
Run Windows PowerShell scripts first at user logon, logoff
Connect home directory to root of the share
Exclude directories in roaming profile
Limit profile size
Specify network directories to sync at logon/logoff time only
Prevent the wizard from running.
Block launching desktop apps associated with a file.
Turn off Program Compatibility Assistant
Default risk level for file attachments
Do not preserve zone information in file attachments
Hide mechanisms to remove zone information
Inclusion list for high risk file types
Inclusion list for low file types
Inclusion list for moderate risk file types
Notify antivirus programs when opening attachments
Trust logic for file attachments
Disallow Autoplay for non-volume devices
Prevent AutoPlay from remembering user choices.
Set the default behavior for AutoRun
Turn off Autoplay
Do not display the password reveal button
Restrict unpacking and installation of gadgets that are not digitally signed.
Turn off desktop gadgets
Turn Off user-installed desktop gadgets
Do not allow Flip3D invocation
Do not allow window animations
Do not allow color changes
Specify a default color
Do not allow Digital Locker to run
Turn off switching between recent apps
Turn off tracking of app usage
Default Protections for Internet Explorer
Default Protections for Popular Software
Default Protections for Recommended Software
Allow only per user or approved shell extensions
Disable binding directly to IPropertySetStorage without intermediate layers.
Disable Known Folders
Display confirmation dialog when deleting files
Display the menu bar in File Explorer
Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon
Do not display the Welcome Center at user logon
Do not move deleted files to the Recycle Bin
Do not request alternate credentials
Do not track Shell shortcuts during roaming
Hide these specified drives in My Computer
Hides the Manage item on the File Explorer context menu
Location where all default Library definition files for users/machines reside.
Maximum allowed Recycle Bin size
Maximum number of recent documents
No Computers Near Me in Network Locations
No Entire Network in Network Locations
Pin Internet search sites to the "Search again" links and the Start menu
Pin Libraries or Search Connectors to the "Search again" links and the Start menu
Prevent access to drives from My Computer
Prevent users from adding files to the root of their Users Files folder.
Remove "Map Network Drive" and "Disconnect Network Drive"
Remove CD Burning features
Remove DFS tab
Remove File Explorer's default context menu
Remove File menu from File Explorer
Remove Hardware tab
Remove Search button from File Explorer
Remove Security tab
Remove Shared Documents from My Computer
Remove the Search the Internet "Search again" link
Remove UI to change keyboard navigation indicator setting
Remove UI to change menu animation setting
Request credentials for network installations
Start File Explorer with ribbon minimized
Turn off caching of thumbnail pictures
Turn off common control and window animations
Turn off display of recent search entries in the File Explorer search box
Turn off numerical sorting in File Explorer
Turn off shell protocol protected mode
Turn off the caching of thumbnails in hidden thumbs.db files
Turn off the display of snippets in Content view mode
Turn off the display of thumbnails and only display icons on network folders
Turn off the display of thumbnails and only display icons.
Turn off Windows Libraries features that rely on indexed file data
Turn off Windows+X hotkeys
Turn on Classic Shell
Hide the common dialog back button
Hide the common dialog places bar
Hide the dropdown list of recent files
Items displayed in Places Bar
Turn off Preview Pane
Turn on or off details pane
Hide previous versions list for local files
Hide previous versions list for remote files
Hide previous versions of files on backup location
Prevent restoring local previous versions
Prevent restoring previous versions from backups
Prevent restoring remote previous versions
Do not include Non-Publishing Standard Glyph in the candidate list
Restrict character code range of conversion
Turn off custom dictionary
Turn off history-based predictive input
Turn off Internet search integration
Turn off Open Extended Dictionary
Turn off saving auto-tuning data to file
Turn on misconversion logging for misconversion report
Custom Instant Search Internet search provider
Turn off location
Turn off location scripting
Turn off sensors
Restrict the user from entering author mode
Restrict users to the explicitly permitted list of snap-ins
.Net Framework Configuration
Active Directory Domains and Trusts
Active Directory Sites and Services
Active Directory Users and Computers
ActiveX Control
ADSI Edit
Certificate Templates
Certificates
Certification Authority
Component Services
Computer Management
Device Manager
Disk Defragmenter
Disk Management
Distributed File System
Enterprise PKI
Event Viewer
Event Viewer (Windows Vista)
Failover Clusters Manager
FAX Service
FrontPage Server Extensions
Health Registration Authority (HRA)
Indexing Service
Internet Authentication Service (IAS)
Internet Information Services
IP Security Monitor
IP Security Policy Management
Link to Web Address
Local Users and Groups
NAP Client Configuration
Network Policy Server (NPS)
Online Responder
Performance Logs and Alerts
QoS Admission Control
Remote Desktop Services Configuration
Remote Desktops
Removable Storage Management
Routing and Remote Access
Security Configuration and Analysis
Security Templates
Server Manager
Services
Shared Folders
System Information
Telephony
TPM Management
Windows Firewall with Advanced Security
Wireless Monitor
WMI Control
AppleTalk Routing
Authorization Manager
Certification Authority Policy Settings
Connection Sharing (NAT)
DCOM Configuration Extension
Device Manager
DHCP Relay Management
Event Viewer
Event Viewer (Windows Vista)
Extended View (Web View)
IAS Logging
IGMP Routing
IP Routing
IPX RIP Routing
IPX Routing
IPX SAP Routing
Logical and Mapped Drives
OSPF Routing
Public Key Policies
RAS Dialin - User Node
Remote Access
Removable Storage
RIP Routing
Routing
Send Console Message
Service Dependencies
Shared Folders Ext
SMTP Protocol
SNMP
System Properties
Group Policy Management
Group Policy Object Editor
Group Policy tab for Active Directory Tools
Resultant Set of Policy snap-in
Administrative Templates (Computers)
Administrative Templates (Users)
Folder Redirection
Internet Explorer Maintenance
IP Security Policy Management
NAP Client Configuration
Remote Installation Services
Scripts (Logon/Logoff)
Scripts (Startup/Shutdown)
Security Settings
Software Installation (Computers)
Software Installation (Users)
Windows Firewall with Advanced Security
Wired Network (IEEE 802.3) Policies
Wireless Network (IEEE 802.11) Policies
Administrative Templates (Computers)
Administrative Templates (Users)
Folder Redirection
Internet Explorer Maintenance
Scripts (Logon/Logoff)
Scripts (Startup/Shutdown)
Security Settings
Software Installation (Computers)
Software Installation (Users)
Allow persisting automatic acceptance of Calls
Disable Chat
Disable Directory services
Disable NetMeeting 2.x Whiteboard
Disable Whiteboard
Enable Automatic Configuration
Limit the size of sent files
Prevent adding Directory servers
Prevent automatic acceptance of Calls
Prevent changing Call placement method
Prevent receiving files
Prevent sending files
Prevent viewing Web directory
Set Call Security options
Set the intranet support Web page
Disable application Sharing
Prevent Application Sharing in true color
Prevent Control
Prevent Desktop Sharing
Prevent Sharing
Prevent Sharing Command Prompts
Prevent Sharing Explorer windows
Disable Audio
Disable full duplex Audio
Limit the bandwidth of Audio and Video
Prevent changing DirectSound Audio setting
Prevent receiving Video
Prevent sending Video
Disable the Advanced Calling button
Hide the Audio page
Hide the General page
Hide the Security page
Hide the Video page
Turn off Connect to a Network Projector
Prevent users from sharing files within their profile.
Turn off Windows presentation settings
Enable connection through RD Gateway
Set RD Gateway authentication method
Set RD Gateway server address
Allow .rdp files from unknown publishers
Allow .rdp files from valid publishers and user's default .rdp settings
Do not allow passwords to be saved
Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
Set rules for remote control of Remote Desktop Services user sessions
Use Remote Desktop Easy Print printer driver first
Start a program on connection
End session when time limits are reached
Set time limit for active but idle Remote Desktop Services sessions
Set time limit for active Remote Desktop Services sessions
Set time limit for disconnected sessions
Specify default connection URL
Prevent access to feed list
Prevent automatic discovery of feeds and Web Slices
Prevent downloading of enclosures
Prevent subscribing to or deleting a feed or a Web Slice
Turn off background synchronization for feeds and Web Slices
Turn on Basic feed authentication over HTTP
Do not allow Sound Recorder to run
Do not allow Inkball to run
Do not allow printing to Journal Note Writer
Do not allow Snipping Tool to run
Do not allow Windows Journal to be run
Turn off pen feedback
Prevent Back-ESC mapping
Prevent launch an application
Prevent press and hold
Turn off hardware buttons
Disable text prediction
For tablet pen input, don’t show the Input Panel icon
For touch input, don’t show the Input Panel icon
Include rarely used Chinese, Kanji, or Hanja characters
Prevent Input Panel tab from appearing
Turn off AutoComplete integration with Input Panel
Turn off password security in Input Panel
Turn off tolerant and Z-shaped scratch-out gestures
Prevent Flicks Learning Mode
Prevent flicks
Turn off Tablet PC Pen Training
Turn off Tablet PC touch input
Turn off Touch Panning
Hide Advanced Properties Checkbox in Add Scheduled Task Wizard
Hide Property Pages
Prevent Task Run or End
Prohibit Browse
Prohibit Drag-and-Drop
Prohibit New Task Creation
Prohibit Task Deletion
Turn off Windows Calendar
Prohibit installing or uninstalling color profiles
Disable logging
Disable Windows Error Reporting
Do not send additional data
Do not throttle additional data
Send additional data when on battery power
Send data when on connected to a restricted/costed network
Configure Report Archive
Configure Report Queue
List of applications to be excluded
Configure Default consent
Customize consent settings
Ignore custom consent settings
Always install with elevated privileges
Prevent removable media source for any installation
Prohibit rollback
Specify the order in which Windows Installer searches for installation files
Remove logon hours expiration warnings
Report when logon server was not available during user logon
Set action to take when logon hours expire
Turn off the communities features
Turn off Windows Mail application
Do not allow Windows Media Center to run
Prevent CD and DVD Media Information Retrieval
Prevent Music File Media Information Retrieval
Prevent Radio Station Preset Retrieval
Configure HTTP Proxy
Configure MMS Proxy
Configure Network Buffering
Configure RTSP Proxy
Hide Network Tab
Streaming Media Protocols
Allow Screen Saver
Prevent Codec Download
Do Not Show Anchor
Hide Privacy Tab
Hide Security Tab
Set and Lock Skin
Do not allow Windows Messenger to be run
Do not automatically start Windows Messenger initially
Turn off Windows Mobility Center
Set the default source path for Update-Help
Turn on Module Logging
Turn on Script Execution
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
Remove access to use all Windows Update features
Go to the desktop instead of Start when signing in or when all the apps on a screen are closed
List desktop apps first in the Apps view
Pin Apps to Start when installed
Prevent users from customizing their Start Screen
Search just apps from the Apps view
Show Start on the display the user is using when they press the Windows logo key
Show the Apps view automatically when the user goes to Start
Start Screen Layout
Set the time Quiet Hours begins each day
Set the time Quiet Hours ends each day
Turn off calls during Quiet Hours
Turn off Quiet Hours
Allow Microsoft accounts to be optional
Disable help tips
Do not show recent apps when the mouse is pointing to the upper-left corner of the screen
Prevent users from replacing the Command Prompt with Windows PowerShell in the menu they see when they right-click
Search, Share, Start, Devices, and Settings don't appear when the mouse is pointing to the upper-right corner of the scr
Allow Windows Runtime apps to revoke enterprise data
Turn off the offer to update to the latest version of Windows
Turn off the Store application
Automatically send memory dumps for OS-generated error reports
Specify Work Folders settings
Turn off handwriting personalization data sharing
Block launching desktop apps associated with a URI scheme
DFS Management
File Server Resource Manager
Share and Storage Management
Storage Manager for SANs
DFS Management Extension
Disk Management Extension
File Server Resource Manager Extension
Share and Storage Management Extension
Storage Manager for SANS Extension
Group Policy Management Editor
Group Policy Starter GPO Editor
Permit use of Application snap-ins
Permit use of Applications preference extension
Permit use of Control Panel Settings (Computers)
Permit use of Control Panel Settings (Users)
Permit use of Data Sources preference extension
Permit use of Devices preference extension
Permit use of Drive Maps preference extension
Permit use of Environment preference extension
Permit use of Files preference extension
Permit use of Folder Options preference extension
Permit use of Folders preference extension
Permit use of Ini Files preference extension
Permit use of Internet Settings preference extension
Permit use of Local Users and Groups preference extension
Permit use of Network Options preference extension
Permit use of Network Shares preference extension
Permit use of Power Options preference extension
Permit use of Preferences tab
Permit use of Printers preference extension
Permit use of Regional Options preference extension
Permit use of Registry preference extension
Permit use of Scheduled Tasks preference extension
Permit use of Services preference extension
Permit use of Shortcuts preference extension
Permit use of Start Menu preference extension
Allow time zone redirection
Do not allow Clipboard redirection
Redirect only the default client printer
Always show desktop on connection
Remove remote desktop wallpaper
Set time limit for logoff of RemoteApp sessions
Default excluded paths
Default indexed paths
Prevent adding UNC locations to index from Control Panel
Prevent customization of indexed locations in Control Panel
Prevent indexing certain paths
Turn off storage and display of search history
MSFT 2012 R2

Enabled

Enabled: scrnsave.sc

Enabled
Enabled
Enabled
Enabled
Disabled
Enabled

Enabled
Enabled
Enabled
Registry Information
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ForceClassicControlPanel
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisallowCpl, HKCU\Software\M
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoControlPanel
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!RestrictCpl, HKCU\Software\Mi
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddPage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoWindowsSetupPage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoRemovePage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddFromCDorFloppy
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddFromInternet
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddFromNetwork
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoChooseProgramsPage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddRemovePrograms
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoSupportInfo
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!DefaultCategory
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispCPL
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispSettingsPage
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaveActive
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!SetVisualStyle
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!SCRNSAVE.EXE
HKCU\Software\Policies\Microsoft\Windows\Personalization!ThemeFile
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaverIsSecure
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispAppearancePage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoColorChoice
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoChangingWallPaper
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispBackgroundPage
HKCU\Software\Policies\Microsoft\Windows\Personalization!NoChangingMousePointers
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispScrSavPage
HKCU\Software\Policies\Microsoft\Windows\Personalization!NoChangingSoundScheme
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoThemesTab
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoVisualStyleChoice
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoSizeChoice
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaveTimeOut
HKCU\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Printers Page URL
HKCU\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Downlevel Browse
HKCU\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Default Search Scope
HKCU\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint!PackagePointAndPri
HKCU\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint!PackagePointAndPrin
HKCU\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint!Restricted, HKCU\Software\P
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAddPrinter
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDeletePrinter
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoGetPrograms
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoInstalledUpdates
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoProgramsAndFeatures
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoDefaultPrograms
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoWindowsFeatures
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoWindowsMarketplace
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoProgramsCPL
HKCU\Software\Policies\Microsoft\Control Panel\International!HideAdminOptions
HKCU\Software\Policies\Microsoft\Control Panel\International!HideCurrentLocation
HKCU\Software\Policies\Microsoft\Control Panel\International!HideLanguageSelection
HKCU\Software\Policies\Microsoft\Control Panel\International!HideLocaleSelectAndCustomize
HKCU\Software\Policies\Microsoft\Control Panel\Desktop!MultiUILanguageID
HKCU\Software\Policies\Microsoft\Control Panel\Desktop!PreferredUILanguages
HKCU\Software\Policies\Microsoft\Control Panel\International!TurnOffAutocorrectMisspelledWords
HKCU\Software\Policies\Microsoft\Control Panel\International!TurnOffHighlightMisspelledWords
HKCU\Software\Policies\Microsoft\Control Panel\International!TurnOffInsertSpace
HKCU\Software\Policies\Microsoft\Control Panel\International!TurnOffOfferTextPredictions
HKCU\SOFTWARE\Policies\Microsoft\InputPersonalization!RestrictImplicitTextCollection, HKCU\SOFTW
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecentDocsNetHood
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSaveSettings
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetIcon
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoNetHood
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoCloseDragDropBands
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoMovingBands
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisablePersonalDirChange
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum!{20D04FE0-3AEA-1069-A2D
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum!{450D8FBA-AD25-11D0-98A
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPropertiesMyComputer
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPropertiesMyDocuments
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPropertiesRecycleBin
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum!{645FF040-5081-101B-9F08
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDesktopCleanupWizard
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoWindowMinimizingShortcuts
HKCU\Software\Policies\Microsoft\Windows\Directory UI!EnableFilter
HKCU\Software\Policies\Microsoft\Windows\Directory UI!HideDirectoryFolder
HKCU\Software\Policies\Microsoft\Windows\Directory UI!QueryLimit
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\AdminComponent!Add,
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoHTMLWallPaper
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!Wallpaper, HKCU\Software\Mic
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ForceActiveDesktopOn
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoAddingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoActiveDesktopChanges
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoClosingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoDeletingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoEditingComponents
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RasAllUserProperties
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_DeleteAllUserConnection
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_LanConnect
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RenameAllUserRasConnecti
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RenameLanConnection
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RenameConnection
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_EnableAdminProhibits
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_LanProperties
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_LanChangeProperties
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RasChangeProperties
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_AdvancedSettings
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_NewConnectionWizard
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_DialupPrefs
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_AddRemoveComponents
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RasMyProperties
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RasConnect
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_DeleteConnection
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_ChangeBindState
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RenameMyRasConnection
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_AllowAdvancedTCPIPConfig
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_Statistics
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_IpStateChecking
HKCU\Software\Policies\Microsoft\Windows\NetCache!GoOfflineAction
HKCU\Software\Policies\Microsoft\Windows\NetCache!EventLoggingLevel
HKCU\Software\Policies\Microsoft\Windows\NetCache!InitialBalloonTimeoutSeconds
HKCU\Software\Policies\Microsoft\Windows\NetCache\CustomGoOfflineActions
HKCU\Software\Policies\Microsoft\Windows\NetCache!NoCacheViewer
HKCU\Software\Policies\Microsoft\Windows\NetCache!NoConfigCache
HKCU\Software\Policies\Microsoft\Windows\NetCache!ReminderFreqMinutes
HKCU\Software\Policies\Microsoft\Windows\NetCache!ReminderBalloonTimeoutSeconds
HKCU\Software\Policies\Microsoft\Windows\NetCache!NoMakeAvailableOffline
HKCU\Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOfflineList
HKCU\Software\Policies\Microsoft\Windows\NetCache!WorkOfflineDisabled
HKCU\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders
HKCU\Software\Policies\Microsoft\Windows\NetCache!SyncAtLogoff
HKCU\Software\Policies\Microsoft\Windows\NetCache!SyncAtLogon
HKCU\Software\Policies\Microsoft\Windows\NetCache!SyncAtSuspend
HKCU\Software\Policies\Microsoft\Windows\NetCache!NoReminders
HKCU\Software\Policies\Microsoft\Windows\WCN\UI!DisableWcnUi
HKCU\Software\Policies\Microsoft\Windows NT\SharedFolders!PublishDfsRoots
HKCU\Software\Policies\Microsoft\Windows NT\SharedFolders!PublishSharedFolders
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!MemCheckBoxInRunDlg
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ForceStartMenuLogOff
HKCU\Software\Policies\Microsoft\Windows\Explorer!AddSearchInternetLinkInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ForceRunOnStartMenu
HKCU\Software\Policies\Microsoft\Windows\Explorer!PowerButtonAction
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ClearRecentDocsOnExit
HKCU\Software\Policies\Microsoft\Windows\Explorer!ClearTilesOnExit
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ClearRecentProgForNewUser
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoPinningToDestinations
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoPinningToTaskbar
HKCU\Software\Policies\Microsoft\Windows\Explorer!TaskbarNoMultimon
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoToolbarsOnTaskbar
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoRemoteDestinations
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecentDocsHistory
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSearchCommInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSearchFilesInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSearchInternetInStartMen
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSearchProgramsInStartMe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoResolveSearch
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoResolveTrack
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSimpleStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!GreyMSIAds
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoTrayItemsDisplay
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarLockAll
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!LockTaskbar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSetTaskbar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoTaskGrouping
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoAddRemoveToolba
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoRedock
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoDragToolbar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoResize
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoUninstallFromStart
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoTrayContextMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMorePrograms
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoClose
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMBalloonTip
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideClock
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoCommonGroups
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMConfigurePrograms
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMMyDocs
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoStartMenuDownloads
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoFavoritesMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMFUprogramsLi
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMyGames
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMHelp
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoStartMenuHomegroup
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWindowsUpdate
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!StartMenuLogOff
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMyMusic
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoNetworkConnections
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuNetworkPlaces
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMMyPictures
HKCU\Software\Policies\Microsoft\Windows\Explorer!TaskbarNoPinnedList
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuPinnedList
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSetFolders
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecentDocsMenu
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoStartMenuRecordedTV
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSearchComputerLinkInSta
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoFind
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoSearchEverywhereLinkInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuEjectPC
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideSCAHealth
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideSCAPower
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideSCANetwork
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideSCAVolume
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoUserFolderInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoUserNameInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuSubFolders
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoStartMenuVideos
HKCU\Software\Policies\Microsoft\Windows\Explorer!ShowRunAsDifferentUserInStart
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!QuickLaunchEnabled
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoNotification
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoSystraySystemPromotion
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoBalloonFeatureAdvertisements
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutoTrayNotify
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!Intellimenus
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoThumbnail
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInstrumentation
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!NoCloudApplication
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!NoTileApplicationNo
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!NoToastApplication
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!NoToastApplicatio
HKCU\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax!1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!Shell
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWelcomeScreen
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisallowRun, HKCU\Software\
HKCU\Software\Policies\Microsoft\Windows\App Management!COMClassStore
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableRegistryTools
HKCU\Software\Policies\Microsoft\Windows\System!DisableCMD
HKCU\Software\Policies\Microsoft\Windows\System!DisableInHelp
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!RestrictRun, HKCU\Software\M
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutoUpdate
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableChangePassword
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableLockWorkstation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoLogoff
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableTaskMgr
HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing!BehaviorOnFailedVerify
HKCU\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchFloppies, HKCU\Software\
HKCU\Software\Policies\Microsoft\Windows\DriverSearching!DontPromptForWindowsUpdate
HKCU\Software\Policies\Microsoft\Windows\NetCache!DisableFRAdminPin
HKCU\Software\Policies\Microsoft\Windows\NetCache\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}
HKCU\Software\Policies\Microsoft\Windows\System\Fdeploy!FolderRedirectionEnableCacheRenam
HKCU\Software\Policies\Microsoft\Windows\System\Fdeploy!PrimaryComputerEnabledFR
HKCU\Software\Policies\Microsoft\Windows\System\Fdeploy!LocalizeXPRelativePaths
HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!DCOption
HKCU\Software\Policies\Microsoft\Windows\System!GroupPolicyMinTransferRate
HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!NewGPOLinksDisabled
HKCU\Software\Policies\Microsoft\Windows\System!DenyRsopToInteractiveUser
HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!ShowPoliciesOnly
HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!GPODisplayName
HKCU\Software\Policies\Microsoft\Windows\System!GroupPolicyRefreshTime, HKCU\Software\Polic
HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!DisableAutoADMUpdate
HKCU\Software\Policies\Microsoft\InternetManagement!RestrictCommunication, HKCU\Software\Mic
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoUseStoreOpenWith
HKCU\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload
HKCU\Software\Policies\Microsoft\Windows\HandwritingErrorReports!PreventHandwritingErrorRep
HKCU\Software\Policies\Microsoft\Assistance\Client\1.0!NoImplicitFeedback
HKCU\Software\Policies\Microsoft\Assistance\Client\1.0!NoExplicitFeedback
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetOpenWith
HKCU\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoOnlinePrintsWizard
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPublishingWizard
HKCU\Software\Policies\Microsoft\Messenger\Client!CEIP
HKCU\Software\Policies\Microsoft\Assistance\Client\1.0!NoOnlineAssist
HKCU\Software\Policies\Microsoft\Control Panel\International!PreventGeoIdChange
HKCU\Software\Policies\Microsoft\Control Panel\International!CustomLocalesNoSelect
HKCU\Software\Policies\Microsoft\Control Panel\International!PreventUserOverrides
HKCU\Software\Policies\Microsoft\Control Panel\International!RestrictUserLocales, HKCU\Software\P
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableCurrentUserRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableCurrentUserRunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Policies\Microsoft\Windows\System\Power!PromptPasswordOnResume
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices!Deny_All
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Read!Deny_R
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Write!Deny_W
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices!RebootTimeinSeconds_stat
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA8
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideLogoffScripts
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideLogonScripts
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideLegacyLogonScripts
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunLogonScriptSync
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunUserPSScriptsFirst
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!ConnectHomeDirToRoot
HKCU\Software\Policies\Microsoft\Windows\System!ExcludeProfileDirs
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!EnableProfileQuota, HKCU\Sof
HKCU\Software\Policies\Microsoft\Windows\System!CscSuspendDirs
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU!Disabled
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!BlockFileElevation
HKCU\Software\Policies\Microsoft\Windows\AppCompat!DisablePCA
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!DefaultFileTypeRisk
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!SaveZoneInformation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!HideZoneInfoOnProperti
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!HighRiskFileTypes
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!LowRiskFileTypes
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!ModRiskFileTypes
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!ScanWithAntiVirus
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!UseTrustedHandlers
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoAutoplayfornonVolume
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DontSetAutoplayCheckbox
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutorun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDriveTypeAutoRun
HKCU\Software\Policies\Microsoft\Windows\CredUI!DisablePasswordReveal
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUnsignedGa
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffSidebar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUserInstalle
HKCU\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowFlip3d
HKCU\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowAnimations
HKCU\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowColorizationColorChanges
HKCU\SOFTWARE\Policies\Microsoft\Windows\DWM!DefaultColorizationColorState, HKCU\SOFTWAR
HKCU\SOFTWARE\Policies\Microsoft\Windows\Digital Locker!DoNotRunDigitalLocker
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!TurnOffBackstack
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!DisableMFUTracking
HKCU\Software\Policies\Microsoft\EMET\Defaults!IE
HKCU\Software\Policies\Microsoft\EMET\Defaults!WindowsMediaPlayer, HKCU\Software\Policies\Mi
HKCU\Software\Policies\Microsoft\EMET\Defaults, HKCU\Software\Policies\Microsoft\EMET\Default
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!EnforceShellExtensionSecurit
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableBindDirectlyToPropert
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableKnownFolders, HKCU\Software\Polici
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ConfirmFileDelete
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!AlwaysShowClassicMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoFolderOptions
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!RestrictWelcomeCenter
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecycleFiles
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRunasInstallPrompt
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!LinkResolveIgnoreLinkInfo
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDrives
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoManageMyComputerVerb
HKCU\Software\Policies\Microsoft\Windows\Explorer!DefaultLibrariesLocation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!RecycleBinSize
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!MaxRecentDocs
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoComputersNearMe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network!NoEntireNetwork
HKCU\Software\Policies\Microsoft\Windows\Explorer!TryHarderPinnedOpenSearch, HKCU\Software\
HKCU\Software\Policies\Microsoft\Windows\Explorer!TryHarderPinnedLibrary, HKCU\Software\Polici
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoViewOnDrive
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!PreventItemCreationInUsersFi
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoNetConnectDisconnect
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoCDBurning
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDFSTab
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoViewContextMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoFileMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoHardwareTab
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoShellSearchButton
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSecurityTab
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSharedDocuments
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoSearchInternetTryHarderButton
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoChangeKeyboardNavigation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoChangeAnimation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!PromptRunasInstallNetPath
HKCU\Software\Policies\Microsoft\Windows\Explorer!ExplorerRibbonStartsMinimized, HKCU\Softwa
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoThumbnailCache
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TurnOffSPIAnimations
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableSearchBoxSuggestions
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStrCmpLogical
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!PreXPSP2ShellProtocolBehavi
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableThumbsDBOnNetworkFolders
HKCU\Software\Policies\Microsoft\Windows\Explorer!HideContentViewModeSnippets
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableThumbnailsOnNetwork
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableThumbnails
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableIndexedLibraryExperience
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWinKeys
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ClassicShell
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32!NoBackButton
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32!NoPlacesBar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32!NoFileMru
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar!Place0, HKCU\Soft
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoReadingPane
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPreviewPane
HKCU\Software\Policies\Microsoft\PreviousVersions!DisableLocalPage
HKCU\Software\Policies\Microsoft\PreviousVersions!DisableRemotePage
HKCU\Software\Policies\Microsoft\PreviousVersions!HideBackupEntries
HKCU\Software\Policies\Microsoft\PreviousVersions!DisableLocalRestore
HKCU\Software\Policies\Microsoft\PreviousVersions!DisableBackupRestore
HKCU\Software\Policies\Microsoft\PreviousVersions!DisableRemoteRestore
HKCU\software\policies\microsoft\ime\imejp!ShowOnlyPublishingStandardGlyph
HKCU\software\policies\microsoft\ime\imejp!CodeAreaForConversion
HKCU\software\policies\microsoft\ime\shared!UserDict
HKCU\software\policies\microsoft\ime\imejp!UseHistorybasedPredictiveInput
HKCU\software\policies\microsoft\ime\shared!SearchPlugin
HKCU\software\policies\microsoft\ime\shared!OpenExtendedDict
HKCU\software\policies\microsoft\ime\imejp!SaveAutoTuneDataToFile
HKCU\software\policies\microsoft\ime\shared!misconvlogging
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SearchExtensions!InternetExt
HKCU\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableLocation
HKCU\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableLocationScripting
HKCU\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableSensors
HKCU\Software\Policies\Microsoft\MMC!RestrictAuthorMode
HKCU\Software\Policies\Microsoft\MMC!RestrictToPermittedSnapins
HKCU\Software\Policies\Microsoft\MMC\{18BA7139-D98B-43c2-94DA-2604E34E175D}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{EBC53A38-A23F-11D0-B09B-00C04FD8DCA6}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{D967F824-9968-11D0-B936-00C04FD8D5B0}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{E355E538-1C2E-11D0-8C37-00C04FD8FE93}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{C96401CF-0E17-11D3-885B-00C04F72C717}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{1C5DACFA-16BA-11D2-81D0-0000F87A7AA3}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{A994E107-6854-4F3D-917C-E6F01670F6D3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{53D6AB1D-2488-11D1-A28C-00C04FB94F17}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{de751566-4cc6-11d1-8ca0-00c04fc297eb}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{C9BC92DF-5B9A-11D1-8F00-00C04FC2C17B}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{58221C67-EA27-11CF-ADCF-00AA00A80033}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{74246bfc-4c96-11d0-abef-0020af6b0b7a}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{43668E21-2636-11D1-A1CE-0080C88593A5}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{8EAD3A12-B2C1-11d0-83AA-00A0C92C9D5D}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{677A2D94-28D9-11D1-A95B-008048918FB1}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{634BDE40-E5E1-49A1-B2CD-140FFFC830F9}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{975797FC-4E2A-11D0-B702-00C04FD8DBF7}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\FX:{D2779945-405B-4ACE-8618-508F3E3054AC}!Restrict_
HKCU\Software\Policies\Microsoft\MMC\{753EDB4D-2E1B-11D1-9064-00A0C90AB504}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{FF5903A8-78D6-11D1-92F6-006097B01056}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{89cc9588-7628-4d29-8e4a-6550d0087059}!Restrict_R
HKCU\Software\Policies\Microsoft\MMC\{95AD72F0-44CE-11D0-AE29-00AA004B9986}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{8F8F8DC0-5713-11D1-9551-0060B0576642}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{A841B6C2-7577-11D0-BB1F-00A0C922E79C}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{57C596D0-9370-40C0-BA0D-AB491B63255D}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{DEA8AFA2-CC85-11d0-9CE2-0080C7221EBD}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{C96401D1-0E17-11D3-885B-00C04F72C717}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{5D6179C8-17EC-11D1-9AA9-00C04FD8FE93}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{a1bc4eca-66b2-44e8-9915-be02e84438ba}!Restrict_R
HKCU\Software\Policies\Microsoft\MMC\FX:{6630f2d7-bd52-4072-bfa7-863f3d0c5da0}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\FX:{6d8880af-e518-43a8-986c-1ad21c4c976e}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{FD57D297-4FD9-11D1-854E-00C04FC31FD3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{B91B6008-32D2-11D2-9888-00A0C925F917}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{3D5D035E-7721-4B83-A645-6C07A3D403B7}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{3CB6973D-3E6F-11D0-95DB-00A024D77700}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{1AA7F839-C7F5-11D0-A376-00C04FC9DA04}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{011BE22D-E453-11D1-945A-00C04FB984F9}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{5ADF5BF6-E452-11D1-945A-00C04FB984F9}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{18ea3f92-d6aa-41d9-a205-2023400c8fbb}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{58221C66-EA27-11CF-ADCF-00AA00A80033}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{58221C65-EA27-11CF-ADCF-00AA00A80033}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{45ac8c63-23e2-11d1-a696-00c04fd58bc3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{E26D02A0-4C1F-11D1-9AA1-00C04FC3357A}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\FX:{7d3830aa-e69e-4e17-8bd1-1b87b97099da}!Restrict_R
HKCU\Software\Policies\Microsoft\MMC\FX:{b05566ac-fe9c-4368-be02-7a4cbb7cbe11}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{23DC5869-BD9F-46fd-AADD-1F869BA64FC3}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{5C659257-E236-11D2-8899-00104B2AFB46}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{1AA7F83C-C7F5-11D0-A376-00C04FC9DA04}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{1F5EEC01-1214-4D94-80C5-4BDCD2014DDD}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{3F276EB4-70EE-11D1-8A0F-00C04FB93753}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{C2FE450B-D6C2-11D0-A37B-00C04FC9DA04}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{9EC88934-C774-11d1-87F4-00C04FC2C17B}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{90087284-d6d6-11d0-8353-00a0c90640bf}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{C2FE4502-D6C2-11D0-A37B-00C04FC9DA04}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{394C052E-B830-11D0-9A86-00C04FD8DBF7}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{b05566ae-fe9c-4363-be05-7a4cbb7cb510}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{B708457E-DB61-4C55-A92F-0D4B5E9B1224}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{2E19B602-48EB-11d2-83CA-00104BCA42CF}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{C2FE4508-D6C2-11D0-A37B-00C04FC9DA04}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{C2FE4500-D6C2-11D0-A37B-00C04FC9DA04}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{90810502-38F1-11D1-9345-00C04FC9DA04}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{90810500-38F1-11D1-9345-00C04FC9DA04}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{90810504-38F1-11D1-9345-00C04FC9DA04}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{6E8E0081-19CD-11D1-AD91-00AA00B8E05A}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{C2FE4506-D6C2-11D0-A37B-00C04FC9DA04}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{34AB8E82-C27E-11D1-A6C0-00C04FB94F17}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{5880CD5C-8EC0-11d1-9570-0060B0576642}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{243E20B0-48ED-11D2-97DA-00A024D77700}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{C2FE4504-D6C2-11D0-A37B-00C04FC9DA04}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{DAB1A262-4FD7-11D1-842C-00C04FB6C218}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{B1AFF7D0-0C49-11D1-BB12-00C04FC9A3A3}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{BD95BA60-2E26-AAD1-AD99-00AA00B8E05A}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{58221C69-EA27-11CF-ADCF-00AA00A80033}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{03f1f940-a0f2-11d0-bb77-00aa00a1eab7}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{7AF60DD3-4979-11D1-8A6C-00C04FC33566}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{0F3621F1-23C6-11D1-AD97-00AA00B88E5A}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{E12BBB5D-D59D-4E61-947A-301D25AE8C23}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{D70A2BEA-A63E-11D1-A7D4-0000F87571E3}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{6DC3804B-7212-458D-ADB0-9A07E2AE1FA2}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{0F6B957D-509E-11D1-A7CC-0000F87571E3}!Restrict_Run,
HKCU\Software\Policies\Microsoft\MMC\{0F6B957E-509E-11D1-A7CC-0000F87571E3}!Restrict_Run,
HKCU\Software\Policies\Microsoft\MMC\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{FC715823-C5FB-11D1-9EEF-00A0C90347FF}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{DEA8AFA0-CC85-11d0-9CE2-0080C7221EBD}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\FX:{a1bc4ecb-66b2-44e8-9915-be02e84438ba}!Restrict_R
HKCU\Software\Policies\Microsoft\MMC\{3060E8CE-7020-11D2-842D-00C04FA372D4}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{40B66650-4972-11D1-A7CA-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{40B6664F-4972-11D1-A7CA-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{942A8E4F-A261-11D1-A760-00C04FB9603F}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{0E752416-F29E-4195-A9DD-7F0D4D5A9D71}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{06993B16-A5C7-47EB-B61C-B1CB7EE600AC}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{2DA6AA7F-8C88-4194-A558-0D36E7FD3E64}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{B6F9C8AE-EF3A-41C8-A911-37370C331DD4}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{B6F9C8AF-EF3A-41C8-A911-37370C331DD4}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{c40d66a0-e90c-46c6-aa3b-473e38c72bf2}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{d524927d-6c08-46bf-86af-391534d779d3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{40B66661-4972-11d1-A7CA-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{40B66660-4972-11d1-A7CA-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{fe883157-cebd-4570-b7a2-e4fe06abe626}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{7E45546F-6D52-4D10-B702-9C2E67232E62}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}!Restrict_Run
HKCU\Software\Policies\Microsoft\Conferencing!PersistAutoAcceptCalls
HKCU\Software\Policies\Microsoft\Conferencing!NoChat
HKCU\Software\Policies\Microsoft\Conferencing!NoDirectoryServices
HKCU\Software\Policies\Microsoft\Conferencing!NoOldWhiteBoard
HKCU\Software\Policies\Microsoft\Conferencing!NoNewWhiteBoard
HKCU\Software\Policies\Microsoft\Conferencing!Use AutoConfig, HKCU\Software\Policies\Microsoft
HKCU\Software\Policies\Microsoft\Conferencing!MaxFileSendSize
HKCU\Software\Policies\Microsoft\Conferencing!NoAddingDirectoryServers
HKCU\Software\Policies\Microsoft\Conferencing!NoAutoAcceptCalls
HKCU\Software\Policies\Microsoft\Conferencing!NoChangingCallMode
HKCU\Software\Policies\Microsoft\Conferencing!NoReceivingFiles
HKCU\Software\Policies\Microsoft\Conferencing!NoSendingFiles
HKCU\Software\Policies\Microsoft\Conferencing!NoWebDirectory
HKCU\Software\Policies\Microsoft\Conferencing!CallSecurity
HKCU\Software\Policies\Microsoft\Conferencing!IntranetSupportURL
HKCU\Software\Policies\Microsoft\Conferencing!NoAppSharing
HKCU\Software\Policies\Microsoft\Conferencing!NoTrueColorSharing
HKCU\Software\Policies\Microsoft\Conferencing!NoAllowControl
HKCU\Software\Policies\Microsoft\Conferencing!NoSharingDesktop
HKCU\Software\Policies\Microsoft\Conferencing!NoSharing
HKCU\Software\Policies\Microsoft\Conferencing!NoSharingDosWindows
HKCU\Software\Policies\Microsoft\Conferencing!NoSharingExplorer
HKCU\Software\Policies\Microsoft\Conferencing!NoAudio
HKCU\Software\Policies\Microsoft\Conferencing!NoFullDuplex
HKCU\Software\Policies\Microsoft\Conferencing!MaximumBandwidth
HKCU\Software\Policies\Microsoft\Conferencing!NoChangeDirectSound
HKCU\Software\Policies\Microsoft\Conferencing!NoReceivingVideo
HKCU\Software\Policies\Microsoft\Conferencing!NoSendingVideo
HKCU\Software\Policies\Microsoft\Conferencing!NoAdvancedCalling
HKCU\Software\Policies\Microsoft\Conferencing!NoAudioPage
HKCU\Software\Policies\Microsoft\Conferencing!NoGeneralPage
HKCU\Software\Policies\Microsoft\Conferencing!NoSecurityPage
HKCU\Software\Policies\Microsoft\Conferencing!NoVideoPage
HKCU\Software\Policies\Microsoft\NetworkProjector!DisableNetworkProjector
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInplaceSharing
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\PresentationSettings!NoPresentationSe
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!UseProxy, HKCU\SOFTWARE\Polic
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowExplicitLogonMethod, H
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowExplicitProxyName, HKCU
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowUnsignedFiles
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowSignedFiles
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!DisablePasswordSaving
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!TrustedCertThumbprints
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!Shadow
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!UseUniversalPrinterDriverFirst
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fInheritInitialProgram, HKCU\S
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fResetBroken
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxIdleTime
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxConnectionTime
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxDisconnectionTime
HKCU\SOFTWARE\Policies\Microsoft\Workspaces!DefaultConnectionURL
HKCU\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableFeedPane
HKCU\Software\Policies\Microsoft\Internet Explorer\Feed Discovery!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableEnclosureDownload
HKCU\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableAddRemove
HKCU\Software\Policies\Microsoft\Internet Explorer\Feeds!BackgroundSyncStatus
HKCU\Software\Policies\Microsoft\Internet Explorer\Feeds!AllowBasicAuthInClear
HKCU\SOFTWARE\Policies\Microsoft\SoundRecorder!Soundrec
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!DisableInkball
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!DisableNoteWriterPrinting
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!DisableSnippingTool
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!DisableJournal
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffPenFeedback
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonBackEscapeMapping
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonApplicationLaunch
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonPressAndHold
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffButtons
HKCU\software\policies\microsoft\TabletTip\1.7!DisablePrediction
HKCU\software\policies\microsoft\TabletTip\1.7!HideIPTIPTarget
HKCU\software\policies\microsoft\TabletTip\1.7!HideIPTIPTouchTarget
HKCU\software\policies\microsoft\TabletTip\1.7!IncludeRareChar
HKCU\software\policies\microsoft\TabletTip\1.7!DisableEdgeTarget
HKCU\software\policies\microsoft\TabletTip\1.7!DisableACIntegration
HKCU\software\policies\microsoft\TabletTip\1.7!PasswordSecurityState, HKCU\software\policies\mi
HKCU\software\policies\microsoft\TabletTip\1.7!ScratchOutState, HKCU\software\policies\microsoft
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!PreventFlicksLearningMode
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!PreventFlicks
HKCU\SOFTWARE\Policies\Microsoft\PenTraining!DisablePenTraining
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffTouchInput
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffPanning
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Disable Advanced
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Property Pages
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Execution
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Allow Browse
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!DragAndDrop
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Task Creation
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Task Deletion
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Windows!TurnOffWinCal
HKCU\Software\Policies\Microsoft\Windows\WindowsColorSystem!ProhibitInstallUninstall
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!LoggingDisabled
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!Disabled
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DontSendAdditionalData
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassDataThrottling
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassPowerThrottling
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassNetworkCostThrottl
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DisableArchive, HKCU\SOF
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DisableQueue, HKCU\SOFT
HKCU\Software\Policies\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent!DefaultConsent
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent!DefaultOverrideB
HKCU\Software\Policies\Microsoft\Windows\Installer!AlwaysInstallElevated
HKCU\Software\Policies\Microsoft\Windows\Installer!DisableMedia
HKCU\Software\Policies\Microsoft\Windows\Installer!DisableRollback
HKCU\Software\Policies\Microsoft\Windows\Installer!SearchOrder
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DontDisplayLogonHoursWarni
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!ReportControllerMissing
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!LogonHoursAction
HKCU\SOFTWARE\Policies\Microsoft\Windows Mail!DisableCommunities
HKCU\SOFTWARE\Policies\Microsoft\Windows Mail!ManualLaunchAllowed
HKCU\Software\Policies\Microsoft\WindowsMediaCenter!MediaCenter
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!PreventCDDVDMetadataRetrieval
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!PreventMusicFileMetadataRetrieval
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!PreventRadioPresetsRetrieval
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\HTTP!ProxyPolicy, HKCU\Softwa
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\MMS!ProxyPolicy, HKCU\Softwa
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!NetworkBufferingPolicy, HKCU\Software\P
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\RTSP!ProxyPolicy, HKCU\Softwa
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!HideNetworkTab
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols!WindowsMediaStreamingProtocol
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!EnableScreenSaver
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!PreventCodecDownload
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!DoNotShowAnchor
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!HidePrivacyTab
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!HideSecurityTab
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!SetAndLockSkin, HKCU\Software\Policies\
HKCU\Software\Policies\Microsoft\Messenger\Client!PreventRun
HKCU\Software\Policies\Microsoft\Messenger\Client!PreventAutoRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\MobilityCenter!NoMobilityCenter
HKCU\Software\Policies\Microsoft\Windows\PowerShell\UpdatableHelp!EnableUpdateHelpDefaultS
HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging!EnableModuleLogging, HK
HKCU\Software\Policies\Microsoft\Windows\PowerShell!EnableScripts, HKCU\Software\Policies\Mic
HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUAsDefaultShutdownOption
HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUShutdownOption
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate!DisableWindowsUpda
HKCU\Software\Policies\Microsoft\Windows\Explorer!GoToDesktopOnSignIn
HKCU\Software\Policies\Microsoft\Windows\Explorer!DesktopAppsFirstInAppsView
HKCU\Software\Policies\Microsoft\Windows\Explorer!StartPinAppsWhenInstalled, HKCU\Software\P
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoChangeStartMenu
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableGlobalSearchOnAppsView
HKCU\Software\Policies\Microsoft\Windows\Explorer!ShowStartOnDisplayWithForegroundOnWinK
HKCU\Software\Policies\Microsoft\Windows\Explorer!ShowAppsViewOnStart
HKCU\Software\Policies\Microsoft\Windows\Explorer!LockedStartLayout, HKCU\Software\Policies\M
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours!EntryTime
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours!ExitTime
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours!AllowCalls
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours!Enable
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!MSAOptional
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!DisableHelpSticker
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!DisableRecentApps
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!ShowCommandPromptOnWinX
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!DisableCharms
HKCU\Software\Policies\Microsoft\Windows\FileRevocation!DelegatedTuples
HKCU\Software\Policies\Microsoft\WindowsStore!DisableOSUpgrade
HKCU\Software\Policies\Microsoft\WindowsStore!RemoveWindowsStore
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!AutoApproveOSDumps
HKCU\Software\Policies\Microsoft\Windows\WorkFolders!SyncUrl, HKCU\Software\Policies\Micros
HKCU\Software\Policies\Microsoft\Windows\TabletPC!PreventHandwritingDataSharing
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!BlockProtocolElevation
HKCU\Software\Policies\Microsoft\MMC\FX:{671ee405-c969-4af9-ad1b-65e96b3b9a10}!Restrict_R
HKCU\Software\Policies\Microsoft\MMC\FX:{f8abd46c-1297-4474-9cdf-831ebb245f49}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\FX:{813C1B01-6624-4922-9C6C-03C315646584}!Restrict_
HKCU\Software\Policies\Microsoft\MMC\FX:{317cdc35-c09e-486f-ab09-90dd2e3fdd7d}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\FX:{f78fbadd-c21a-4e0a-b53d-c879a9c8f002}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{dbfca500-8c31-11d0-aa2c-00a0c92749a3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{f8abd46e-1297-4474-9cdf-831ebb245f49}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\FX:{f9f63d92-6225-410b-bb02-26239b8f1f59}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\FX:{317cdc37-c09e-486f-ab09-90dd2e3fdd7d}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{C11D2F3B-E2F4-4e5b-824B-84A87AB0F666}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{9FE24B92-C23D-451c-8045-73038D99E620}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{6A712058-33C6-4046-BCF9-0EA3A8808EDC}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{0DA274B5-EB93-47A7-AAFB-65BA532D3FE6}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{17C6249E-BA57-4F69-AE93-4FB3D25CD9D7}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{127537A8-C1ED-40BC-9AE5-C5891DF6B2D4}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{1612b55c-243c-48dd-a449-ffc097b19776}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{1b767e9a-7be4-4d35-85c1-2e174a7ba951}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{35141B6B-498A-4cc7-AD59-CEF93D89B2CE}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{3BAE7E51-E3F4-41D0-853D-9BB9FD47605F}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{3BFAE46A-7F3A-467B-8CEA-6AA34DC71F53}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{3EC4E9D3-714D-471F-88DC-4DD4471AAB47}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{516FC620-5D34-4B08-8165-6A06B623EDEB}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{5C935941-A954-4F7C-B507-885941ECE5C4}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{79F92669-4224-476c-9C5C-6EFB4D87DF4A}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{949FB894-E883-42C6-88C1-29169720E8CA}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{BFCBBEB0-9DF4-4c0c-A728-434EA66A0373}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{9AD2BAFE-63B4-4883-A08C-C3C6196BCAFD}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{45B01F1C-5AC2-458c-9457-42A81B34A26D}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{A8C42CEA-CDB8-4388-97F4-5831F933DA84}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{B9CCA4DE-E2B9-4CBD-BF7D-11B6EBFBDDF7}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{CC5746A9-9B74-4be5-AE2E-64379C86E0E4}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{CEFFA6E2-E3BD-421B-852C-6F6A79A59BC1}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{CF848D48-888D-4F45-B530-6A201E62A605}!Restrict_Run
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableTimeZoneRedirection
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableClip
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!RedirectOnlyDefaultClientPrint
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fTurnOffSingleAppMode
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fNoRemoteDesktopWallpaper
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!RemoteAppLogoffTimeLimit
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search\DefaultExcludedPaths
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search\DefaultIndexedPaths
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search!HideUNCTab
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventModifyingIndexedLocations
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventIndexingCertainPaths
HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer!DisableSearchHistory
Supported On
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
At least Windows 2000
At least Windows 2000
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows 2000
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows 2000 Service Pack 1
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000 Service Pack 1
At least Windows Server 2008 R2 or Windows 7
At least Windows 2000 Service Pack 1
At least Windows 2000
Windows Server 2008, Windows Server 2003, Windows Vista, and Windows XP
At least Windows 2000
At least Windows 2000
At least Windows Server 2008 R2 or Windows 7
At least Windows 2000
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows 2000 Service Pack 1
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows 2000
At least Windows 2000
Windows Server 2008 and Windows Vista
Windows Server 2008 and Windows Vista
Supported Windows XP SP1 through Windows Server 2008 RTM
At least Windows 2000
At least Windows 2000
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
Windows Vista only
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows 2000
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows 2000 Service Pack 3
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
Windows Server 2003 and Windows XP only
At least Windows Server 2008 R2 or Windows 7
At least Windows 2000
Windows 2000 only
At least Windows 2000
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows 2000
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows 2000 Service Pack 1
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Microsoft Windows Server 2003, Windows XP, and Windows 2000 Service Pack 1 operating systems o
Windows Server 2003 and Windows XP only
At least Windows 2000 Service Pack 1
Microsoft Windows Server 2003, Windows XP, and Windows 2000 Service Pack 1 operating systems o
Microsoft Windows Server 2003, Windows XP, and Windows 2000 Service Pack 1 operating systems o
Microsoft Windows Server 2003, Windows XP, and Windows 2000 Service Pack 1 operating systems o
Microsoft Windows Server 2003, Windows XP, and Windows 2000 Service Pack 1 operating systems o
At least Windows 2000 Service Pack 1
Microsoft Windows Server 2003, Windows XP, and Windows 2000 Service Pack 1 operating systems o
At least Windows 2000 Service Pack 1
At least Windows 2000 Service Pack 1
At least Windows 2000 Service Pack 1
Microsoft Windows Server 2003, Windows XP, and Windows 2000 Service Pack 1 operating systems o
At least Windows 2000 Service Pack 1
Microsoft Windows Server 2003, Windows XP, and Windows 2000 Service Pack 1 operating systems o
Microsoft Windows Server 2003, Windows XP, and Windows 2000 Service Pack 1 operating systems o
Microsoft Windows XP Professional with SP2 and Windows Server 2003 family only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows 2000
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows Vista
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
Windows Server 2008, Windows Server 2003, Windows Vista, Windows XP, and Windows 2000
Windows Server 2008 R2 and Windows 7
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008 R2 and Windows 7
At least Windows 2000
At least Windows Server 2012, Windows 8 or Windows RT
Windows Server 2008, Windows 7, and Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2008 R2 or Windows 7
At least Windows 2000
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008 and Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
At least Windows 2000
At least Windows 2000
Windows Server 2008, Windows Server 2003, Windows Vista, and Windows XP
Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, Windows XP, and Window
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
Windows Server 2003 and Windows XP only
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3
Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, Windows XP, and Window
Windows Server 2008 R2 and Windows 7
Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, Windows XP, and Window
Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, and Windows XP
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, Windows XP, and Window
Windows Server 2008 R2 and Windows 7
At least Windows 2000
At least Windows 2000
Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, and Windows XP
Windows Server 2008, Windows Server 2003, Windows Vista, Windows XP, and Windows 2000
Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, and Windows XP
Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, and Windows XP
At least Windows Server 2008 R2 or Windows 7
Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, and Windows XP
At least Windows 2000
Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, Windows XP, and Window
Windows Server 2008 R2 and Windows 7
At least Windows 2000
Windows Vista only
Windows Server 2003 and Windows XP only
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2003 and Windows XP only
Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, Windows XP, and Window
Windows Server 2008 R2 and Windows 7
At least Windows Server 2012, Windows 8 or Windows RT
Windows Vista only
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2003 operating systems or Windows XP Professional
Windows Server 2008, Windows Server 2003, Windows Vista, Windows XP, and Windows 2000
Windows Vista only
Windows Server 2008, Windows Server 2003, Windows Vista, Windows XP, and Windows 2000
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows 2000
At least Windows 2000
Windows 2000 only
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
Windows XP Professional only
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2008, Windows Server 2003, Windows Vista, and Windows XP
Windows Server 2008, Windows Server 2003, Windows Vista, and Windows XP SP2
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
At least Windows 2000
At least Windows 2000
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows XP Professional with SP2
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows XP Professional with SP2
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, and Windows XP
At least Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows 2000
At least Windows 2000
At least Windows 2000
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Server 2008 R2 or Windows 7
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows 2000
At least Windows 2000
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows XP Professional with SP2
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows 2000
At least Windows Server 2012, Windows 8 or Windows RT or at least Internet Explorer 10
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
Client: Windows XP SP3 and later. Server: Windows Server 2003 SP1 and later.
Client: Windows XP SP3 and later. Server: Windows Server 2003 SP1 and later.
Client: Windows XP SP3 and later. Server: Windows Server 2003 SP1 and later.
At least Windows 2000
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Windows 2000
Windows Vista only
At least Windows Server 2003 operating systems or Windows XP Professional
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Server 2012, Windows 8 or Windows RT
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, Windows XP, and Window
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows 2000
At least Windows Vista
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows Server 2003 operating systems or Windows XP Professional
Windows XP Professional only
At least Windows Server 2008 R2 or Windows 7
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows XP Professional with SP2
Windows Vista Service Pack 1
At least Windows Server 2008 R2 or Windows 7
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2003
Windows Server 2008, Windows Server 2003, Windows Vista, Windows XP, and Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Windows Vista
Supported Windows Vista through Windows 7
At least Windows Vista
Supported Windows Vista through Windows 7
Supported Windows Vista through Windows 7
Supported Windows Vista through Windows 7
At least Windows Vista
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Vista
At least Windows 2000
At least Windows Vista
At least Windows Vista
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Windows 2000
Windows Server 2003 only
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Vista
At least Windows Vista
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Vista
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional with SP1
At least Windows 2000
Windows Server 2003, Windows XP, and Windows 2000 only
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Vista
At least Windows Vista
At least Windows 2000
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
at least Windows NetMeeting v3.0
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
At least Windows Vista with Service Pack 1
At least Windows Vista with Service Pack 1
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
At least Windows Vista with Service Pack 1
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista,
At least Windows Server 2008 or Windows 7
At least Windows Server 2003
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2012, Windows 8 or Windows RT
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Windows Vista
Windows Vista only
At least Windows Vista
At least Windows Vista
At least Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
At least Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
At least Windows Vista
Windows Vista only
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008, Windows 7, and Windows Vista
Windows Vista only
Windows Server 2008, Windows 7, and Windows Vista
Windows Server 2008 R2 and Windows 7
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Vista only
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows 2000
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
At least Windows Vista
Windows Media Player 9 Series and later.
Windows Media Player 9 Series and later.
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Media Player for Windows XP and later.
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Media Player for Windows XP and later.
Windows Media Player 9 Series and later.
Windows Media Player for Windows XP and later.
Windows Media Player for Windows XP and later.
Windows Media Player 9 Series and later.
Windows Media Player for Windows XP and later.
Windows Server 2003, Windows XP, and Windows 2000 only
Windows Media Player 9 Series and later.
Windows Media Player 9 Series and later.
Windows Media Player for Windows XP and later.
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows Vista
At least Microsoft Windows 7 or Windows Server 2008 family
At least Microsoft Windows 7 or Windows Server 2008 family
At least Microsoft Windows 7 or Windows Server 2008 family
Windows 7, Windows Server 2008 R2, Windows Vista, Windows XP SP2
Windows 7, Windows Server 2008 R2, Windows Vista, Windows XP SP2
Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows 2000
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2012, Windows 8 or Windows RT

At least Windows 8.1 or Windows RT 8.1


At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2012, Windows 8 or Windows RT
At least Windows Server 2003 R2
At least Windows Server 2003 R2
At least Windows Server 2003 R2
At least Windows Server 2003 R2
At least Windows Server 2003 R2
At least Windows 2000
At least Windows Server 2003 R2
At least Windows Server 2003 R2
At least Windows Server 2003 R2
At least Windows Server 2008
At least Windows Server 2008
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
At least Windows Server 2008
At least Windows Server 2008
At least Windows Server 2008
At least Windows Server 2008
At least Windows Server 2008
At least Windows Server 2008
Any version of Microsoft Windows with Windows Search 4.0 or later
Any version of Microsoft Windows with Windows Search 4.0 or later
Any version of Microsoft Windows with Windows Search 4.0 or later
Any version of Microsoft Windows with Windows Search 4.0 or later
Any version of Microsoft Windows with Windows Search 4.0 or later
Microsoft Windows 8 or later
Help Text
This policy setting controls the default Control Panel view, whether by category or icons. If this policy setting is enabled, the Co
This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Co
Disables all Control Panel programs and the PC settings app. This setting prevents Control.exe and SystemSettings.exe, the prog
This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control
Prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" s
Removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the a
Removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot vie
Removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or ch
Removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from
Removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using
Prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" sec
Removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view o
Prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and re
Removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the
Specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, on
Disables the Display Control Panel. If you enable this setting, the Display Control Panel does not run. When users try to start Di
Removes the Settings tab from Display in Control Panel. This setting prevents users from using Control Panel to add, configure,
Enables desktop screen savers. If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver
This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. This can be a loc
Specifies the screen saver for the user's desktop. If you enable this setting, the system displays the specified screen saver on th
Specifies which theme file is applied to the computer the first time a user logs on. If you enable this setting, the theme that you
Determines whether screen savers used on the computer are password protected. If you enable this setting, all screen savers a
Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Cont
This setting forces the theme color scheme to be the default color scheme. If you enable this setting, a user cannot change the
Prevents users from adding or changing the background design of the desktop. By default, users can use the Desktop Backgrou
Prevents users from changing the desktop icons. By default, users can use the Desktop Icon Settings dialog in the Personalizatio
Prevents users from changing the mouse pointers. By default, users can use the Pointers tab in the Mouse Control Panel to add
Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. This setting prevents users fr
Prevents users from changing the sound scheme. By default, users can use the Sounds tab in the Sound Control Panel to add, r
This setting disables the theme gallery in the Personalization Control Panel. If you enable this setting, users cannot change or s
Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. When ena
Prevents users from changing the size of the font in the windows and buttons displayed on their screens. If this setting is enabl
Specifies how much user idle time must elapse before the screen saver is launched. When configured, this idle time can be set
Adds a link to an Internet or intranet Web page to the Add Printer Wizard. You can use this setting to direct users to a We
Allows users to use the Add Printer Wizard to search the network for shared printers. If you enable this setting or do not config
Specifies the Active Directory location where searches for printers begin. The Add Printer Wizard gives users the option o
This policy restricts client computers to use package point and print only. If this setting is enabled, users will only be able to po
Restricts package point and print to approved servers. This policy setting restricts package point and print connections to appro
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. T
Prevents users from using familiar methods to add local and network printers. If this policy setting is enabled, it removes
If this policy setting is enabled, it prevents users from deleting local and network printers. If a user tries to delete a printe
Prevents users from viewing or installing published programs from the network. This setting prevents users from accessing th
This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task. "Installed Updates
This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are cur
This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot vie
This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Cate
This setting prevents users from accessing the "Get new programs from Windows Marketplace" task from the Programs Control P
This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View
This policy setting removes the Administrative options from the Region settings control panel. Administrative options include
This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control pan
This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional O
This policy setting removes the regional formats interface from the Region settings control panel. This policy setting is used onl
This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region setting
This policy setting restricts the Windows UI language for specific users. This policy setting applies to computers with more than
This policy turns off the autocorrect misspelled words option. This does not, however, prevent the user or an application from
This policy turns off the highlight misspelled words option. This does not, however, prevent the user or an application from ch
This policy turns off the insert a space after selecting a text prediction option. This does not, however, prevent the user or an a
This policy turns off the offer text predictions as I type option. This does not, however, prevent the user or an application from
This policy setting turns off the automatic learning component of handwriting recognition personalization. Automatic learning
Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. If you disable
Prevents users from saving certain changes to the desktop. If you enable this setting, users can change the desktop, but some c
Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Compu
Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. This setting does not prev
Removes the Network Locations icon from the desktop. This setting only affects the desktop icon. It does not prevent users fro
Prevents users from manipulating desktop toolbars. If you enable this setting, users cannot add or remove toolbars from the d
Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolba
Prevents users from changing the path to their profile folders. By default, a user can change the location of their individual pro
This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view o
Removes most occurrences of the My Documents icon. This setting removes the My Documents icon from the desktop, from F
This setting hides Properties on the context menu for Computer. If you enable this setting, the Properties option will not be pre
This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. If you enable this po
Removes the Properties option from the Recycle Bin context menu. If you enable this setting, the Properties option will not be
Removes most occurrences of the Recycle Bin icon. This setting removes the Recycle Bin icon from the desktop, from File Explo
Prevents users from using the Desktop Cleanup Wizard. If you enable this setting, the Desktop Cleanup wizard does not autom
Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. If y
Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional
Hides the Active Directory folder in Network Locations. The Active Directory folder displays Active Directory objects in a brows
Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory
Adds and deletes specified Web content items. You can use the "Add" box in this setting to add particular Web-based items or
Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If u
Specifies the desktop background ("wallpaper") displayed on all users' desktops. This setting lets you specify the wallpaper on
Disables Active Desktop and prevents users from enabling it. This setting prevents users from trying to enable or disable Active
Removes Active Desktop content and prevents users from adding Active Desktop content. This setting removes all Active Desk
Enables Active Desktop and prevents users from disabling it. This setting prevents users from trying to enable or disable Active
Prevents users from adding Web content to their Active Desktop. This setting removes the "New" button from Web tab in Disp
Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. This is a comprehen
Prevents users from removing Web content from their Active Desktop. In Active Desktop, you can add items to the desktop bu
Prevents users from deleting Web content from their Active Desktop. This setting removes the Delete button from the Web tab
Prevents users from changing the properties of Web content items on their Active Desktop. This setting disables the Properties
Determines whether a user can view and change the properties of remote access connections that are available to all users of
Determines whether users can delete all user remote access connections. To create an all-user remote access connection, on t
Determines whether users can enable/disable LAN connections. If you enable this setting, the Enable and Disable options for L
Determines whether nonadministrators can rename all-user remote access connections. To create an all-user connection, on t
Determines whether nonadministrators can rename a LAN connection. If you enable this setting, the Rename option is enabled
Determines whether users can rename LAN or all user remote access connections. If you enable this setting, the Rename optio
Determines whether settings that existed in Windows 2000 Server family will apply to Administrators. The set of Network Conn
Determines whether users can change the properties of a LAN connection. This setting determines whether the Properties men
Determines whether Administrators and Network Configuration Operators can change the properties of components used by
Determines whether users can view and change the properties of components used by a private or all-user remote access con
Determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators
Determines whether users can use the New Connection Wizard, which creates new network connections. If you enable this setti
Determines whether the Remote Access Preferences item on the Advanced menu in Network Connections folder is enabled. T
Determines whether administrators can add and remove network components for a LAN or remote access connection. This se
Determines whether users can view and change the properties of their private remote access connections. Private connections
Determines whether users can connect and disconnect remote access connections. If you enable this setting (and enable the "
Determines whether users can delete remote access connections. If you enable this setting (and enable the "Enable Network C
Determines whether administrators can enable and disable the components used by LAN connections. If you enable this settin
Determines whether users can rename their private remote access connections. Private connections are those that are availab
Determines whether users can configure advanced TCP/IP settings. If you enable this setting (and enable the "Enable Network
Determines whether users can view the status for an active connection. Connection status is available from the connection sta
This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is u
Determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files
Determines which events the Offline Files feature records in the event log. Offline Files records events in the Application log in
Determines how long the first reminder balloon for a network status change is displayed. Reminder balloons appear when the
Determines how computers respond when they are disconnected from particular offline file servers. This setting overrides the
Disables the Offline Files folder. This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot u
Prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting removes the Offline Files tab
Determines how often reminder balloon updates appear. If you enable this setting, you can select how often reminder balloon
Determines how long updated reminder balloons are displayed. Reminder balloons appear when the user's connection to a ne
This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users
This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" com
This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offl
This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files an
Determines whether offline files are fully synchronized when users log off. This setting also disables the "Synchronize all offline
Determines whether offline files are fully synchronized when users log on. This setting also disables the "Synchronize all offline
Determines whether offline files are synchronized before a computer is suspended. If you enable this setting, offline files are syn
Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloons appear above the Offlin
This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy setting, the wizards are t
This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS). If you enab
This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS). If you e
Lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process. All DOS and 16-bit programs r
This policy only applies to the classic version of the start menu and does not affect the new style start menu. Adds the "Log Off
If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box.
If you enable this setting, the Run command is added to the Start menu. If you disable or do not configure this setting, the Run
Set the default action of the power button on the Start menu. If you enable this setting, the Start Menu will set the power butt
Clear history of recently opened documents on exit. If you enable this setting, the system deletes shortcuts to recently used do
If you enable this setting, the system deletes tile notifications when the user logs off. As a result, the Tiles in the start view will
If you enable this policy setting, the recent programs list in the start menu will be blank for each new user. If you disable or do
This policy setting allows you to control pinning items in Jump Lists. If you enable this policy setting, users cannot pin files, fold
This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change
This policy setting allows you to prevent taskbars from being displayed on more than one monitor. If you enable this policy setti
This setting affects the taskbar. The taskbar includes the Start button, buttons for currently running tasks, custom toolbars, the
This policy setting allows you to control displaying or tracking items in Jump Lists from remote locations. The Start Menu and T
Prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents. I
If you enable this policy the start menu search box will not search for communications. If you disable or do not configure this p
If you enable this policy setting the Start menu search box will not search for files. If you disable or do not configure this policy
If you enable this policy the start menu search box will not search for internet history or favorites. If you disable or do not confi
If you enable this policy setting the Start menu search box will not search for programs or Control Panel items. If you disable or
This policy setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut. If you
This policy setting prevents the system from using NTFS tracking features to resolve a shortcut. If you enable this policy setting
This setting affects the presentation of the Start menu. The classic Start menu in Windows 2000 Professional allows users to be
Displays Start menu shortcuts to partially installed programs in gray text. This setting makes it easier for users to distinguish be
This setting affects the notification area (previously called the "system tray") on the taskbar. Description: The notification area
This policy setting allows you to lock all taskbar settings. If you enable this policy setting, the user cannot access the taskbar co
This setting affects the taskbar, which is used to switch between running applications. The taskbar includes the Start button, lis
This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. If you enable this policy setting, the user
This setting affects the taskbar buttons used to switch between running programs. Taskbar grouping consolidates similar applic
This policy setting allows you to prevent users from adding or removing toolbars. If you enable this policy setting, the user is no
This policy setting allows you to prevent users from moving taskbar to another screen dock location. If you enable this policy se
This policy setting allows you to prevent users from rearranging toolbars. If you enable this policy setting, users are not able to
This policy setting allows you to prevent users from resizing the taskbar. If you enable this policy setting, users are not able
If you enable this setting, users cannot uninstall apps from Start. If you disable this setting or do not configure it, users can acce
This policy setting allows you to remove access to the context menus for the taskbar. If you enable this policy setting, the menu
This policy setting allows you to remove the All Programs list from the Start menu. If you enable this policy setting, the "All Pro
This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen:
Hides pop-up text on the Start menu and in the notification area. When you hold the cursor over an item on the Start menu or
Prevents the clock in the system notification area from being displayed. If you enable this setting, the clock will not be displaye
Removes items in the All Users profile from the Programs menu on the Start menu. By default, the Programs menu contains ite
This policy setting allows you to remove the Default Programs link from the Start menu. If you enable this policy setting, the De
This policy setting allows you to remove the Documents icon from the Start menu and its submenus. If you enable this policy se
This policy setting allows you to remove the Downloads link from the Start Menu. If you enable this policy setting, the Start Me
Prevents users from adding the Favorites menu to the Start menu or classic Start menu. If you enable this setting, the Display F
If you enable this setting, the frequently used programs list is removed from the Start menu. If you disable this setting or do no
If you enable this policy the start menu will not show a link to the Games folder. If you disable or do not configure this policy, t
This policy setting allows you to remove the Help command from the Start menu. If you enable this policy setting, the Help com
If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Star
This policy setting allows you to remove links and access to Windows Update. If you enable this policy setting, users are preven
This policy setting allows you to remove the "Log Off <username>" item from the Start menu and prevents users from restori
This policy setting allows you to remove the Music icon from Start Menu. If you enable this policy setting, the Music icon is no l
This policy setting allows you to remove Network Connections from the Start Menu. If you enable this policy setting, users are
This policy setting allows you to remove the Network icon from Start Menu. If you enable this policy setting, the Network icon
This policy setting allows you to remove the Pictures icon from Start Menu. If you enable this policy setting, the Pictures icon is
This policy setting allows you to remove pinned programs from the taskbar. If you enable this policy setting, pinned programs a
If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start m
This policy setting allows you to remove programs on Settings menu. If you enable this policy setting, the Control Panel, Printer
Removes the Recent Items menu from the Start menu. Removes the Documents menu from the classic Start menu. The Recen
This policy setting allows you to remove the Recorded TV link from the Start Menu. If you enable this policy setting, the Start M
Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. If you enable this setting,
If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search
This policy setting allows you to remove the Search link from the Start menu, and disables some File Explorer search elements
If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in
If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked. If
This policy setting allows you to remove the Action Center from the system control area. If you enable this policy setting, the A
This policy setting allows you to remove the battery meter from the system control area. If you enable this policy setting, the b
This policy setting allows you to remove the networking icon from the system control area. If you enable this policy setting, the
This policy setting allows you to remove the volume control icon from the system control area. If you enable this policy setting
If you enable this policy the start menu will not show a link to the user's storage folder. If you disable or do not configure this p
This policy setting allows you to remove the user name label from the Start Menu in Windows XP and Windows Server 2003. If
Hides all folders on the user-specific (top) section of the Start menu. Other items appear, but folders are hidden. This setting is
This policy setting allows you to remove the Videos link from the Start Menu. If you enable this policy setting, the Start Menu d
This policy setting shows or hides the "Run as different user" command on the Start application bar. If you enable this setting, u
This policy setting controls whether the QuickLaunch bar is displayed in the Taskbar. If you enable this policy setting, the Quick
This policy setting allows you to turn off all notification balloons. If you enable this policy setting, no notification balloons are sh
This policy setting allows you to turn off automatic promotion of notification icons to the taskbar. If you enable this policy setti
This policy setting allows you to turn off feature advertisement balloon notifications. If you enable this policy setting, certain no
This setting affects the notification area, also called the "system tray." The notification area is located in the task bar, generally
Disables personalized menus. Windows personalizes long menus by moving recently used items to the top of the menu and hid
This policy setting allows you to turn off taskbar thumbnails. If you enable this policy setting, the taskbar thumbnails are not di
This policy setting allows you to turn off user tracking. If you enable this policy setting, the system does not track the programs
This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw no
This policy setting turns off tile notifications. If you enable this policy setting, applications and system features will not be
This policy setting turns off toast notifications for applications. If you enable this policy setting, applications will not be ab
This policy setting turns off toast notifications on the lock screen. If you enable this policy setting, applications will not be a
This policy setting determines how programs interpret two-digit years. This policy setting affects only the programs that use th
Specifies an alternate user interface. The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, b
This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. If you
Prevents Windows from running the programs you specify in this policy setting. If you enable this policy setting, users cannot r
This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that
Disables the Windows registry editor Regedit.exe. If you enable this policy setting and the user tries to start Regedit.exe, a mes
This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determine
This policy setting allows you to restrict programs from being run from online Help. If you enable this policy setting, yo
Limits the Windows programs that users have permission to run on the computer. If you enable this policy setting, users can on
This setting controls automatic updates to a user's computer. Whenever a user connects to the Internet, Windows searches fo
This policy setting prevents users from changing their Windows password on demand. If you enable this policy setting, the 'Ch
This policy setting prevents users from locking the system. While locked, the desktop is hidden and the system cannot be used
This policy setting disables or removes all menu items and buttons that log the user off the system. If you enable this policy setti
This policy setting prevents users from starting Task Manager. Task Manager (taskmgr.exe) lets users start and stop programs;
Determines how the system responds when a user tries to install device driver files that are not digitally signed. This setting est
This setting configures the location that Windows searches for drivers when a new piece of hardware is found. By default, Win
Specifies whether the administrator will be prompted about going to Windows Update to search for device drivers using the In
This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites,
This policy setting allows you to control whether individual redirected shell folders are available offline by default. For the folde
This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or si
This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to im
This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Progra
This policy setting determines which domain controller the Group Policy Object Editor snap-in uses. If you enable this setting, y
This policy setting defines a slow connection for purposes of applying and updating Group Policy. If the rate at which data is tra
This policy setting allows you to create new Group Policy object links in the disabled state. If you enable this setting, you can cr
This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. By default, interactively logged
This policy setting prevents administrators from viewing or using Group Policy preferences. A Group Policy administration (.adm
This policy setting allows you to set the default display name for new Group Policy objects. This setting allows you to specify th
This policy setting specifies how often Group Policy for users is updated while the computer is in use (in the background). This
Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy O
This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. If yo
This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file typ
This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing,
Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to re
This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience
This policy setting specifies whether users can provide ratings for Help content. If you enable this policy setting, ratings control
This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering w
This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandl
This policy setting specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to p
This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Orde
This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the
This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger so
This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows O
This policy setting prevents users from changing their user geographical location (GeoID). If you enable this policy setting, users
This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to th
This policy setting prevents the user from customizing their locale by changing their user overrides. Any existing overrides in pl
This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales t
This policy setting ignores the customized run list. You can create a customized list of additional programs and documents that
This policy setting ignores customized run-once lists. You can create a customized list of additional programs and documents th
This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the s
This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hiberna
Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage p
This policy setting denies read access to the CD and DVD removable storage class. If you enable this policy setting, read access
This policy setting denies write access to the CD and DVD removable storage class. If you enable this policy setting, write acces
This policy setting denies read access to custom removable storage classes. If you enable this policy setting, read access is deni
This policy setting denies write access to custom removable storage classes. If you enable this policy setting, write access is den
This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable t
This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable
This policy setting denies read access to removable disks. If you enable this policy setting, read access is denied to this removab
This policy setting denies write access to removable disks. If you enable this policy setting, write access is denied to this remova
This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a c
This policy setting denies read access to the Tape Drive removable storage class. If you enable this policy setting, read access is
This policy setting denies write access to the Tape Drive removable storage class. If you enable this policy setting, write access
This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays,
This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays
This policy setting displays the instructions in logoff scripts as they run. Logoff scripts are batch files of instructions that run wh
This policy setting displays the instructions in logon scripts as they run. Logon scripts are batch files of instructions that run whe
This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. Logon scripts are batch files o
This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface progr
This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during us
This policy setting restores the definitions of the %HOMESHARE% and %HOMEPATH% environment variables to those used in
This policy setting lets you exclude folders that are normally included in the user's profile. As a result, these folders do not nee
This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reach
This policy setting allows you to specify which network directories will be synchronized only at logon and logoff via Offline File
By default, Add features to Windows 8.1 is available for all administrators. If you enable this policy setting, the wizard will not
This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Be
This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Com
This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachment
This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin
This policy setting allows you to manage whether users can manually remove the zone information from saved file attachmen
This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types
This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Win
This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk fi
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are reg
This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. Preferring th
This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting, AutoPlay i
This policy setting allows you to prevent AutoPlay from remembering user's choice of what to do when a device is connected.
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.i
This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert
This policy setting allows you to configure the display of the password reveal button in password entry user experiences. If you
This policy setting allows you to restrict the installation of unsigned gadgets. Desktop gadgets can be deployed as compressed
This policy setting allows you to turn off desktop gadgets. Gadgets are small applets that display information or utilities on the
This policy setting allows you to turn off desktop gadgets that have been installed by the user. If you enable this setting, Windo
This policy setting allows you to configure the accessibility of the Flip 3D feature. Flip 3D allows the user to view items on the W
This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maxim
This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent user
This policy setting controls the default color for window frames when the user does not specify a color. If you enable this polic
Specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplac
If you enable this setting, users will not be allowed to switch between recent apps. The App Switching option in the PC settings
This policy setting prevents Windows from keeping track of the apps that are used and searched most frequently. If you enabl
Apply recommended EMET protections to Internet Explorer
Apply suggested EMET protections to other popular software
Apply recommended EMET protections to WordPad, Microsoft Office, Adobe Acrobat, Adobe Acrobat Reader, and Oracle Java
This setting is designed to ensure that shell extensions can operate on a per-user basis. If you enable this setting, Windows is d
Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorag
This policy setting allows you to specify a list of known folders that should be disabled. Disabling a known folder will prevent t
Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin. If you en
This policy setting configures File Explorer to always display the menu bar. Note: By default, the menu bar is not displayed in Fi
This policy setting allows you to prevent users from accessing Folder Options through the View tab on the ribbon in File Explor
This policy setting prevents the display of the Welcome Center at user logon. If you enable this policy setting, the Welcome Cen
When a file or folder is deleted in File Explorer, a copy of the file or folder is placed in the Recycle Bin. Using this setting, you c
Prevents users from submitting alternate logon credentials to install a program. This setting suppresses the "Install Program As
This policy setting determines whether Windows traces shortcuts back to their sources when it cannot find the target on the u
This policy setting allows you to hide these specified drives in My Computer. This policy setting allows you to remove the icons
Removes the Manage item from the File Explorer context menu. This context menu appears when you right-click File Explorer
This policy setting allows you to specify a location where all default Library definition files for users/machines reside. If you ena
Limits the percentage of a volume's disk space that can be used to store deleted files. If you enable this setting, the user has a
This policy setting allows you to set the maximum number of shortcuts the system can display in the Recent Items menu on th
This policy setting allows you to remove computers in the user's workgroup and domain from lists of network resources in File
Removes all computers outside of the user's workgroup or local domain from lists of network resources in File Explorer and Ne
This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search resul
This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu
Prevents users from using My Computer to gain access to the content of selected drives. If you enable this setting, users can br
This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Us
Prevents users from using File Explorer or Network Locations to map or disconnect network drives. If you enable this setting, th
This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if y
This policy setting allows you to remove the DFS tab from File Explorer. If you enable this policy setting, the DFS (Distributed Fi
Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-click an item. If you enab
Removes the File menu from My Computer and File Explorer. This setting does not prevent users from using other methods to
Removes the Hardware tab. This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in C
This policy setting allows you to remove the Search button from the File Explorer toolbar. If you enable this policy setting, the S
Removes the Security tab from File Explorer. If you enable this setting, users opening the Properties dialog box for all file system
This policy setting allows you to remove the Shared Documents folder from My Computer. When a Windows client is in a work
If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer
Disables the "Hide keyboard navigation indicators until I use the ALT key" option in Display in Control Panel. When this Display
This policy setting allows you to prevent users from enabling or disabling minor animations in the operating system for the mo
Prompts users for alternate logon credentials during network-based installations. This setting displays the "Install Program As O
This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are o
This policy setting allows you to turn off caching of thumbnail pictures. If you enable this policy setting, thumbnail views are no
This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with
Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the regist
This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical orde
This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full fun
Turns off the caching of thumbnails in hidden thumbs.db files. This policy setting allows you to configure File Explorer to cache
This policy setting allows you to turn off the display of snippets in Content view mode. If you enable this policy setting, File Exp
This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders. File Explore
This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer. File Exp
This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. If y
Turn off Windows+X hotkeys. Keyboards with a Windows key provide users with shortcuts to common shell features. For exam
This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior. If you enable this settin
Hide the Back button in the Open dialog box. This policy setting lets you remove new features added in Microsoft Windows 200
Removes the shortcut bar from the Open dialog box. This setting, and others in this folder, lets you remove new features adde
Removes the list of most recently used files from the Open dialog box. If you disable this setting or do not configure it, the "File
Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If you enable this setting you can specify f
Hides the Preview Pane in File Explorer. If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot
This policy setting shows or hides the Details Pane in File Explorer. If you enable this policy setting and configure it to hide the p
This policy setting lets you hide the list of previous versions of files that are on local disks. The previous versions could come fr
This policy setting lets you hide the list of previous versions of files that are on file shares. The previous versions come from th
This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backu
This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a p
This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a p
This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous
This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Gly
This policy setting allows you to restrict character code range of conversion by setting character filter. If you enable this policy
This policy setting allows you to turn off the ability to use a custom dictionary. If you enable this policy setting, you cannot add
This policy setting allows you to turn off history-based predictive input. If you enable this policy setting, history-based predictiv
This policy setting allows you to turn off Internet search integration. If you enable this policy setting, you cannot add a new sea
This policy setting allows you to turn off Open Extended Dictionary. If you enable this policy setting, Open Extended Dictionary
This policy setting allows you to turn off saving the auto-tuning result to file. If you enable this policy setting, the auto-tuning d
This policy setting allows you to turn on logging of misconversion for the misconversion report. If you enable this policy setting
Set up the menu name and URL for the custom Internet search provider. If you enable this setting, the specified menu name an
This policy setting turns off the location feature for this computer. If you enable this policy setting, the location feature is t
This policy setting turns off scripting for the location feature. If you enable this policy setting, scripts for the location featur
This policy setting turns off the sensor feature for this computer. If you enable this policy setting, the sensor feature is turn
Prevents users from entering author mode. This setting prevents users from opening the Microsoft Management Console (MM
Lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. -- If you enable this setting,
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
Permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-i
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
Permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-i
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
Permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-i
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
Permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active D
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
Make the automatic acceptance of incoming calls persistent.
Disables the Chat feature of NetMeeting.
Disables the directory feature of NetMeeting. Users will not logon to a directory (ILS) server when NetMeeting starts. Users wi
Disables the 2.x whiteboard feature of NetMeeting. The 2.x whiteboard is available for compatibility with older versions of Net
Disables the T.126 whiteboard feature of NetMeeting.
Configures NetMeeting to download settings for users each time it starts. The settings are downloaded from the URL listed in t
Limits the size of files users can send to others in a conference.
Prevents users from adding directory (ILS) servers to the list of those they can use for placing calls.
Prevents users from turning on automatic acceptance of incoming calls. This ensures that others cannot call and connect to Ne
Prevents users from changing the way calls are placed, either directly or via a gatekeeper server.
Prevents users from receiving files from others in a conference.
Prevents users from sending files to others in a conference.
Prevents users from viewing directories as Web pages in a browser.
Sets the level of security for both outgoing and incoming NetMeeting calls.
Sets the URL NetMeeting will display when the user chooses the Help Online Support command.
Disables the application sharing feature of NetMeeting completely. Users will not be able to host or view shared applications.
Prevents users from sharing applications in true color. True color sharing uses more bandwidth in a conference.
Prevents users from allowing others in a conference to control what they have shared. This enforces a read-only mode; the ot
Prevents users from sharing the whole desktop. They will still be able to share individual applications.
Prevents users from sharing anything themselves. They will still be able to view shared applications/desktops from others.
Prevents users from sharing command prompts. This prevents users from inadvertently sharing out applications, since comma
Prevents users from sharing Explorer windows. This prevents users from inadvertently sharing out applications, since Explorer
Disables the audio feature of NetMeeting. Users will not be able to send or receive audio.
Disables full duplex mode audio. Users will not be able to listen to incoming audio while speaking into the microphone. Older
Limits the bandwidth audio and video will consume when in a conference. This setting will guide NetMeeting to choose the ri
Prevents user from changing the DirectSound audio setting. DirectSound provides much better audio quality, but older audio
Prevents users from receiving video. Users will still be able to send video provided they have the hardware.
Prevents users from sending video if they have the hardware. Users will still be able to receive video from others.
Disables the Advanced Calling button on the General Options page. Users will not then be able to change the call placement m
Hides the Audio page of the Tools Options dialog. Users will not then be able to change audio settings.
Hides the General page of the Tools Options dialog. Users will not then be able to change personal identification and bandwid
Hides the Security page of the Tools Options dialog. Users will not then be able to change call security and authentication setti
Hides the Video page of the Tools Options dialog. Users will not then be able to change video settings.
This policy setting disables the Connect to a Network Projector wizard so that users cannot connect to a network projector. If
This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within
This policy setting turns off Windows presentation settings. If you enable this policy setting, Windows presentation settings can
If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Sess
Specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through a
Specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host serve
This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files fro
This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signe
Controls whether a user can save passwords using Remote Desktop Connection. If you enable this setting the credential saving
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted
If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option
This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client pr
Configures Remote Desktop Services to run a specified program automatically upon connection. You can use this setting to spe
This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be i
This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active be
This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this po
This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL
This policy setting prevents the user from using Internet Explorer as a feed reader. This policy setting has no impact on the Win
This policy setting prevents users from having Internet Explorer automatically discover whether a feed or Web Slice is available
This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's compute
This policy setting prevents the user from subscribing to or deleting a feed or a Web Slice. If you enable this policy setting, the
This policy setting controls whether to have background synchronization for feeds and Web Slices. If you enable this policy setti
This policy setting allows users to have their feeds authenticated through the Basic authentication scheme over an unencrypte
Specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record
Prevents start of InkBall game. If you enable this policy, the InkBall game will not run. If you disable this policy, the InkBall game
Prevents printing to Journal Note Writer. If you enable this policy, the Journal Note Writer printer driver will not allow printing
Prevents the snipping tool from running. If you enable this policy setting, the Snipping Tool will not run. If you disable this policy
Prevents start of Windows Journal. If you enable this policy, the Windows Journal accessory will not run. If you disable this polic
Disables visual pen action feedback, except for press and hold feedback. If you enable this policy, all visual pen action feedback
Removes the Back->ESC mapping that normally occurs when menus are visible, and for applications that subscribe to this beha
Prevents the user from launching an application from a Tablet PC hardware button. If you enable this policy, applications canno
Prevents press and hold actions on hardware buttons, so that only one action is available per button. If you enable this policy,
Turns off Tablet PC hardware buttons. If you enable this policy, no actions will occur when the buttons are pressed, and the bu
Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from prov
Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is availa
Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is availa
Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only
Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. Tablet PC Input Panel is a Tablet PC accessory th
Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is av
Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and W
Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture
Makes pen flicks learning mode unavailable. If you enable this policy, pen flicks are still available but learning mode is not. Pen
Makes pen flicks and all related features unavailable. If you enable this policy, pen flicks and all related features are unavailabl
Turns off Tablet PC Pen Training. If you enable this policy setting, users cannot open Tablet PC Pen Training. If you disable or do
Turn off Tablet PC touch input. Turns off touch input, which allows the user to interact with their computer using their finger. If
Turn off Panning. Turns off touch panning, which allows users to pan inside windows by touch. On a compatible PC with a tou
This setting removes the "Open advanced properties for this task when I click Finish" checkbox from the last page of the Sched
Prevents users from viewing and changing the properties of an existing task. This setting removes the Properties item from the
Prevents users from starting and stopping tasks manually. This setting removes the Run and End Task items from the context m
Limits newly scheduled tasks to items on the user's Start menu, and prevents the user from changing the scheduled program for exi
Prevents users from adding or removing tasks by moving or copying programs in the Scheduled Tasks folder. This setting disabl
Prevents users from creating new tasks. This setting removes the Add Scheduled Task item that starts the New Task Wizard. Al
Prevents users from deleting tasks from the Scheduled Tasks folder. This setting removes the Delete command from the Edit m
Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing
This policy setting affects the ability of users to install or uninstall color profiles. If you enable this policy setting, users cannot in
This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event lo
This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal s
This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. If you en
This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CA
This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. B
This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amo
This policy setting controls the behavior of the Windows Error Reporting archive. If you enable this policy setting, you can confi
This policy setting determines the behavior of the Windows Error Reporting report queue. If you enable this policy setting, you
This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is
This policy setting determines the default consent behavior of Windows Error Reporting. If you enable this policy setting, you c
This policy setting determines the consent behavior of Windows Error Reporting for specific event types. If you enable this poli
This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. If y
This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system. If you ena
This policy setting prevents users from installing any programs from removable media. If you enable this policy setting, if a use
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuc
This policy setting specifies the order in which Windows Installer searches for installation files. If you disable or do not configur
This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user
This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and
This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the
Windows Mail will not check your newsgroup servers for Communities support.
Denies or allows access to the Windows Mail application. If you enable this setting, access to the Windows Mail application is d
This policy setting allows or prevents Windows Media Center to run. Windows Media Center is a digital media player and video
This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. If you en
This policy setting allows you to prevent media information for music files from being retrieved from the Internet. If you enable
This policy setting allows you to prevent radio station presets from being retrieved from the Internet. If you enable this policy s
This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. If you enable this policy setting, sel
This policy setting allows you to specify the MMS proxy settings for Windows Media Player. If you enable this policy setting, sel
This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds. If you en
This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. If you enable this policy setting, sel
This policy setting allows you to hide the Network tab. If you enable this policy setting, the Network tab in Windows Media Pla
This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving stre
This policy setting allows a screen saver to interrupt playback. If you enable this policy setting, a screen saver is displayed durin
This policy setting allows you to prevent Windows Media Player from downloading codecs. If you enable this policy setting, the
Prevents the anchor window from being displayed when Windows Media Player is in skin mode. This policy hides the anchor w
This policy setting allows you to hide the Privacy tab in Windows Media Player. If you enable this policy setting, the "Update m
This policy setting allows you to hide the Security tab in Windows Media Player. If you enable this policy setting, the default sec
This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin. If you enable this polic
This policy setting allows you to prevent Windows Messenger from running. If you enable this policy setting, Windows Messen
This policy setting prevents Windows Messenger from automatically running at logon. If you enable this policy setting, Window
This policy setting turns off Windows Mobility Center. If you enable this policy setting, the user is unable to invoke Windows M
This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. If you enable th
This policy setting allows you to turn on logging for Windows PowerShell modules. If you enable this policy setting, pip
This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. If you enable this
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choic
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is displayed in the Shut Down Wi
This setting allows you to remove access to Windows Update. If you enable this setting, all Windows Update features are remo
This policy setting allows users to go to the desktop instead of the Start screen when they sign in, or when all the apps on a scr
This policy setting allows desktop apps to be listed first in the Apps view in Start. If you enable this policy setting, desktop apps
This policy setting allows pinning apps to Start by default, when they are included by AppID on the list.
This policy setting allows you to prevent users from changing their Start screen layout. If you enable this setting, you will preve
This policy setting prevents the user from searching apps, files, settings (and the web if enabled) when the user searches from
This policy setting allows the Start screen to appear on the display the user is using when they press the Windows logo key. Th
This policy setting allows the Apps view to be opened by default when the user goes to Start. If you enable this policy setting, t
Specifies the Start screen layout for users. This setting lets you specify the Start screen layout for users and prevents them from
This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. If you
This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. If you e
This policy setting blocks voice and video calls during Quiet Hours. If you enable this policy setting, voice and video calls wi
This policy setting turns off Quiet Hours functionality. If you enable this policy setting, toast notifications will not be su
This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to
Disables help tips that Windows shows to the user. By default, Windows will show the user help tips until the user has successf
This policy setting allows you to prevent the last app and the list of recent apps from appearing when the mouse is pointing to
This policy setting allows you to prevent users from replacing the Command Prompt with Windows PowerShell in the menu th
This policy setting allows you to prevent Search, Share, Start, Devices, and Settings from appearing when the mouse is pointing
Windows Runtime applications can protect content which has been associated with an enterprise identifier (EID), but can only
Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application w
Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to t
This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automa
This policy setting specifies the Work Folders server for affected users, as well as whether or not users are allowed to change s
Turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool
This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI schem
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can
This policy setting allows you to permit or prohibit use of Application snap-ins (Application preference item types). When proh
This policy setting allows you to permit or prohibit use of the Applications preference extension. When a preference extension
This policy setting allows you to permit or prohibit use of the Control Panel Settings item and all preference extensions listed in
This policy setting allows you to permit or prohibit use of the Control Panel Settings item and all preference extensions listed in
This policy setting allows you to permit or prohibit use of the Data Sources preference extension. When a preference extensio
This policy setting allows you to permit or prohibit use of the Devices preference extension. When a preference extension is p
This policy setting allows you to permit or prohibit use of the Drive Maps preference extension. When a preference extension
This policy setting allows you to permit or prohibit use of the Environment preference extension. When a preference extensio
This policy setting allows you to permit or prohibit use of the Files preference extension. When a preference extension is proh
This policy setting allows you to permit or prohibit use of the Folder Options preference extension. When a preference extens
This policy setting allows you to permit or prohibit use of the Folders preference extension. When a preference extension is pr
This policy setting allows you to permit or prohibit use of the Ini Files preference extension. When a preference extension is pr
This policy setting allows you to permit or prohibit use of the Internet Settings preference extension. When a preference exten
This policy setting allows you to permit or prohibit use of the Local Users and Groups preference extension. When a preferenc
This policy setting allows you to permit or prohibit use of the Network Options preference extension. When a preference exte
This policy setting allows you to permit or prohibit use of the Network Shares preference extension. When a preference exten
This policy setting allows you to permit or prohibit use of the Power Options preference extension. When a preference extens
This policy setting allows you to permit or prohibit use of the Preferences tab. When prohibited, the Preferences tab does not
This policy setting allows you to permit or prohibit use of the Printers preference extension. When a preference extension is p
This policy setting allows you to permit or prohibit use of the Regional Options preference extension. When a preference exte
This policy setting allows you to permit or prohibit use of the Registry preference extension. When a preference extension is p
This policy setting allows you to permit or prohibit use of the Scheduled Tasks preference extension. When a preference exten
This policy setting allows you to permit or prohibit use of the Services preference extension. When a preference extension is p
This policy setting allows you to permit or prohibit use of the Shortcuts preference extension. When a preference extension is
This policy setting allows you to permit or prohibit use of the Start Menu preference extension. When a preference extension
This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Se
This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote co
This policy setting allows you to specify whether the default client printer is the only printer redirected in Remote Desktop Ser
This policy setting allows you to specify whether the desktop is always displayed after a client connects to a remote computer
This policy setting allows you to specify whether desktop wallpaper is displayed to clients when they are connected to a remot
This policy setting allows you to specify how long a user's RemoteApp session will remain in a disconnected state after closing
Enabling this policy allows you to specify a list of paths to exclude from indexing by default. The user may override these paths
Enabling this policy allows you to specify a list of paths to index by default. The user may override these paths and exclude the
Enabling this policy prevents users from adding UNC locations to the index from the Search and Indexing Options in Control Pa
If enabled, Search and Indexing Options in Control Panel does not allow opening the Modify Locations dialog. Otherwise it can
If you enable this policy setting, you specify a list of paths to exclude from indexing. The user cannot enter any path that starts
This policy setting prevents search queries from being stored in the registry. If you enable this policy setting, search suggestion
y setting is enabled, the Control Panel opens to the icon view. If this policy setting is disabled, the Control Panel opens to the category view
ersonalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well
stemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users cannot start Control Panel or PC setti
e displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this settin
ves the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that
annot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system admi
s a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed s
t, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove feat
ge. This prevents users from using Add or Remove Programs to install programs from removable media. If you disable this setting or do not
g prevents users from using Add or Remove Programs to connect to Windows Update. If you disable this setting or do not configure it, "Add
ms from your network" section from the Add New Programs page. The "Add programs from your network" section lists published program
result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default pr
from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repa
ge. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, t
you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. Users can
When users try to start Display, a message appears explaining that a setting prevents the action. Also, see the "Prohibit access to the Cont
ol Panel to add, configure, or change the display settings on the computer.
disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot chang
style file. This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\a
pecified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the
setting, the theme that you specify will be applied when a new user logs on for the first time. This policy does not prevent the user from ch
setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. This s
e dialog in the Display Control Panel on systems where the Personalization feature is not available. This setting prevents users from using C
a user cannot change the color scheme of the current desktop theme. If you disable or do not configure this setting, a user may change th
use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop
dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons. If you enable this setting, none of the des
Mouse Control Panel to add, remove, or change the mouse pointers. If you enable this setting, none of the mouse pointer scheme settings c
is setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a sc
nd Control Panel to add, remove, or change the system Sound Scheme. If you enable this setting, none of the Sound Scheme settings can b
users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be
on their screens. When enabled on Windows XP, this setting disables the "Windows and buttons" drop-down list on the Appearance tab in
eens. If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. If you disable or do no
d, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will n
tting to direct users to a Web page from which they can install printers. If you enable this setting and type an Internet or intranet addr
his setting or do not configure it, when users choose to add a network printer by selecting the "A network printer, or a printer attached to
rd gives users the option of searching Active Directory for a shared printer. If you enable this policy setting, these searches begin at th
sers will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers
print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent fro
ndows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a do
tting is enabled, it removes the Add Printer option from the Start menu. (To find the Add Printer option, click Start, click Printers, and then c
ser tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting pre
ts users from accessing the "Get Programs" page from the Programs Control Panel in Category View, Programs and Features in Classic View
s" task. "Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downlo
pair programs that are currently installed on the computer. If this setting is disabled or not configured, "Programs and Features" will be ava
s a result, users cannot view or change the associated page. The Set Program Access and Computer Defaults page allows administrators to
rams Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or
om the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. Windows Marketplace allows
nd Features in Classic View. The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Window
nistrative options include interfaces for setting system locale and copying settings to the default user. This policy setting does not, howeve
Region settings control panel. This policy setting is used only to simplify the Regional Options control panel. If you enable this policy setting,
e Language and Regional Options control panel. This policy setting is used only to simplify the Regional Options control panel. If you enable
s policy setting is used only to simplify the Regional and Language Options control panel. If you enable this policy setting, the user does no
ntrols in the Region settings control panel. If the specified language is not installed on the target computer, the language selection default
computers with more than one UI language installed. If you enable this policy setting, the UI language of Windows menus and dialogs for sy
ser or an application from changing the setting programmatically. The autocorrect misspelled words option controls whether or not er
or an application from changing the setting programmatically. The highlight misspelled words option controls whether or not spellin
er, prevent the user or an application from changing the setting programmatically. The insert a space after selecting a text prediction o
user or an application from changing the setting programmatically. The offer text predictions as I type option controls whether or not t
zation. Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recogn
shared folder. If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a con
ge the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users
efcase, Recycle Bin, Computer, and Network Locations. Removing icons and shortcuts does not prevent the user from using another metho
.This setting does not prevent the user from starting Internet Explorer by using other methods.
does not prevent users from connecting to the network or browsing for shared computers on the network. Note: In operating systems earl
move toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars. Note: If users have added or removed to
toolbars on docked toolbars. This setting does not prevent users from adding or removing toolbars on the desktop. Note: If users have adju
tion of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog
mputer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Compu
from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. This setti
rties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-E
s icon. If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following: Right
operties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter d
he desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. This setting doe
up wizard does not automatically run on a user's workstation every 60 days. The user will also not be able to access the Desktop Cleanup W
rth with the mouse. If you enable this policy, application windows will not be minimized or restored when the active window is shaken b
ns for applying additional filters to search results. If you enable this setting, the filter bar appears when the Active Directory Find dialog box
rectory objects in a browse window. If you enable this setting, the Active Directory folder does not appear in the Network Locations folder.
or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Group
cular Web-based items or shortcuts to users' desktops. Users can close or delete the items (if settings allow), but the items are added agai
to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the D
specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can b
to enable or disable Active Desktop while a policy controls it. If you disable this setting or do not configure it, Active Desktop is disabled by
ng removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users canno
o enable or disable Active Desktop while a policy controls it. If you disable this setting or do not configure it, Active Desktop is disabled by d
tton from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the
ration. This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting rem
d items to the desktop but close them so they are not displayed. If you enable this setting, items added to the desktop cannot be closed; t
e button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their A
tting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each
are available to all users of the computer. To create an all-user remote access connection, on the Connection Availability page in the New C
te access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. If you enable this
e and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection
n all-user connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. If you enable this
Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the conn
setting, the Rename option is enabled for all users. Users can rename connections by clicking the icon representing a connection or by usi
s. The set of Network Connections group settings that existed in Windows 2000 Professional also exists in Windows XP Professional. In Win
whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users. If you
es of components used by a LAN connection. This setting determines whether the Properties button for components of a LAN connection is
all-user remote access connection. This setting determines whether the Properties button for components used by a private or all-user rem
enabled for administrators. The Advanced Settings item lets users view and change bindings and view and change the order in which the c
tions. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Make New Connecti
nections folder is enabled. The Remote Access Preferences item lets users create and change connections before logon and configure autom
access connection. This setting has no effect on nonadministrators. If you enable this setting (and enable the "Enable Network Connection
ctions. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability pag
s setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the
ble the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete any remote acce
ns. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the check boxes for enabli
are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection W
able the "Enable Network Connections settings for Administrators" setting), the Advanced button on the Internet Protocol (TCP/IP) Proper
e from the connection status taskbar icon or from the Status dialog box. The Status dialog box displays information about the connection
configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic pri
he server hosting the files. This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents
ts in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage
balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first
This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" se
As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot us
moves the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and d
ow often reminder balloon updates appear and also prevent users from changing this setting. Reminder balloons appear when the user's c
user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is
le this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local cop
Make Available Offline" command. If you enable this policy setting, the "Make Available Offline" command is not available for the files and f
ually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the "Work offline" command is not d
s that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter are a
he "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option wh
he "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option whi
setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only tha
ns appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and ar
y setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set
rvices (AD DS). If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS ro
in Services (AD DS). If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option in the Shared
DOS and 16-bit programs run on Windows 2000 Professional and Windows XP Professional in the Windows Virtual DOS Machine program.
rt menu. Adds the "Log Off <username>" item to the Start menu and prevents users from removing it. If you enable this setting, the Log Off
e start menu search box. This button launches the default browser with the search terms. If you disable this policy, there will not be a "Sea
nfigure this setting, the Run command is not visible on the Start menu by default, but it can be added from the Taskbar and Start menu pro
nu will set the power button to the chosen action, and not let the user change this action. If you set the button to either Sleep or Hibernat
ortcuts to recently used document files when the user logs off. As a result, the Recent Items menu on the Start menu is always empty whe
Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications
w user. If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new
users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing
tting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these program
you enable this policy setting, users are not able to show taskbars on more than one display. The multiple display section is not enabled in
asks, custom toolbars, the notification area, and the system clock. Toolbars include Quick Launch, Address, Links, Desktop, and other custo
ons. The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites and other relevant items
ently opened documents. If you enable this setting, the system and Windows programs do not create shortcuts to documents opened whil
or do not configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control p
o not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. If you
you disable or do not configure this policy, the start menu will search for internet history or favorites, unless the user chooses not to in
anel items. If you disable or do not configure this policy setting, the Start menu search box will search for programs and Control Panel items
to resolve a shortcut. If you enable this policy setting, the system does not conduct the final drive search. It just displays a message explain
u enable this policy setting, the system does not try to locate the file by using its file ID. It skips this step and begins a comprehensive searc
essional allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Sta
for users to distinguish between programs that are fully installed and those that are only partially installed. Partially installed programs inc
tion: The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system cloc
nnot access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar. If you disable or do no
cludes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the scre
his policy setting, the user will be prevented from opening the Taskbar Properties dialog box. If the user right-clicks the taskbar and then cl
consolidates similar applications when there is no room on the taskbar. It kicks in when the user's taskbar is full. If you enable this setting,
olicy setting, the user is not allowed to add or remove any toolbars to the taskbar. Applications are not able to add toolbars either. If you d
If you enable this policy setting, users are not able to drag their taskbar to another area of the monitor(s). If you disable or do not configur
tting, users are not able to drag or drop toolbars to the taskbar. If you disable or do not configure this policy setting, users are able to rearra
tting, users are not able to resize their taskbar. If you disable or do not configure this policy setting, users are able to resize their taskbar u
configure it, users can access the uninstall command from Start
his policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, th
policy setting, the "All Programs" item is removed from the simple Start menu. The Start Screen will show the All Apps view, but it will onl
Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-bas
item on the Start menu or in the notification area, the system displays pop-up text providing additional information about the object. If you
e clock will not be displayed in the system notification area. If you disable or do not configure this setting, the default behavior of the clock
rograms menu contains items from the All Users profile and items from the user's profile. If you enable this setting, only items in the user's
e this policy setting, the Default Programs link is removed from the Start menu. Clicking the Default Programs link from the Start menu ope
. If you enable this policy setting, the Documents icon is removed from the Start menu and its submenus. Enabling this policy setting only re
policy setting, the Start Menu does not show a link to the Downloads folder. If you disable or do not configure this policy setting, the Down
e this setting, the Display Favorites item does not appear in the Advanced Start menu options box. If you disable or do not configure this se
isable this setting or do not configure it, the frequently used programs list remains on the simple Start menu.
not configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu contr
policy setting, the Help command is removed from the Start menu. If you disable or do not configure this policy setting, the Help command
egroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu. If you disable or do not
y setting, users are prevented from connecting to the Windows Update Web site. Enabling this policy setting blocks user access to the Win
revents users from restoring it. If you enable this policy setting, the Log Off <username> item does not appear in the Start menu. This polic
tting, the Music icon is no longer available from Start Menu. If you disable or do not configure this policy setting, the Music icon is available
s policy setting, users are prevented from running Network Connections. Enabling this policy setting prevents the Network Connections fol
setting, the Network icon is no longer available from Start Menu. If you disable or do not configure this policy setting, the Network icon is a
etting, the Pictures icon is no longer available from Start Menu. If you disable or do not configure this policy setting, the Pictures icon is av
setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar. If you disable or do n
pin programs to the Start menu. In Windows XP and Windows Vista, the Internet and email checkboxes are removed from the 'Customize
the Control Panel, Printers, and Network and Connection folders are removed from Settings on the Start menu, and from Computer and F
ssic Start menu. The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that u
policy setting, the Start Menu does not show a link to the Recorded TV library. If you disable or do not configure this policy setting, the Re
. If you enable this setting, the following changes occur: (1) The Run command is removed from the Start menu. (2) The New Task (Run) com
h in the start menu search box. If you disable or do not configure this policy, the "See all results" link will be shown when the user performs
Explorer search elements. Note that this does not remove the search box from the new style Start menu. If you enable this policy setting,
e user performs a search in the start menu search box. If you disable or do not configure this policy, a "See more results" link will be shown
PC cannot be undocked. If you disable this setting or do not configure it, the "Undock PC" button remains on the simple Start menu, and y
e this policy setting, the Action Center icon is not displayed in the system notification area. If you disable or do not configure this policy setti
le this policy setting, the battery meter is not displayed in the system notification area. If you disable or do not configure this policy setting,
able this policy setting, the networking icon is not displayed in the system notification area. If you disable or do not configure this policy setti
u enable this policy setting, the volume control icon is not displayed in the system notification area. If you disable or do not configure this p
e or do not configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel.
d Windows Server 2003. If you enable this policy setting, the user name label is removed from the Start Menu in Windows XP and Window
s are hidden. This setting is designed for use with redirected folders. Redirected folders appear on the main (bottom) section of the Start m
y setting, the Start Menu does not show a link to the Videos library. If you disable or do not configure this policy setting, the Videos link is a
If you enable this setting, users can access the "Run as different user" command from Start for applications which support this functionalit
is policy setting, the QuickLaunch bar will be visible and cannot be turned off. If you disable this policy setting, the QuickLaunch bar will be
notification balloons are shown to the user. If you disable or do not configure this policy setting, notification balloons are shown to the use
you enable this policy setting, newly added notification icons are not temporarily promoted to the Taskbar. Users can still configure icons t
is policy setting, certain notification balloons that are marked as feature advertisements are not shown. If you disable or do not configure this
d in the task bar, generally at the bottom of the screen, and it includes the clock and current notifications. This setting determines whether
he top of the menu and hiding items that have not been used recently. Users can display the hidden items by clicking an arrow to extend th
kbar thumbnails are not displayed and the system uses standard text for the tooltips. If you disable or do not configure this policy setting, t
es not track the programs that the user runs, and does not display frequently used programs in the Start Menu. If you disable or do not co
le badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Se
ystem features will not be able to update their tiles and tile badges in the Start screen. If you disable or do not configure this policy se
applications will not be able to raise toast notifications. Note that this policy does not affect taskbar notification balloons. Note t
g, applications will not be able to raise toast notifications on the lock screen. If you disable or do not configure this policy setting, toast
y the programs that use this Windows feature to interpret two-digit years. If a program does not interpret two-digit years correctly, consul
iliar Windows interface, but you can use this setting to specify an alternate interface. If you enable this setting, the system starts the inter
me the user logs on. If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this poli
icy setting, users cannot run programs that you add to the list of disallowed applications. If you disable this policy setting or do not configu
el (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the CO
to start Regedit.exe, a message appears explaining that a policy setting prevents the action. If you disable this policy setting or do not confi
icy setting also determines whether batch files (.cmd and .bat) can run on the computer. If you enable this policy setting and the user tries
nable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file
policy setting, users can only run programs that you add to the list of allowed applications. If you disable this policy setting or do not config
net, Windows searches for updates available for the software and hardware on their computer and automatically downloads them. This h
this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del. Howeve
he system cannot be used. Only the user who locked the system or the system administrator can unlock it. If you enable this policy setting,
you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging
start and stop programs; monitor the performance of their computers; view and monitor all programs running on their computers, includ
tally signed. This setting establishes the least secure response permitted on the systems of users in the group. Users can use System in Con
e is found. By default, Windows searches the following places for drivers: local installation, floppy drives, CD-ROM drives, Windows Update
device drivers using the Internet. Note: This setting only has effect if "Turn off Windows Update device driver searching" in "Administrativ
ments, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. If you enable this po
ne by default. For the folders affected by this setting, users must manually select the files they wish to make available offline. If you disable
n to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. If you enable this policy se
policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want t
d names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and lega
f you enable this setting, you can choose which domain controller is used according to these options: "Use the Primary Domain Controller" indicat
he rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the
ble this setting, you can create all new Group Policy object links in the disabled state by default. After you configure and test the new obje
fault, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. If you enable this policy setting, interactive users
Policy administration (.adm) file can contain both true settings and preferences. True settings, which are fully supported by Group Policy, m
ng allows you to specify the default name for new Group Policy objects created from policy compliant Group Policy Management tools inc
(in the background). This setting specifies a background update rate only for the Group Policies in the User Configuration folder. In additio
ou open the Group Policy Object Editor. Administrators might want to use this if they are concerned about the amount of space used on th
re Internet resources. If you enable this setting, all of the policy settings listed in the "Internet Communication settings" section are set
with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications o
P. To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. Note: This policy setting does not prevent the client from p
ng tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Micro
ram. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can impr
icy setting, ratings controls are not added to Help content. If you disable or do not configure this policy setting, ratings controls are added
shing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage
pen a file with an unhandled file association. When a user opens a file that has an extension that is not associated with any applications on
allows a client to print to printers on the intranet as well as the Internet. Note: This policy setting affects the client side of Internet printing
Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enabl
he Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. The Web Publishing Wiz
w Windows Messenger software and service is used. With the Customer Experience Improvement program, users can allow Microsoft to c
p and Support. Windows Online provides the most up-to-date Help content for Windows. If you enable this policy setting, users are preven
ble this policy setting, users cannot change their GeoID. If you disable or do not configure this policy setting, users may select any GeoID. If y
The user is restricted to the set of locales that are installed with the operating system. This does not affect the selection of replacement loc
Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to
y, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a
rams and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 P
rograms and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to t
hen a user logs on to the system. If you enable this policy setting, you can specify which programs can run at the time the user logs on to th
n resuming from a hibernate or suspend state. If you enable this policy setting, the client computer is locked and prompted for a password
vidual removable storage policy settings. To manage individual classes, use the policy settings available for each class. If you enable this pol
policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allow
policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is all
setting, read access is denied to these removable storage classes. If you disable or do not configure this policy setting, read access is allowe
setting, write access is denied to these removable storage classes. If you disable or do not configure this policy setting, write access is allow
oppy Drives. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this po
oppy Drives. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this p
s is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable sto
ss is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable
boot in order to enforce a change in access rights to removable storage devices. If you enable this policy setting, you can set the number of
olicy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allow
olicy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allo
phones, auxiliary displays, and CE devices. If you enable this policy setting, read access is denied to this removable storage class. If you disa
phones, auxiliary displays, and CE devices. If you enable this policy setting, write access is denied to this removable storage class. If you dis
of instructions that run when the user logs off. By default, the system does not display the instructions in the logoff script. If you enable this
f instructions that run when the user logs on. By default, the system does not display the instructions in logon scripts. If you enable this po
on scripts are batch files of instructions that run when the user logs on. By default, Windows 2000 displays the instructions in logon scripts
e Explorer interface program and creates the desktop. If you enable this policy setting, File Explorer does not start until the logon scripts ha
owerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you e
variables to those used in Windows NT 4.0 and earlier. Along with %HOMEDRIVE%, these variables define the home directory of a user pro
t, these folders do not need to be stored by the network server on which the profile resides and do not follow users to other computers. N
when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. If you disable this policy setting
n and logoff via Offline Files. This policy setting is meant to be used in conjunction with Folder Redirection, to help resolve issues with appli
etting, the wizard will not run. If you disable this policy setting or set it to Not Configured, the wizard will run.
ktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store
onfigure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Ad
sk level for file attachments, you may also need to configure the trust logic for file attachments. High Risk: If the attachment is in the list of
about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail witho
rom saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialo
e list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet z
of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion l
the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inc
multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans fi
attachments. Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.e
s policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. If you disable or do not configure this policy setting,
hen a device is connected. If you enable this policy setting, AutoPlay prompts the user to choose what to do when a device is connect
nerally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media
drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.
try user experiences. If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the
e deployed as compressed files, either digitally signed or unsigned. If you enable this setting, gadgets that have not been digitally signed w
ormation or utilities on the desktop. If you enable this setting, desktop gadgets will be turned off. If you disable or do not configure this setti
enable this setting, Windows will not run any user-installed gadgets. If you disable or do not configure this setting, Windows will run user-i
user to view items on the Windows desktop as they are being flipped through in three dimensions. If you enable this policy setting, Flip 3D
ng, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. If you disable or do not confi
y setting, you prevent users from changing the default window frame color. If you disable or do not configure this policy setting, you allow
or. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a colo
with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the use
ng option in the PC settings app will be disabled as well. If you disable or do not configure this policy setting, users will be allowed to switch
st frequently. If you enable this policy setting, apps will be sorted alphabetically in: - search results - the Search and Share panes -
at Reader, and Oracle Java
e this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not im
to the IPropertySetStorage implementation, and to include the intermediate layers provided by the Property System. This behavior is con
nown folder will prevent the underlying file or directory from being created via the known folder API. If the folder exists before the policy
o the Recycle Bin. If you enable this setting, a confirmation dialog is displayed when a file is deleted or moved to the Recycle Bin by the use
u bar is not displayed in File Explorer. If you enable this policy setting, the menu bar will be displayed in File Explorer. If you disable or do no
on the ribbon in File Explorer. Folder Options allows users to change the way files and folders open, what appears in the navigation pane, a
y setting, the Welcome Center is not displayed at user logon. The user can access the Welcome Center using the Control Panel or Start men
n. Using this setting, you can change this behavior. If you enable this setting, files and folders that are deleted using File Explorer will not be
ses the "Install Program As Other User" dialog box for local and network installations. This dialog box, which prompts the current user for t
ot find the target on the user's system. Shortcut files typically include an absolute path to the original target file as well as the relative path
s you to remove the icons representing selected hard drives from My Computer and File Explorer. Also, the drive letters representing the s
ou right-click File Explorer or My Computer. The Manage item opens Computer Management (Compmgmt.msc), a console tool that include
machines reside. If you enable this policy setting, administrators can specify a path where all default Library definition files for users reside
his setting, the user has a maximum amount of disk space that may be used for the Recycle Bin on their workstation. If you disable or do no
Recent Items menu on the Start menu. The Recent Items menu contains shortcuts to the nonprogram files the user has most recently ope
f network resources in File Explorer and Network Locations. If you enable this policy setting, the system removes the "Computers Near Me"
rces in File Explorer and Network Locations. If you enable this setting, the system removes the Entire Network option and the icons represe
he bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allo
" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search bu
le this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folde
ers to the root of their Users Files folder in File Explorer. If you enable this policy setting, users will no longer be able to add new items suc
you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tool
modify re-writable CDs if you have a CD writer connected to your PC. If you enable this policy setting, all features in the File Explorer that a
ng, the DFS (Distributed File System) tab is removed from File Explorer and from other programs that use the File Explorer browser, such a
t-click an item. If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in File Ex
m using other methods to perform tasks available on the File menu.
nds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard
ble this policy setting, the Search button is removed from the Standard Buttons toolbar that appears in File Explorer and other programs th
dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, us
Windows client is in a workgroup, a Shared Documents icon appears in the File Explorer Web view under "Other Places" and also under "Fil
s a search in the Explorer window. If you disable this policy, there will be an "Internet" "Search again" link when the user performs a searc
ol Panel. When this Display Properties option is selected, the underlining that indicates a keyboard shortcut character (hot key) does not ap
perating system for the movement of windows, menus, and lists. If you enable this policy setting, the "Use transition effects for menus and
s the "Install Program As Other User" dialog box even when a program is being installed from files on a network computer across a local a
File Explorer windows are opened. If you enable this policy setting, you can set how the ribbon appears the first time users open File Explo
ng, thumbnail views are not cached. If you disable or do not configure this policy setting, thumbnail views are cached. Note: For shared corp
ve usability for users with some visual disabilities as well as improving performance and battery life in some scenarios.
being stored in the registry for future references. File Explorer shows suggestion pop-ups as users type into the Search Box. These sugges
her than in numerical order. If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111
ve. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the func
ure File Explorer to cache thumbnails of items residing in network folders in hidden thumbs.db files. If you enable this policy setting, File E
this policy setting, File Explorer will not display snippets in Content view mode. If you disable or do not configure this policy setting, File Exp
etwork folders. File Explorer displays thumbnail images on network folders by default. If you enable this policy setting, File Explorer display
he local computer. File Explorer displays thumbnail images by default. If you enable this policy setting, File Explorer displays only icons and
a to function properly. If you enable this policy, some Windows Libraries features will be turned off to better handle included folders that
on shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts File Exp
or. If you enable this setting, users cannot configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a r
in Microsoft Windows 2000 Professional, so the Open dialog box appears as it did in Windows NT 4.0 and earlier. This policy setting affect
emove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. The
o not configure it, the "File name" field includes a drop-down list of recently used files. If you enable this setting, the "File name" field is a s
is setting you can specify from 1 to 5 items to be displayed in the Places Bar. The valid items you may display in the Places Bar are: 1) Shortc
lorer is hidden and cannot be turned on by the user. If you disable, or do not configure this setting, the Preview Pane is hidden by default a
d configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the user. If you enable this policy setti
ous versions could come from the on-disk restore points or from backup media. If you enable this policy setting, users cannot list or restore
ous versions come from the on-disk restore points on the file share. If you enable this policy setting, users cannot list or restore previous ve
version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. If you enable this po
n the user has selected a previous version of a local file. If you enable this policy setting, the Restore button is disabled when the user select
n the user has selected a previous version of a local file, in which the previous version is stored on a backup. If you enable this policy setting
ser has selected a previous version of a file on a file share. If you enable this policy setting, the Restore button is disabled when the user se
n Publishing Standard Glyph for the word exists. If you enable this policy setting, Non-Publishing Standard Glyph is not included in the cand
r. If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You
cy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom d
ng, history-based predictive input is turned off. If you disable or do not configure this policy setting, history-based predictive input is on by
you cannot add a new search integration configuration file. A search integration configuration file that was installed before enabling this p
Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. For Japanese Microsoft IME, an Open Extended D
setting, the auto-tuning data is not saved to file. If you disable or do not configure this policy setting, auto-tuning data is saved to file by d
u enable this policy setting, misconversion logging is turned on. If you disable or do not configure this policy setting, misconversion logging
he specified menu name and URL will be used for Internet searches. If you disable or do not configure this setting, the default Internet search p
g, the location feature is turned off, and all programs on this computer are prevented from using location information from the location fe
ipts for the location feature will not run. If you disable or do not configure this policy setting, all location scripts will run.
, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. If you disable or do not configure t
Management Console (MMC) in author mode, explicitly opening console files in author mode, and opening any console files that open in au
If you enable this setting, all snap-ins are prohibited, except those that you explicitly permit. Use this setting if you plan to prohibit use of
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
ble the setting, the snap-in is prohibited. If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
ble the setting, the snap-in is prohibited. If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
ble the setting, the snap-in is prohibited. If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
d Computers and Active Directory Sites and Services snap-ins. If you enable this setting, the Group Policy tab is displayed in the property sh
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
nap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo

etMeeting starts. Users will also not be able to view or place calls via a NetMeeting directory. This policy is for deployers who have their ow
with older versions of NetMeeting only. Deployers who do not need it can save bandwidth by disabling it.

ed from the URL listed in the "Configuration URL:" text box. Group Policy based settings have precedence over any conflicting settings set b

not call and connect to NetMeeting when the user is not present. This policy is recommended when deploying NetMeeting to run always.

view shared applications.


conference.
s a read-only mode; the other participants cannot change the data in the shared application.

/desktops from others.


applications, since command prompts can be used to launch other applications.
applications, since Explorer windows can be used to launch other applications.

to the microphone. Older audio hardware does not perform well when in full duplex mode.
tMeeting to choose the right formats and send rate so that the bandwidth is limited.
o quality, but older audio hardware may not support it.

o from others.
hange the call placement method and the servers used.

dentification and bandwidth settings.


ity and authentication settings.

to a network projector. If you enable this policy setting, users cannot use the Connect to a Network Projector Wizard to connect to a proje
owed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can
s presentation settings cannot be invoked. If you disable this policy setting, Windows presentation settings can be invoked. The presentatio
ote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote
sion Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting.
o an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you
rdp) files and .rdp files from unknown publishers on the client computer. If you enable or do not configure this policy setting, users can run
from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such a
tting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. W
nts that represent trusted Remote Desktop Protocol (.rdp) file publishers. If you enable this policy setting, any certificate with an SHA1 thu
ession based on the option selected. Select the desired level of control and permission from the options list: 1. No remote control allowed:
d first to install all client printers. If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remo
can use this setting to specify a program to run automatically when a user logs on to a remote computer. By default, Remote Desktop Serv
nstead of disconnecting it. You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and th
p Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy setting, you must select
es session can be active before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in th
ssions. You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By
he default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are
g has no impact on the Windows RSS Platform. If you enable this policy setting, the user cannot access the feed list in the Favorites Center.
ed or Web Slice is available for an associated webpage. If you enable this policy setting, the user does not receive a notification on the tool
eed to the user's computer. If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through th
ble this policy setting, the menu command to subscribe to a feed and the menu command to delete a feed are disabled, and access to Web
you enable this policy setting, the ability to synchronize feeds and Web Slices in the background is turned off. If you disable or do not confi
cheme over an unencrypted HTTP connection. If you enable this policy setting, the Windows RSS Platform authenticates feeds to servers by
that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. If you enabl
his policy, the InkBall game will run. If you do not configure this policy, the InkBall game will run.
ver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. If you disable this
un. If you disable this policy setting, the Snipping Tool will run. If you do not configure this policy setting, the Snipping Tool will run.
run. If you disable this policy, the Windows Journal accessory will run. If you do not configure this policy, the Windows Journal accessory wi
visual pen action feedback is disabled except for press and hold feedback. Additionally, the mouse cursors are shown instead of the pen c
that subscribe to this behavior. If you enable this policy, a button assigned to Back will not map to ESC. If you disable this policy, Back->ESC
s policy, applications cannot be launched from a hardware button, and "Launch an application" is removed from the drop down menu for
. If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: "Som
ns are pressed, and the buttons tab in Tablet PC Control Panel will be removed. If you disable this policy, user and OEM defined button acti
Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab w
here this behavior is available. This policy applies only when using a tablet pen as an input device. Tablet PC Input Panel is a Tablet PC acce
here this behavior is available. This policy applies only when a user is using touch input. Tablet PC Input Panel is a Tablet PC accessory that
xt. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. Th
s a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard short
s where this behavior is available. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keybo
Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default, preventing users from switching
shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. The tolerant gestures let users scratch out in
learning mode is not. Pen flicks are off by default and can be turned on system-wide, but cannot be restricted to learning mode applicatio
ed features are unavailable. This includes: pen flicks themselves, pen flicks training, pen flicks training triggers in Internet Explorer, the pen
aining. If you disable or do not configure this policy setting, users can open Tablet PC Pen Training.
puter using their finger. If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch
compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on th
the last page of the Scheduled Task Wizard. This policy is only designed to simplify task creation for beginning users. The checkbox, when
e Properties item from the File menu in Scheduled Tasks and from the context menu that appears when you right-click a task. As a result, u
k items from the context menu that appears when you right-click a task. As a result, users cannot start tasks manually or force tasks to end
scheduled program for existing tasks. This setting removes the Browse button from the Schedule Task Wizard and from the Task tab of the
s folder. This setting disables the Cut, Copy, Paste, and Paste Shortcut items on the context menu and the Edit menu in Scheduled Tasks. It
s the New Task Wizard. Also, the system does not respond when users try to move, paste, or drag programs or documents into the Schedu
command from the Edit menu in the Scheduled Tasks folder and from the menu that appears when you right-click a task. Also, the system
sonal calendars, publishing them, and subscribing to other users' calendars. If you enable this setting, Windows Calendar will be turned off. I
licy setting, users cannot install new color profiles or uninstall previously installed color profiles. If you disable or do not configure this polic
ges to the system event log. If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. If yo
her Microsoft or internal servers within your organization when software unexpectedly stops working or fails. If you enable this policy setti
oft automatically. If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting r
vel report data even if a CAB file containing data about the same event types has already been uploaded to the server. If you enable this po
nning on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload add
olicy that restricts the amount of data that is sent over the network. If you enable this policy setting, WER does not check for network cost
olicy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for ea
ble this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pul
Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in error
le this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that
ypes. If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name
ustom consent settings. If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other co
m on the system. If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for program
this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears
se an interrupted or unsuccessful installation. If you enable this policy setting, Windows Installer is prevented from recording the original st
disable or do not configure this policy setting, by default, the Windows Installer searches the network first, then removable media (floppy
o expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire. If you enab
ontacted during logon and he has been logged on using previously stored account information. If enabled, a notification popup will be disp
he actions include lock the workstation, disconnect the user, or log the user off completely. If you choose to lock or disconnect a session, t

ndows Mail application is denied. If you disable or do not configure this setting, access to the Windows Mail application is allowed.
tal media player and video recorder that allows users to organize and play music and videos, and to view and record live television. If you e
rom the Internet. If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Intern
m the Internet. If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such
t. If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displayi
able this policy setting, select one of the following proxy types: - Autodetect: the proxy settings are automatically detected. - Custom: uniqu
able this policy setting, select one of the following proxy types: - Autodetect: the proxy settings are automatically detected. - Custom: uniqu
umber of seconds. If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is
able this policy setting, select one of the following proxy types: - Autodetect: the proxy settings are automatically detected. - Custom: uniqu
tab in Windows Media Player is hidden. The default network settings are used unless the user has previously defined network settings for
tocols when receiving streaming media from a server running Windows Media Services. If you enable this policy setting, the protocols that
en saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties d
able this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download code
policy hides the anchor window when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users
cy setting, the "Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet" check box on the M
licy setting, the default security settings for the options on the Security tab are used unless the user changed the settings previously. Users
kin. If you enable this policy setting, the Player displays only in skin mode using the skin specified in the Skin box on the Setting tab. You mu
setting, Windows Messenger does not run. If you disable or do not configure this policy setting, Windows Messenger can be used. Note: If
this policy setting, Windows Messenger is not loaded automatically when a user logs on. If you disable or do not configure this policy settin
able to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not
elp cmdlet. If you enable this policy setting, the Update-Help cmdlet will use the specified value as the default value for the SourcePath par
able this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Ev
d to run. If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The "Allow only signed scripts" policy
wed to be the default choice in the Shut Down Windows dialog. If you enable this policy setting, the user's last shut down choice (Hibernate
ayed in the Shut Down Windows dialog box. If you enable this policy setting, 'Install Updates and Shut Down' will not appear as a choice in
Update features are removed. This includes blocking access to the Windows Update Web site at http://windowsupdate.microsoft.com, fro
when all the apps on a screen are closed. This policy setting applies to all versions of Windows, and versions of Windows Server with the
olicy setting, desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would co

this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customiz
en the user searches from the Apps view. This policy setting is only applied when the Apps view is set as the default view for Start. If you en
the Windows logo key. This setting only applies to users who are using multiple displays. If you enable this policy setting, the Start screen w
enable this policy setting, the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the Apps vi
rs and prevents them from changing its configuration. The Start screen layout you specify must be stored in an XML file that was generate
begin each day. If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hou
end each day. If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours
g, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize
notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each
that require an account to sign in. This policy only affects Windows Store apps that support it. If you enable this policy setting, Windows S
until the user has successfully completed the scenarios. If this setting is enabled, Windows will not show any help tips to the user.
n the mouse is pointing to the upper-left corner of the screen. If you enable this policy setting, the user will no longer be able to switch to r
PowerShell in the menu they see when they right-click the lower-left corner or press the Windows logo key + X. If you enable this policy setti
when the mouse is pointing to the upper-right corner of the screen. If you enable this policy setting, Search, Share, Start, Devices, and Settin
entifier (EID), but can only revoke access to content it protected. To allow an application to revoke access to all content on the device that
tting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this setting the Store ap
ation is denied. Access to the Store is required for installing app updates. If you disable or don't configure this setting, access to the Store ap
e sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other tha
rs are allowed to change settings when setting up Work Folders on a domain-joined computer. If you enable this policy setting, affected us
nition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing sam
sktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI schem
ap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
ap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
ap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
ap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
ap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
ap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
ap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
ap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
ap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
ap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
ap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
ce item types). When prohibited, no Application preference item types appear when you attempt to create a new Application preference i
en a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable thi
ference extensions listed in the Group Policy Management Editor window of the GPMC under Computer Configuration\Preferences\Contro
ference extensions listed in the Group Policy Management Editor window of the GPMC under User Configuration\Preferences\Control Pan
hen a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable th
preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this pol
en a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this
hen a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable th
eference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy
When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable
preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this pol
preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this pol
. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enabl
ension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you
n. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enab
When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable
When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable
Preferences tab does not appear when you view a preference extension in the Group Policy Management Editor window of the GPMC. Th
preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this po
. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enab
preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this po
When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enabl
preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this po
a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this p
en a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this
to the Remote Desktop Services session. If you enable this policy setting, clients that are capable of time zone redirection send their time z
tion) between a remote computer and a client computer during a Remote Desktop Services session. You can use this setting to prevent use
ed in Remote Desktop Services sessions. If you enable this policy setting, only the default client printer is redirected in Remote Desktop Se
cts to a remote computer or whether an initial program can run. It can require that the desktop be displayed after a client connects to a re
y are connected to a remote server using RDP. You can use this setting to enforce the removal of wallpaper during a Remote Desktop Servi
nected state after closing all RemoteApp programs before the session is logged off from the RD Session Host server. By default, if a user cl
r may override these paths and include them in indexing. On a per-user basis, this policy setting will work only if a protocol handler referen
ese paths and exclude them from indexing. On a per-user basis, this policy setting will work only if a protocol handler referencing a SID-ba
exing Options in Control Panel. Any UNC locations that have already been added to the index by the user will not be removed. When this p
ns dialog. Otherwise it can be opened. Disabled by default.
enter any path that starts with one of the paths you specified. On a per-user basis, this policy setting will work only if a protocol handler r
setting, search suggestions based on previous searches won't appear in the search pane. Search suggestions provided by apps or by Wind
nel opens to the category view. If this policy setting is not configured, the Control Panel opens to the view used in the last Control Panel ses
Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that u
t start Control Panel or PC settings, or run any of their items. This setting removes Control Panel from: The Start screen; File Explorer. This setti
those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items
tion lists system services that have not been configured and offers users easy access to the configuration tools. If you disable this setting or
or assigned by a system administrator. If you disable this setting or do not configure it, the Add New Programs button is available to all use
lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows fr
all, repair, add, or remove features of installed programs. If you disable this setting or do not configure it, the Change or Remove Programs
u disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting do
ng or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools
ection lists published programs and provides an easy way to install them. Published programs are those programs that the system administ
ministrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessi
ets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Window
on" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation
grams" page opens. Users can use the Category box on the "Add New Programs" page to display programs in other categories. To use this s
e "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings

As a result, users cannot change the screen saver options. If you do not configure it, this setting has no effect on the system. If you enable it
a UNC path (\\Server\Share\aero.msstyles). If you enable this setting, the visual style file that you specify will be used. Also, a user may not
he Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver. If you disable
s not prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen s
set on any screen saver. This setting also disables the "Password protected" checkbox on the Screen Saver dialog in the Personalization or
g prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista
setting, a user may change the color scheme of the current desktop theme. For Windows 7 and later, use the "Prevent changing color and
n (wallpaper) to their desktop. If you enable this setting, none of the Desktop Background settings can be changed by the user. To specify w
le this setting, none of the desktop icons can be changed by the user. For systems prior to Windows Vista, this setting also hides the Deskto
ouse pointer scheme settings can be changed by the user.
puter. It does not prevent a screen saver from running.
e Sound Scheme settings can be changed by the user.
, and screen saver can still be changed (unless policies are set to turn them off). If you disable or do not configure this setting, there is no e
list on the Appearance tab in Display Properties. When enabled on Windows XP and later systems, this setting prevents users and applicati
isabled. If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appeara
to zero, the screen saver will not be started. This setting has no effect under any of the following circumstances: - The setting is disabled
e an Internet or intranet address in the text box, the system adds a Browse button to the "Specify a Printer" page in the Add Printer Wizar
inter, or a printer attached to another computer" radio button on Add Printer Wizard's page 2, and also check the "Connect to this printer
tting, these searches begin at the location you specify in the "Default Active Directory path" box. Otherwise, searches begin at the root of A
nt and print, client computers will check the driver signature of all drivers that are downloaded from print servers. If this setting is disabled
is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connec
uters that are members of a domain. If you enable this policy setting: - Windows XP and later clients will only download print driv
Start, click Printers, and then click Add Printer.) This setting also removes Add Printer from the Printers folder in Control Panel. Also, u
rs explaining that a setting prevents the action. This setting does not prevent users from running other programs to delete a printer.
ms and Features in Classic View and the "Install a program from the network" task. The "Get Programs" page lists published programs and
The updates are often downloaded directly from Windows Update or from various program publishers. If this setting is disabled or not confi
rams and Features" will be available to all users. This setting does not prevent users from using other tools and methods to view or uninsta
page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify th
users cannot view, enable, or disable various Windows features and services. If this setting is disabled or is not configured, the "Turn Wind
Windows Marketplace allows users to purchase and/or download various programs to their computer for installation. Enabling this feature
ms, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplac
olicy setting does not, however, prevent an administrator or another application from changing these values programmatically. This policy
you enable this policy setting, the user does not see the option to change the GeoID. This does not prevent the user or an application from
ns control panel. If you enable this policy setting, the user does not see the option for changing the UI language. This does not prevent the
olicy setting, the user does not see the regional formats options. This does not prevent the user or an application from changing their user
he language selection defaults to English. If you enable this policy setting, the dialog box controls in the Regional and Language Options co
dows menus and dialogs for systems with more than one language is restricted to a specified language for the selected user. If the specifie
tion controls whether or not errors in typed text will be automatically corrected. If the policy is Enabled, then the option will be locked
ntrols whether or not spelling errors in typed text will be highlighted. If the policy is Enabled, then the option will be locked to not hig
er selecting a text prediction option controls whether or not a space will be inserted after the user selects a text prediction candidate when
tion controls whether or not text prediction suggestions will be presented to the user on the on-screen keyboard. If the policy is Enabl
help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing message
d folder, the system adds a connection to the shared folder to Network Locations. If you enable this setting, shared folders are not added t
bar, are not saved when users log off. However, shortcuts placed on the desktop are always saved.
ser from using another method to start the programs or opening the items they represent. Also, see "Items displayed in Places Bar" in User

ote: In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon.
ers have added or removed toolbars, this setting prevents them from restoring the default configuration. Tip: To view the toolbars that can
esktop. Note: If users have adjusted their toolbars, this setting prevents them from restoring the default configuration. Also, see the "Preven
f the folder's Properties dialog box. If you enable this setting, users are unable to type a new location in the Target box.
he user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows
dard Open dialog box. This setting does not prevent the user from using other methods to gain access to the contents of the My Document
the File menu. Likewise, Alt-Enter does nothing when Computer is selected. If you disable or do not configure this setting, the Properties
oes any of the following: Right-clicks the My Documents icon. Clicks the My Documents icon, and then opens the File menu. Clicks the My D
icks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. If you disable or do not configure this setting, the Properties option
en dialog box. This setting does not prevent the user from using other methods to gain access to the contents of the Recycle Bin folder. Not
access the Desktop Cleanup Wizard. If you disable this setting or do not configure it, the default behavior of the Desktop Clean Wizard run
the active window is shaken back and forth with the mouse. If you disable or do not configure this policy, this window minimizing and rest
ctive Directory Find dialog box opens, but users can hide it. If you disable this setting or do not configure it, the filter bar does not appear, b
the Network Locations folder. If you disable this setting or do not configure it, the Active Directory folder appears in the Network Location
hose in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects
, but the items are added again each time the setting is refreshed. You can also use this setting to delete particular Web-based items from
gh the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, a
he wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file. To use this setting, type the fully qualified path and name o
Active Desktop is disabled by default, but users can enable it. Note: If both the "Enable Active Desktop" setting and the "Disable Active Des
Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. Note: This setting does not disa
Active Desktop is disabled by default, but users can enable it. Note: If both the "Enable Active Desktop" setting and the "Disable Active Des
Internet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop, or prevent users from
s in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop.
e desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Displ
lete, Web content from their Active Desktop. This setting does not prevent users from adding Web content to their Active Desktop. Also, se
s item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchron
Availability page in the New Connection Wizard, click the "For all users" option. This setting determines whether the Properties menu item
sers" option. If you enable this setting, all users can delete shared remote access connections. In addition, if your file system is NTFS, users
able/disable a LAN connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. If you
ers" option. If you enable this setting, the Rename option is enabled for all-user remote access connections. Any user can rename all-user
an icon representing the connection or by using the File menu. If you disable this setting, the Rename option is disabled for nonadministra
senting a connection or by using the File menu. If you disable this setting (and enable the "Enable Network Connections settings for Admin
ndows XP Professional. In Windows 2000 Professional, all of these settings had the ability to prohibit the use of certain features from Adm
box is available to users. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the
ponents of a LAN connection is enabled. If you enable this setting (and enable the "Enable Network Connections settings for Administrators
ed by a private or all-user remote access connection is enabled. If you enable this setting (and enable the "Enable Network Connections se
ange the order in which the computer accesses connections, network providers, and print providers. If you enable this setting (and enable
tting), the Make New Connection icon does not appear in the Start Menu or in the Network Connections folder. As a result, users (includin
ore logon and configure automatic dialing and callback features. If you enable this setting (and enable the "Enable Network Connections se
"Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are di
he Connection Availability page in the New Connection Wizard, click the "Only for myself" option. This setting determines whether the Pro
the icon has no effect, and the Connect and Disconnect menu items are disabled for all users (including administrators). Important: If the "
annot delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connec
ng), the check boxes for enabling and disabling components are disabled. As a result, administrators cannot enable or disable the compone
page in the New Connection Wizard, click the "Only for myself" option. If you enable this setting (and enable the "Enable Network Connec
ernet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users cannot open the Advance
mation about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection. If yo
ssignment of an automatic private IP address" (i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be r
Offline Files tab. This prevents users from trying to change the option while a setting controls it. If you enable this setting, you can use the "
y when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to
eriodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displaye
ction on server disconnect" setting. To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type th
omputer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. This setting do
ffline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the
oons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first rem
e first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can
ndows will still cache local copies of files that reside on network shares designated for automatic caching.If you disable or do not configur
not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Val
ork offline" command is not displayed in File Explorer.If you disable or do not configure this policy setting, the "Work offline" command is
tting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents
rying to change the option while a setting controls it.If you enable this setting, offline files are fully synchronized. Full synchronization ensu
ying to change the option while a setting controls it.If you enable this setting, offline files are fully synchronized at logon. Full synchronizati
on to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files
tion to a networked file and are working on a local copy of the file. Users can then decide how to proceed.If you enable this setting, the sys
n related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. If you disable or do not config
tory" option to publish DFS roots as shared folders in AD DS. If you disable this policy setting, users cannot publish DFS roots in AD DS and
Directory" option in the Shared Folders snap-in to publish shared folders in AD DS.If you disable this policy setting, users cannot publish sha
Virtual DOS Machine program. VDM simulates a 16-bit environment, complete with the DLLs required by 16-bit programs. By default, all 16
enable this setting, the Log Off <username> item appears in the Start menu. This setting also removes the Display Logoff item from Start M
policy, there will not be a "Search the Internet" link when the user performs a search in the start menu search box. If you do not con
he Taskbar and Start menu properties. If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu p
on to either Sleep or Hibernate, and that state is not supported on a computer, then the button will fall back to Shut Down.If you disable o
art menu is always empty when the user logs on. In addition, recently and frequently used items in the Jump Lists off of programs in the St
versions of these notifications will be cleared when the user logs off.If you disable or do not configure this setting, the system retains noti
d with programs for each new user.
ers also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show.If yo
to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Task
isplay section is not enabled in the taskbar properties dialog.If you disable or do not configure this policy setting, users can show taskbars
inks, Desktop, and other custom toolbars created by the user or by an application.If this setting is enabled, the taskbar does not display an
ites and other relevant items for that program. This helps users more easily reopen their most important documents and other tasks.If yo
uts to documents opened while the setting is in effect. Also, they retain but do not display existing document shortcuts. The system emptie
to in the start menu control panel.
irectly in Control Panel. If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user perform
less the user chooses not to in the start menu control panel.
grams and Control Panel items, unless the user chooses not to do so directly in Control Panel.
ust displays a message explaining that the file is not found.If you disable or do not configure this policy setting, by default, when the system
begins a comprehensive search of the drive specified in the target path.If you disable or do not configure this policy setting, by default, wh
ne menu. When the classic Start menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and
Partially installed programs include those that a system administrator assigns using Windows Installer and those that users have configured
tifications and the system clock. If this setting is enabled, the user's entire notification area, including the notification icons, is hidden. Th
askbar.If you disable or do not configure this policy setting, the user will be able to set any taskbar setting that is not prevented by anothe
cated at the bottom of the screen, but it can be dragged to any side of the screen. When it is locked, it cannot be moved or resized.If you e
-clicks the taskbar and then clicks Properties, a message appears explaining that a setting prevents the action.If you disable or do not confi
full.If you enable this setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is alw
to add toolbars either.If you disable or do not configure this policy setting, the users and applications are able to add toolbars to the taskb
you disable or do not configure this policy setting, users are able to drag their taskbar to another area of the monitor unless prevented by
etting, users are able to rearrange the toolbars on the taskbar.
re able to resize their taskbar unless prevented by another setting.

n, such as the Start button, the clock, and the taskbar buttons.If you disable or do not configure this policy setting, the context menus for
he All Apps view, but it will only contain items that are pinned to start.If you disable or do not configure this policy setting, the "All Program
ers from running Windows-based programs that perform these functions.If you enable this policy setting, the Power button and the Shut D
mation about the object.If you enable this setting, some of this pop-up text is not displayed. The pop-up text affected by this setting includ
default behavior of the clock appearing in the notification area will occur.
setting, only items in the user's profile appear in the Programs menu.Tip: To see the Program menu items in the All Users profile, on the sy
link from the Start menu opens the Default Programs control panel and provides administrators the ability to specify default programs fo
abling this policy setting only removes the icon. It does not prevent the user from using other methods to gain access to the contents of th
e this policy setting, the Downloads link is available from the Start Menu.
ble or do not configure this setting, the Display Favorite item is available. Note: The Favorites menu does not appear on the Start menu by

move it in the start menu control panel.


cy setting, the Help command is available from the Start menu.This policy setting only affects the Start menu. It does not remove the Help
nu. If you disable or do not configure this policy, users can use the Start Menu options to add or remove the homegroup link from the St
blocks user access to the Windows Update Web site at http://windowsupdate.microsoft.com. Also, the policy setting removes the Windo
r in the Start menu. This policy setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot restore the
ng, the Music icon is available from Start Menu.
s the Network Connections folder from opening. This policy setting also removes Network Connections from Settings on the Start menu.Ne
y setting, the Network icon is available from Start Menu.
setting, the Pictures icon is available from Start Menu.
e Taskbar.If you disable or do not configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar.
emoved from the 'Customize Start Menu' dialog. If you disable this setting or do not configure it, the "Pinned Programs" list remains on th
enu, and from Computer and File Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running.
y opened. It appears so that users can easily reopen their documents.If you enable this setting, the system saves document shortcuts but
gure this policy setting, the Recorded TV link is available from the Start Menu.
u. (2) The New Task (Run) command is removed from Task Manager. (3) The user will be blocked from entering the following into the Inter
hown when the user performs a search in the start menu search box.
you enable this policy setting, the Search item is removed from the Start menu and from the context menu that appears when you right-c
ore results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a
the simple Start menu, and your PC can be undocked.
do not configure this policy setting, the Action Center icon is displayed in the system notification area.
ot configure this policy setting, the battery meter is displayed in the system notification area.
do not configure this policy setting, the networking icon is displayed in the system notification area.
able or do not configure this policy setting, the volume control icon is displayed in the system notification area.
e start menu control panel.
u in Windows XP and Windows Server 2003.To remove the user name folder on Windows Vista, set the "Remove user folder link from Sta
bottom) section of the Start menu. However, the original, user-specific version of the folder still appears on the top section of the Start me
icy setting, the Videos link is available from the Start Menu.
which support this functionality.If you disable this setting or do not configure it, users cannot access the "Run as different user" command
g, the QuickLaunch bar will be hidden and cannot be turned on.If you do not configure this policy setting, then users will be able to turn the
balloons are shown to the user.
Users can still configure icons to be shown or hidden in the Notification Control Panel.If you disable or do not configure this policy setting, n
u disable or do not configure this policy setting, feature advertisement balloons are shown.
is setting determines whether the items are always expanded or always collapsed. By default, notifications are collapsed. The notification
y clicking an arrow to extend the menu.If you enable this setting, the system does not personalize menus. All menu items appear and rema
configure this policy setting, the taskbar thumbnails are displayed.
enu.If you disable or do not configure this policy setting, the system tracks the programs that the user runs. The system uses this informati
Windows Push Notification Service (WNS). This policy setting also stops applications from being able to poll application services to update
do not configure this policy setting, tile and badge notifications are enabled and can be turned off by the administrator or user. No re
tification balloons. Note that Windows system features are not affected by this policy. You must enable/disable system features indi
figure this policy setting, toast notifications on the lock screen are enabled and can be turned off by the administrator or user. No rebo
wo-digit years correctly, consult the documentation or manufacturer of the program.If you enable this policy setting, the system specifies t
ng, the system starts the interface you specify instead of Explorer.exe.To use this setting, copy your interface program to a network share
to a computer where this policy is applied. Users can still display the welcome screen by selecting it on the Start menu or by typing "Welc
olicy setting or do not configure it, users can run any programs.This policy setting only prevents users from running programs that are star
interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registere
s policy setting or do not configure it, users can run Regedit.exe normally.To prevent users from using other administrative tools, use the "
olicy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.If
s policy setting, enter the file names of the programs you want to restrict, separated by commas. If you disable or do not c
policy setting or do not configure it, users can run all applications.This policy setting only prevents users from running programs that are s
tically downloads them. This happens in the background, and the user is prompted when downloaded components are ready to be installe
you press Ctrl+Alt+Del.However, users are still able to change their password when prompted by the system. The system prompts users fo
you enable this policy setting, users cannot lock the computer from the keyboard using Ctrl+Alt+Del.If you disable or do not configure this
ill prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu.Also, see the 'Rem
ing on their computers, including system services; find the executable names of programs; and change the priority of the process in which
. Users can use System in Control Panel to select a more secure setting, but when this setting is enabled, the system does not implement a
ROM drives, Windows Update.Using this setting, you may remove the floppy and CD-ROM drives from the search algorithm.If you enable
r searching" in "Administrative Templates/System/Internet Communication Management/Internet Communication settings" is disabled or
by default.If you enable this policy setting, users must manually select the files they wish to make available offline. If you disable or do not
available offline.If you disable or do not configure this policy setting, all redirected shell folders are automatically made available offline. A
on.If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Red
here the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office.To desig
he parent Start Menu and legacy My Documents folder respectively.If you enable this policy setting, Windows Vista, Windows 7, Windows
ry Domain Controller" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller designated
n this group is slower than the rate specified by this setting, the system considers the connection to be slow.The system's response to a slo
nfigure and test the new object links by using a policy compliant Group Policy management tool such as Active Directory Users and Comp
policy setting, interactive users cannot generate RSoP data.If you disable or do not configure this policy setting, interactive users can gener
y supported by Group Policy, must use registry entries in the Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies re
Policy Management tools including the Group Policy tab in Active Directory tools and the GPO browser.The display name can contain env
Configuration folder.In addition to background updates, Group Policy for users is always updated when users log on.By default, user Group
he amount of space used on the system volume of a DC.By default, when you start the Group Policy Object Editor, a timestamp compariso
cation settings" section are set such that their respective features cannot access the Internet. If you disable this policy setting, all of the
ociated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an a
s not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are n
s and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in futu
elp so that Microsoft can improve it.If you enable this policy setting, users cannot participate in the Help Experience Improvement program
ng, ratings controls are added to Help topics.Users can use the control to provide feedback on the quality and usefulness of the Help and S
ervices such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in
iated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an app
client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared prin
rder prints online.If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders.If yo
olders.The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web.If you enable this p
users can allow Microsoft to collect anonymous information about how the product is used. This information is used to improve the prod
policy setting, users are prevented from accessing online assistance content from Windows Online.If you disable or do not configure this po
sers may select any GeoID.If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. If you d
e selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization
first reset the user(s) values to the defaults and then apply this policy.When this policy setting is enabled, users can still choose alternate lo
ngs; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list.To set this poli
essional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system sta
These programs are added to the standard list of programs and services that the system starts.If you enable this policy setting, the system
the time the user logs on to this computer that has this policy applied.To specify values for this policy setting, click Show. In the Show Con
and prompted for a password when it is resumed from a suspend or hibernate state.If you disable or do not configure this policy setting, u
ach class.If you enable this policy setting, no access is allowed to any removable storage class.If you disable or do not configure this policy
icy setting, read access is allowed to this removable storage class.
olicy setting, write access is allowed to this removable storage class.
y setting, read access is allowed to these removable storage classes.
cy setting, write access is allowed to these removable storage classes.
ble or do not configure this policy setting, read access is allowed to this removable storage class.
able or do not configure this policy setting, write access is allowed to this removable storage class.
s allowed to this removable storage class.
s is allowed to this removable storage class.Note: To require that users write data to BitLocker-protected storage, enable the policy setting
ng, you can set the number of seconds you want the system to wait until a reboot.If you disable or do not configure this setting, the opera
cy setting, read access is allowed to this removable storage class.
icy setting, write access is allowed to this removable storage class.
vable storage class.If you disable or do not configure this policy setting, read access is allowed to this removable storage class.
ovable storage class.If you disable or do not configure this policy setting, write access is allowed to this removable storage class.
logoff script.If you enable this policy setting, the system displays each instruction in the logoff script as it runs. The instructions appear in
on scripts.If you enable this policy setting, the system displays each instruction in the logon script as it runs. The instructions appear in a co
he instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display log
start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user star
ws PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before
e home directory of a user profile. The home directory is a persistent mapping of a drive letter on the local computer to a local or remote
w users to other computers.Note: When excluding content from the profile you should try to exclude the narrowest set of data that will ad
you disable this policy setting or do not configure it, the system does not limit the size of user profiles.If you enable this policy setting, you
help resolve issues with applications that do not work well with Offline Files while the user is online.If you enable this policy setting, the n

e is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type.If you enable
r Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
he attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file
on correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments
x in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Window
If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the med
ne information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk
fore accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence ove
ms on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. If you enable this pol
. For example, trust notepad.exe, but don't trust .txt files.Preferring the file type instructs Windows to use the file type data over the file h
t configure this policy setting, AutoPlay is enabled for non-volume devices.
o do when a device is connected. If you disable or do not configure this policy setting, AutoPlay remembers user's choice of what to d
Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without use
media start immediately. Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive
a user types a password in the password entry text box.If you disable or do not configure this policy setting, the password reveal button wi
ave not been digitally signed will not be extracted.If you disable or do not configure this setting, both signed and unsigned gadgets will be e
le or do not configure this setting, desktop gadgets will be turned on.The default is for desktop gadgets to be turned on.
etting, Windows will run user-installed gadgets.The default is for Windows to run user installed gadgets.
able this policy setting, Flip 3D is inaccessible. If you disable or do not configure this policy setting, Flip 3D is accessible, if desktop composi
. If you disable or do not configure this policy setting, window animations are turned on. Changing this policy setting requires a logoff for it
e this policy setting, you allow users to change the default window frame color. Note: This policy setting can be used in conjunction with th
he user does not specify a color. If you disable or do not configure this policy setting, the default internal color is used, if the user does not
acquired and stored in the user's Windows Marketplace Digital Locker.If you enable this setting, Digital Locker will not run.If you disable or
users will be allowed to switch between recent apps.
e Search and Share panes - the drop-down app list in the Picker If you disable or don't configure this policy setting, Windows will kee
dministrator or that will not impact other users of the machine.A shell extension only runs if there is an entry in at least one of the followi
y System. This behavior is consistent with Windows Vista's behavior in this scenario.This disables access to user-defined properties, and p
folder exists before the policy is applied, the folder must be manually deleted since the policy only blocks the creation of the folder.You ca
d to the Recycle Bin by the user.If you disable or do not configure this setting, the default behavior of not displaying a confirmation dialog o
Explorer.If you disable or do not configure this policy setting, the menu bar will not be displayed in File Explorer.Note: When the menu bar
pears in the navigation pane, and other advanced view settings.If you enable this policy setting, users will receive an error message if they
the Control Panel or Start menu.If you disable or do not configure this policy setting, the Welcome Center is displayed at user logon.
d using File Explorer will not be placed in the Recycle Bin and will therefore be permanently deleted.If you disable or do not configure this
prompts the current user for the user name and password of an administrator, appears when users who are not administrators try to insta
file as well as the relative path to the current target file. When the system cannot find the file in the current target path, then, by default,
drive letters representing the selected drives do not appear in the standard Open dialog box.If you enable this policy setting, select a drive
sc), a console tool that includes many of the primary Windows 2000 administrative tools, such as Event Viewer, Device Manager, and Disk
definition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon, the policy setti
kstation.If you disable or do not configure this setting, users can change the total amount of disk space used by the Recycle Bin.Note: This
he user has most recently opened.If you enable this policy setting, the system displays the number of shortcuts specified by the policy setti
oves the "Computers Near Me" option and the icons representing nearby computers from Network Locations. This policy setting also remo
k option and the icons representing networked computers from Network Locations and from the browser associated with the Map Netwo
of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with t
user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the .Library-ms or .sea
er, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to
be able to add new items such as files or folders to the root of their Users Files folder in File Explorer.If you disable or do not configure thi
nds from the toolbar and Tools menus in File Explorer and Network Locations and from menus that appear when you right-click the File Ex
ures in the File Explorer that allow you to use your CD writer are removed.If you disable or do not configure this policy setting, users are ab
e File Explorer browser, such as My Computer. As a result, users cannot use this tab to view or change the properties of the DFS shares ava
u right-click the items in File Explorer. This setting does not prevent users from using other methods to issue commands available on the sh

all local drives, including hard drives, floppy disk drives, and CD-ROM drives. As a result, users cannot use the Hardware tab to view or cha
xplorer and other programs that use the File Explorer window, such as My Computer and Network Locations.Enabling this policy setting do
he Security tab. As a result, users will be able to neither change the security settings nor view a list of all users that have access to the reso
her Places" and also under "Files Stored on This Computer" in My Computer. Using this policy setting, you can choose not to have these ite
hen the user performs a search in the Explorer window. This button launches a search in the default browser with the search terms.If you
haracter (hot key) does not appear on menus until you press ALT.Effects, such as transitory underlines, are designed to enhance the user's
nsition effects for menus and tooltips" option in Display in Control Panel is disabled, and cannot be toggled by users.Effects, such as anima
work computer across a local area network connection.If you disable this setting or do not configure it, this dialog box appears only when u
rst time users open File Explorer and whenever they open new windows. If you disable or do not configure this policy setting, users can ch
cached.Note: For shared corporate workstations or computers where security is a top concern, you should enable this policy setting to tu

the Search Box. These suggestions are based on their past entries into the Search Box.Note: If you enable this policy, File Explorer will not
a file name (for example, 111 < 22 < 3).If you disable or do not configure this policy setting, File Explorer will sort file names by increasing
ected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able
nable this policy setting, File Explorer does not create, read from, or write to thumbs.db files.If you disable or do not configure this policy s
ure this policy setting, File Explorer shows snippets in Content view mode by default.
y setting, File Explorer displays only icons and never displays thumbnail images on network folders.If you disable or do not configure this p
plorer displays only icons and never displays thumbnail images.If you disable or do not configure this policy setting, File Explorer displays o
handle included folders that have been redirected to non-indexed network locations.Setting this policy will: * Disable all Arrangement v
ing Windows+E starts File Explorer. By using this setting, you can disable these Windows+X shortcut keys.If you enable this setting, the Win
Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users cannot restore
arlier. This policy setting affects only programs that use the standard Open dialog box provided to developers of Windows programs.If you
ndows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows p
tting, the "File name" field is a simple text box. Users must browse directories to find a file or type a file name in the text box.This setting, a
in the Places Bar are: 1) Shortcuts to local folders -- (ex. C:\Windows) 2) Shortcuts to remote folders -- (\\server\share) 3) FTP folders 4) w
ew Pane is hidden by default and can be displayed by the user.
er.If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and cannot be hidden by the user. N
ng, users cannot list or restore previous versions of files on local disks.If you disable this policy setting, users cannot list and restore previou
nnot list or restore previous versions of files on file shares.If you disable this policy setting, users can list and restore previous versions of fi
up media.If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previo
disabled when the user selects a previous version corresponding to a local file.If you disable this policy setting, the Restore button remain
f you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a backup.If you d
n is disabled when the user selects a previous version corresponding to a file on a file share.If you disable this policy setting, the Restore bu
yph is not included in the candidate list when Publishing Standard Glyph for the word exists.If you disable or do not configure this policy se
d for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values:0x0001 // JIS2
ord registered in the custom dictionary before enabling this policy setting is not used for conversion.If you disable or do not configure this
based predictive input is on by default.This policy setting applies to Japanese Microsoft IME only.Note: Changes to this setting will not take
installed before enabling this policy setting is not used.If you disable or do not configure this policy setting, the search integration function
osoft IME, an Open Extended Dictionary that is added before enabling this policy setting is not used for conversion.For Simplified Chinese M
uning data is saved to file by default.This policy setting applies to Japanese Microsoft IME only.
etting, misconversion logging is turned off. This policy setting applies to Japanese Microsoft IME and Simplified Chinese Microsoft Pinyin.
g, the default Internet search provider will be used.
formation from the location feature. If you disable or do not configure this policy setting, all programs on this computer will not be pre
scripts will run.
u disable or do not configure this policy setting, all programs on this computer can use the sensor feature.
ny console files that open in author mode by default.As a result, users cannot create console files or add or remove snap-ins. Also, because
g if you plan to prohibit use of most snap-ins. To explicitly permit a snap-in, open the Restricted/Permitted snap-ins setting folder and en
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.-- If "Restrict users to the expli
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.-- If "Restrict users to the expli
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.-- If "Restrict users to the expli
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Acti
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
e as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management

or deployers who have their own location or calling schemes such as a Web site or an address book."

er any conflicting settings set by downloading them from this URL.

ng NetMeeting to run always.

r Wizard to connect to a projector. If you disable or do not configure this policy setting, users can run the Connect to a Network Projector
mputer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile.If you enable this policy se
n be invoked. The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configur
mpt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway
overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users can
y setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setti
his policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an R
ecognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also
be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that pr
ny certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a
1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session.2. Full Control with user's p
rver first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy P
default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the
s, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Rem
policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect ac
lect the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the sp
mains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session witho
tion to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with R
ed list in the Favorites Center.If you disable or do not configure this policy setting, the user can access the feed list in the Favorites Center.
eive a notification on the toolbar that a feed or Web Slice is available.If you disable or do not configure this policy setting, the user receive
wnload an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.If you disabl
re disabled, and access to Web Slices is turned off. A developer cannot add a feed or Web Slice or delete a feed or Web Slice by using the F
ff.If you disable or do not configure this policy setting, the user can synchronize feeds and Web Slices in the background.
thenticates feeds to servers by using the Basic authentication scheme in combination with a less secure HTTP connection.If you disable or
ed as an audio file.If you enable this policy setting, Sound Recorder will not run.If you disable or do not configure this policy setting, Sound

to it will fail.If you disable this policy, you will be able to use this feature to print to a Journal Note.If you do not configure this policy, users
nipping Tool will run.
Windows Journal accessory will run.
re shown instead of the pen cursors.If you disable or do not configure this policy, visual feedback and pen cursors will be shown unless th
disable this policy, Back->ESC mapping will occur.If you do not configure this policy, Back->ESC mapping will occur.
rom the drop down menu for configuring button actions (in the Tablet PC Control Panel buttons tab).If you disable this policy, applications
play the following text: "Some settings are controlled by Group Policy. If a setting is unavailable, contact your system administrator."If you
and OEM defined button actions will occur when the buttons are pressed.If you do not configure this policy, user and OEM defined button
oard and the handwriting tab when the feature is available for the current input area and input language.Touch Keyboard and Handwriting
Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or key
el is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard sho
nal), Japanese, and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input lang
s, numbers, or keyboard shortcuts.If you enable this policy, Input Panel tab will not appear on the edge of the Tablet PC screen. Users will
writing or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.If you enable this policy, application auto compl
eventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped when
estures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes. Tablet PC Input Panel is a
ed to learning mode applications. This means that the pen flicks training triggers in Internet Explorer are disabled and that the pen flicks no
rs in Internet Explorer, the pen flicks notification and the pen flicks tray icon.If you disable or do not configure this policy, pen flicks and rel

y will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features.If y
ging up or down directly on the scrolling content.If you enable this setting, the user will not be able to pan windows by touch. If you disab
ng users.The checkbox, when checked, instructs Task Scheduler to automatically open the newly created task's property sheet upon comp
right-click a task. As a result, users cannot change any properties of a task. They can only see the properties that appear in Detail view and
manually or force tasks to end before they are finished.Note: This setting appears in the Computer Configuration and User Configuration f
d and from the Task tab of the properties dialog box for a task. Also, users cannot edit the "Run" box or the "Start in" box that determine t
it menu in Scheduled Tasks. It also disables the drag-and-drop features of the Scheduled Tasks folder.As a result, users cannot add new sc
or documents into the Scheduled Tasks folder.Note: This setting appears in the Computer Configuration and User Configuration folders. If
t-click a task. Also, the system does not respond when users try to cut or drag a task from the Scheduled Tasks folder.Note: This setting ap
ws Calendar will be turned off.If you disable or do not configure this setting, Windows Calendar will be turned on.The default is for Window
e or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profiles that they previou
ed in the system event log.If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to th
s.If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution info
o a Windows Error Reporting report are automatically declined, without notification to the user.If you disable or do not configure this polic
he server.If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data abou
tions, but does not upload additional report data until the computer is connected to a more permanent power source.If you enable this p
es not check for network cost policy restrictions, and transmits data even if network cost is restricted.If you disable or do not configure thi
re all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only
hen the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be pla
at are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, a
he Consent level settings that are available in the pull-down menu in this policy setting:- Always ask before sending data: Windows promp
vent types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no respo
g always override any other consent policy setting.If you disable or do not configure this policy setting, custom consent policy settings for
e usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automati
and DVDs, a message appears stating that the feature cannot be found.This policy setting applies even when the installation is running in t
from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer fr
then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL).If you enable this policy setting, you can change the
ogon hours expire.If you enable this setting, warnings are not displayed to the user before the logon hours expire.If you disable or do not
notification popup will be displayed to the user when the user logs on with cached credentials.If disabled or not configured, no popup will
lock or disconnect a session, the user cannot unlock the session or reconnect except during permitted logon hours.If you choose to log off

pplication is allowed.
d record live television.If you enable this policy setting, Windows Media Center will not run.If you disable or do not configure this policy se
a information from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the
formation for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (W
from the Internet and displaying them in Media Library. In addition, presets that exist before the policy is configured are not updated,
cally detected.- Custom: unique proxy settings are used.- Use browser proxy settings: browser's proxy settings are used.If the Custom prox
cally detected.- Custom: unique proxy settings are used.If the Custom proxy type is selected, the rest of the options on the Setting tab mu
of seconds streaming media is buffered before it is played.- Custom: the number of seconds, up to 60, that streaming media is buffered.- D
cally detected.- Custom: unique proxy settings are used.If the Custom proxy type is selected, the rest of the options on the Setting tab mus
defined network settings for the Player.If you disable or do not configure this policy setting, the Network tab appears and users can use it
licy setting, the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTS
tab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player
addition, the Download codecs automatically check box on the Player tab in the Player is not available.If you disable this policy setting, co
n the Player that enables users to choose whether the anchor window displays is not available.When this policy is not configured or disable
he Internet" check box on the Media Library tab is available, even though the Privacy tab is hidden, unless the "Prevent music file media in
d the settings previously. Users can still change security and zone settings by using Internet Explorer unless these settings have been hidde
box on the Setting tab.You must use the complete file name for the skin (for example, skin_name.wmz), and the skin must be installed in t
essenger can be used.Note: If you enable this policy setting, Remote Assistance also cannot use Windows Messenger.Note: This policy setti
not configure this policy setting, Windows Messenger will be loaded automatically at logon.Note: This policy setting simply prevents Wind
nts and the .exe file does not launch it.If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe fil
t value for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter
Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails
low only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher.The "Allow local scripts and re
t shut down choice (Hibernate, Restart, etc.) is the default option in the Shut Down Windows dialog box, regardless of whether the 'Install
will not appear as a choice in the Shut Down Windows dialog box, even if updates are available for installation when the user selects the
dowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Wind
s of Windows Server with the Desktop Experience installed.If you enable this policy setting, users will always go to the desktop when they
other sorting options would continue to be available and the user could choose to change their default sorting options.If you disable or don

dary tile, entering the customize mode and rearranging tiles within Start and Apps.If you disable or do not configure this setting, you will al
default view for Start.If you enable this policy setting, searching from the Apps view will only search the list of installed apps.If you disable
olicy setting, the Start screen will appear on the display the user is using when they press the Windows logo key.If you disable or don't con
o switch between the Apps view and the Start screen. If you disable or don't configure this policy setting, the Start screen will appear b
an XML file that was generated by the Export-StartLayout PowerShell cmdlet.To use this setting, you must first manually configure a devic
e to customize any Quiet Hours settings. If you disable this policy setting, a default value will be used, and users will not be able to cha
to customize any Quiet Hours settings. If you disable this policy setting, a default value will be used, and users will not be able to chan
will not be able to customize any other Quiet Hours settings. If you disable this policy setting, voice and video calls will be allowed dur
Quiet Hours time window each day. If you disable this policy setting, toast notifications will be suppressed and some background t
this policy setting, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise ac
help tips to the user.
o longer be able to switch to recent apps using the mouse. The user will still be able to switch apps using touch gestures, keyboard shortc
+ X. If you enable this policy setting, the Command Prompt will always be listed in that menu, and users won't be able to replace it with Win
hare, Start, Devices, and Settings will no longer appear when the mouse is pointing to the upper-right corner. They'll still be available if the
all content on the device that is protected by a particular enterprise, add an entry to the list on a new line that contains the enterprise ide
figure this setting the Store application will offer updates to the latest version of Windows.
setting, access to the Store application is allowed.
s, or additional data other than memory dumps. If you enable or do not configure this policy setting, any memory dumps generated for err
this policy setting, affected users receive Work Folders settings when they sign in to a domain-joined PC. The "Work Folders URL" can
g style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition
here is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. If you enable
as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
as a standalone console. If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management
a new Application preference item, and you are unable to do so. This policy setting does not affect existing Application preference items. If
of the GPMC. If you enable this policy setting, you permit use of the preference extension. Enabling this policy setting overrides the "Restr
figuration\Preferences\Control Panel Settings. When the Control Panel Settings item or a preference extension is prohibited, it does not a
ation\Preferences\Control Panel Settings. When the Control Panel Settings item or a preference extension is prohibited, it does not appear
w of the GPMC. If you enable this policy setting, you permit use of the preference extension unless restricted by the "Permit use of Control
he GPMC. If you enable this policy setting, you permit use of the preference extension unless restricted by the "Permit use of Control Panel
of the GPMC. If you enable this policy setting, you permit use of the preference extension. Enabling this policy setting overrides the "Restric
w of the GPMC. If you enable this policy setting, you permit use of the preference extension. Enabling this policy setting overrides the "Restr
GPMC. If you enable this policy setting, you permit use of the preference extension. Enabling this policy setting overrides the "Restrict users
ow of the GPMC. If you enable this policy setting, you permit use of the preference extension unless restricted by the "Permit use of Contro
e GPMC. If you enable this policy setting, you permit use of the preference extension. Enabling this policy setting overrides the "Restrict us
e GPMC. If you enable this policy setting, you permit use of the preference extension. Enabling this policy setting overrides the "Restrict us
dow of the GPMC. If you enable this policy setting, you permit use of the preference extension unless restricted by the "Permit use of Cont
or window of the GPMC. If you enable this policy setting, you permit use of the preference extension unless restricted by the "Permit use o
dow of the GPMC. If you enable this policy setting, you permit use of the preference extension unless restricted by the "Permit use of Con
ow of the GPMC. If you enable this policy setting, you permit use of the preference extension. Enabling this policy setting overrides the "Re
ow of the GPMC. If you enable this policy setting, you permit use of the preference extension unless restricted by the "Permit use of Contro
ditor window of the GPMC. The Extended and Standard tabs are unaffected, and you can still create and manage preference items. If you e
he GPMC. If you enable this policy setting, you permit use of the preference extension unless restricted by the "Permit use of Control Panel
dow of the GPMC. If you enable this policy setting, you permit use of the preference extension unless restricted by the "Permit use of Cont
he GPMC. If you enable this policy setting, you permit use of the preference extension. Enabling this policy setting overrides the "Restrict u
dow of the GPMC. If you enable this policy setting, you permit use of the preference extension unless restricted by the "Permit use of Cont
he GPMC. If you enable this policy setting, you permit use of the preference extension unless restricted by the "Permit use of Control Pane
the GPMC. If you enable this policy setting, you permit use of the preference extension. Enabling this policy setting overrides the "Restrict
of the GPMC. If you enable this policy setting, you permit use of the preference extension unless restricted by the "Permit use of Control Pa
e redirection send their time zone information to the server. The server base time is then used to calculate the current session time (curre
use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Re
irected in Remote Desktop Services sessions. If you disable or do not configure this policy setting, all client printers are redirected in Remo
d after a client connects to a remote computer, even if an initial program is already specified in the default user profile, Remote Desktop C
uring a Remote Desktop Services session. If you enable this policy setting, wallpaper is not displayed in a Remote Desktop Services session
t server. By default, if a user closes a RemoteApp program, the session is disconnected from the RD Session Host server, but it is not logged
ly if a protocol handler referencing a SID-based user scope, such as MAPI, is specified. File system paths that do not reference a specific SID
l handler referencing a SID-based user scope, such as MAPI, is specified. File system paths that do not reference a specific SID will not be i
l not be removed. When this policy is disabled or not configured, users will be able to add UNC locations to the index. This policy has no eff

ork only if a protocol handler referencing a SID-based user scope, such as MAPI, is specified. File system paths that do not reference a spec
s provided by apps or by Windows based on local content will still appear. If you disable or do not configure this policy setting, users will ge
ed in the last Control Panel session. Note: Icon size is dependent upon what the user has set it to in the previous session.
pport or command lines that use control.exe. This policy has no effect on items displayed in PC settings. If you enable this setting, you can s
art screen, File Explorer. This setting removes PC settings from: The Start screen, Settings charm, Account picture, Search results. If users try to sele
s to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on it
ols. If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you ena
ms button is available to all users. This setting does not prevent users from using other tools and methods to install programs.
re components of Windows from the installation files. If you disable this setting or do not configure it, the Add/Remove Windows Compon
Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to dele
ble to all users. This setting does not prevent users from using other tools and methods to add or remove program components. Note: If th
nt users from using other tools and methods to connect to Windows Update. Note: If the "Hide Add New Programs page" setting is enabled
rams that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system admin
as which programs are accessible from the Start menu, desktop, and other locations. If you disable this setting or do not configure it, the Se
and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. If you disable th
uding a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the
n other categories. To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is alr
Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings.

on the system. If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screen saver on the client is s
be used. Also, a user may not apply a different visual style when changing themes. If you disable or do not configure this setting, the users
he screen saver. If you disable this setting or do not configure it, users can select any screen saver. If you enable this setting, type the name
und, color, sounds, or screen saver after the first logon. If you disable or do not configure this setting, the default theme will be applied at t
alog in the Personalization or Display Control Panel, preventing users from changing the password protection setting. If you do not configu
glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. If this setting is disabled or no
e "Prevent changing color and appearance" setting.
anged by the user. To specify wallpaper for a group, use the "Desktop Wallpaper" setting. Note: You must also enable the "Desktop Wallpap
s setting also hides the Desktop tab in the Display Control Panel.

gure this setting, there is no effect. Note: If you enable this setting but do not specify a theme using the "load a specific theme" setting, the
ng prevents users and applications from changing the visual style through the command line. Also, a user may not apply a different visual
drop-down list on the Appearance tab.
ces: - The setting is disabled or not configured. - The wait time is set to zero. - The "Enable Screen Saver" setting is disabled. - Neithe
page in the Add Printer Wizard. The Browse button appears beside the "Connect to a printer on the Internet or on a home or office netwo
ck the "Connect to this printer (or to browse for a printer, select this option and click Next)" radio button on Add Printer Wizard's page 3, a
earches begin at the root of Active Directory. This setting only provides a starting point for Active Directory searches for printers. It do
rvers. If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only.
ackage point and print connections. Windows Vista and later clients will attempt to make a non-package point and print connection anytim
s will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a
r in Control Panel. Also, users cannot add printers by dragging a printer icon into the Printers folder. If they try, a message appears ex
programs to delete a printer. If this policy is disabled, or not configured, users can delete printers using the methods described above
e lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator
setting is disabled or not configured, the "View installed updates" task and the "Installed Updates" page will be available to all users. This
nd methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features including
ng e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations. If this setting is disabled o
not configured, the "Turn Windows features on or off" task will be available to all users. This setting does not prevent users from using othe
stallation.Enabling this feature does not prevent users from navigating to Windows Marketplace using other methods. If this feature is disa
are from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Con
s programmatically. This policy setting is used only to simplify the Regional Options control panel. If you enable this policy setting, the user c
he user or an application from changing the GeoID programmatically. If you disable or do not configure this policy setting, the user sees the
age. This does not prevent the user or an application from changing the UI language programmatically. If you disable or do not configure th
ation from changing their user locale or user overrides programmatically. If you disable or do not configure this policy setting, the user sees
onal and Language Options control panel are not accessible to the logged on user. This prevents users from specifying a language different
he selected user. If the specified language is not installed on the target computer or you disable this policy setting, the language selection d
then the option will be locked to not autocorrect misspelled words. If the policy is Disabled or Not Configured, then the user will be fre
option will be locked to not highlight misspelled words. If the policy is Disabled or Not Configured, then the user will be free to change
ext prediction candidate when using the on-screen keyboard. If the policy is Enabled, then the option will be locked to not insert a spa
oard. If the policy is Enabled, then the option will be locked to not offer text predictions. If the policy is Disabled or Not Configured
includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser hist
hared folders are not added to Network Locations automatically when you open a document in the shared folder.

displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the D

: To view the toolbars that can be added to the desktop, right-click a docked toolbar (such as the taskbar beside the Start button), and poi
guration. Also, see the "Prevent adding, dragging, dropping and closing the Taskbar's toolbars" setting.

uter folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to prese
contents of the My Documents folder. This setting does not remove the My Documents icon from the Start menu. To do so, use the "Remo
re this setting, the Properties option is displayed as usual.
the File menu. Clicks the My Documents icon, and then presses ALT+ENTER. If you disable or do not configure this policy setting, the Prope
s setting, the Properties option is displayed as usual.
s of the Recycle Bin folder. Note: To make changes to this setting effective, you must log off and then log back on.
the Desktop Clean Wizard running every 60 days occurs. Note: When this setting is not enabled, users can run the Desktop Cleanup Wizard
is window minimizing and restoring gesture will apply.
he filter bar does not appear, but users can display it by selecting "Filter" on the "View" menu. To see the filter bar, open Network Location
pears in the Network Locations folder. This setting is designed to let users search Active Directory but not tempt them to casually browse A
sions for user or group objects in Active Directory. If you enable this setting, you can use the "Number of objects returned" box to limit retu
ticular Web-based items from users' desktops. Users can add the item again (if settings allow), but the item is deleted each time the setting
mp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". Also, see the "D
ully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\ho
ng and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" settin
ote: This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper.
ng and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setti
Desktop, or prevent users from removing existing Web content. Also, see the "Disable all items" setting.
ble or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or sync
items on the Web tab in Display in Control Panel. Note: This setting does not prevent users from deleting items from their Active Desktop.
o their Active Desktop. Also, see the "Prohibit closing items" and "Disable all items" settings.
f an item, such as its synchronization schedule, password, or display characteristics.
ther the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog box is available to users. If y
our file system is NTFS, users need to have Write access to Documents and Settings\All Users\Application Data\Microsoft\Network\Conne
by using the File menu. If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), doub
Any user can rename all-user connections by clicking an icon representing the connection or by using the File menu. If you disable this setti
n is disabled for nonadministrators only. If you do not configure this setting, only Administrators and Network Configuration Operators can
onnections settings for Administrators" setting), the Rename option for LAN and all user remote access connections is disabled for all users
e of certain features from Administrators. By default, Network Connections group settings in Windows XP Professional do not have the abil
Administrators" setting), the Properties menu items are disabled for all users, and users cannot open the Local Area Connection Propertie
ons settings for Administrators" setting), the Properties button is disabled for Administrators. Network Configuration Operators are prohibi
nable Network Connections settings for Administrators" setting), the Properties button is disabled for all users (including administrators). Im
nable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced Settings item is disable
der. As a result, users (including administrators) cannot start the New Connection Wizard. Important: If the "Enable Network Connections s
nable Network Connections settings for Administrators" setting), the Remote Access Preferences item is disabled for all users (including ad
ponents of connections are disabled, and administrators are not permitted to access network components in the Windows Components W
g determines whether the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog box for a
inistrators). Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not a
nu for a remote access connection and on the File menu in the Network Connections folder. Important: If the "Enable Network Connection
enable or disable the components that a connection uses. Important: If the "Enable Network Connections settings for Administrators" is dis
the "Enable Network Connections settings for Administrators" setting), the Rename option is disabled for all users (including administrato
sers cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information. Importa
perties of the connection. If you enable this setting, the connection status taskbar icon and Status dialog box are not available to users (inc
t a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By def
this setting, you can use the "Action" box to specify how computers in the group respond. -- "Work offline" indicates that the computer ca
ents you want Offline Files to record. To use this setting, in the "Enter" box, select the number corresponding to the events you want the s
y 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. This setting appears in
ue Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they are d
ype, or location. This setting does not prevent users from working offline or from saving local copies of files available offline. Also, it does n
sers cannot view or change the options on the Offline Files tab or Offline Files dialog box. This is a comprehensive setting that locks down th
dically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed fo
played for 15 seconds. You can use this setting to change the duration of the update reminder. This setting appears in the Computer Config
you disable or do not configure this policy setting, users can manually specify files and folders that they want to make available offline. Not
Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field bla
he "Work offline" command is displayed in File Explorer.
k Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value
zed. Full synchronization ensures that offline files are complete and current. If you disable this setting, the system only performs a quick sy
zed at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon syn
" ensures that all cached files and folders are up-to-date with the most current version. If you disable or do not configure this setting, file
you enable this setting, the system hides the reminder balloons, and prevents users from displaying them. If you disable the setting, the sys
If you disable or do not configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point"
ublish DFS roots in AD DS and the "Publish in Active Directory" option is disabled. Note: The default is to allow shared folders to be publish
tting, users cannot publish shared folders in AD DS, and the "Publish in Active Directory" option is disabled. Note: The default is to allow s
bit programs. By default, all 16-bit programs run as threads in a single, shared VDM process. As such, they share the memory space allocat
splay Logoff item from Start Menu Options. As a result, users cannot remove the Log Off <username> item from the Start Menu. If you disa
ch box. If you do not configure this policy (default), there will not be a "Search the Internet" link on the start menu.
command to the Start menu policy has no effect.
to Shut Down.If you disable or do not configure this setting, the Start Menu power button will be set to Shut Down by default, and the us
Lists off of programs in the Start Menu and Taskbar will be cleared when the user logs off. If you disable or do not configure this setting, th
etting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the hi

sts will continue to show. If you disable or do not configure this policy setting, users can pin files, folders, websites, and other items to a pr
ams already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting,
tting, users can show taskbars on more than one display.
he taskbar does not display any custom toolbars, and the user cannot add any custom toolbars to the taskbar. Moreover, the "Toolbars" m
cuments and other tasks. If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on thi
shortcuts. The system empties the Recent Items menu on the Start menu, and Windows programs do not display shortcuts at the bottom

shown when the user performs a search in the start menu search box.

ng, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the targ
s policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortc
ctures, Music, Computer, and Network. The new Start menu starts them directly. If you enable this setting, the Start menu displays the clas
ose that users have configured for full installation upon first use. If you disable this setting or do not configure it, all Start menu shortcuts a
notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the system clock. If th
at is not prevented by another policy setting.
t be moved or resized. If you enable this setting, it prevents the user from moving or resizing the taskbar. While the taskbar is locked, auto
n. If you disable or do not configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu.
me. By default, this setting is always enabled. If you disable or do not configure it, items on the taskbar that share the same program are gro
le to add toolbars to the taskbar.
monitor unless prevented by another policy setting.

etting, the context menus for the taskbar are available. This policy setting does not prevent users from using other methods to issue the co
policy setting, the "All Programs" item remains on the simple Start menu.
e Power button and the Shut Down, Restart, Sleep, and Hibernate commands are removed from the Start menu. The Power button is also
t affected by this setting includes "Click here to begin" on the Start button, "Where have all my programs gone" on the Start menu, and "W

the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs.


to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from t
n access to the contents of the Documents folder. Note: To make changes to this policy setting effective, you must log off and then log on.

appear on the Start menu by default. To display the Favorites menu, right-click Start, click Properties, and then click Customize. If you are

. It does not remove the Help menu from File Explorer and does not prevent users from running Help.
he homegroup link from the Start Menu.
cy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. Windows Update, th
esult, users cannot restore the Log Off <username> item to the Start Menu. If you disable or do not configure this policy setting, users can
Settings on the Start menu. Network Connections still appears in Control Panel and in File Explorer, but if users try to start it, a message ap

hortcuts stay on the Taskbar.


d Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu.
as Control.exe) from running. However, users can still start Control Panel items by using other methods, such as right-clicking the desktop
aves document shortcuts but does not display the Recent Items menu in the Start Menu, and users cannot turn the menu on. If you later d

ng the following into the Internet Explorer Address Bar: --- A UNC path: \\<server>\<share> --- Accessing local drives: e.g., C: --- Accessing lo

hat appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the key with th
protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link.

move user folder link from Start Menu" policy setting. If you disable or do not configure this policy setting, the user name label appears on
the top section of the Start menu. Because the appearance of two folders with the same name might confuse users, you can use this settin

n as different user" command from Start for any applications. Note: This setting does not prevent users from using other methods, such as
n users will be able to turn the QuickLaunch bar on and off.

configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar.

are collapsed. The notification cleanup << icon can be referred to as the "notification chevron." If you enable this setting, the system notific
menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus" option so users do not try to c

he system uses this information to customize Windows features, such as showing frequently used programs in the Start Menu. Also, see th
application services to update tiles. If you enable this policy setting, applications and system features will not be able to receive notifica
ministrator or user. No reboots or service restarts are required for this policy setting to take effect.
e/disable system features individually to stop their ability to raise toast notifications. If you disable or do not configure this policy setti
inistrator or user. No reboots or service restarts are required for this policy setting to take effect.
setting, the system specifies the largest two-digit year interpreted as being preceded by 20. All numbers less than or equal to the specified
e program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the
tart menu or by typing "Welcome" in the Run dialog box. If you disable or do not configure this policy, the welcome screen is displayed e
unning programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, w
ndows has internally registered the required components. If you enable this policy setting and a component registration is missing, the syst
administrative tools, use the "Run only specified Windows applications" policy setting.
setting prevents the action. If you disable this policy setting or do not configure it, users can run Cmd.exe and batch files normally. Note: D
If you disable or do not configure this policy setting, users can run all applications from online Help. Note: You can also restri
m running programs that are started by the File Explorer process. It does not prevent users from running programs such as Task Manager,
onents are ready to be installed, or prior to downloading, depending on their configuration. If you enable this setting, it prohibits Windows
. The system prompts users for a new password when an administrator requires a new password or their password is expiring.
isable or do not configure this policy setting, users will be able to lock the computer from the keyboard using Ctrl+Alt+Del. Tip: To lock a com
Start menu. Also, see the 'Remove Logoff on the Start Menu' policy setting. If you disable or do not configure this policy setting, users can s
priority of the process in which programs run. If you enable this policy setting, users will not be able to access Task Manager. If users try to s
system does not implement any setting less secure than the one the setting established. When you enable this setting, use the drop-down
earch algorithm. If you enable this setting, you can remove the locations by selecting the associated check box beside the location name. If
nication settings" is disabled or not configured. If you enable this setting, administrators will not be prompted to search Windows Update. If
ffline. If you disable or do not configure this policy setting, redirected shell folders are automatically made available offline. All subfolders
tically made available offline. All subfolders within the redirected folders are also made available offline. Note: This policy setting does not p
on to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new loc
ter in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add prima
ws Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start
domain controller designated as the PDC Operations Master for the domain. "Inherit from Active Directory Snap-ins" indicates that the Gr
The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response t
tive Directory Users and Computers or Active Directory Sites and Services, you can enable the object links for use on the system. If you disa
ng, interactive users can generate RSoP. Note: This policy setting does not affect administrators. If you enable or disable this policy setting,
ows\CurrentVersion\Policies registry subkeys. Preferences, which are not fully supported, use registry entries in other subkeys. If you enab
display name can contain environment variables and can be a maximum of 255 characters long. If this setting is Disabled or Not Configured
s log on. By default, user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. If you enab
Editor, a timestamp comparison is performed on the source files in the local %SYSTEMROOT%\inf directory and the source files stored in th
his policy setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective feat
e the Store service to find an application. If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is
downloading drivers that are not already installed locally. If you enable this policy setting, print drivers cannot be downloaded over HTTP. I
andwriting recognition in future versions of Windows. If you enable this policy, users cannot start the handwriting recognition error reporti
perience Improvement program. If you disable or do not configure this policy setting, users can turn on the Help Experience Improvement p
d usefulness of the Help and Support content.
ed from a Windows website in addition to providers specified in the registry. If you enable this policy setting, Windows does not download
the Web service to find an application. If you enable this policy setting, the link and the dialog for using the Web service to open an unhand
ver and making its shared printers available via HTTP. If you enable this policy setting, it prevents this client from printing to Internet printe
sks in File Explorer folders. If you disable or do not configure this policy setting, the task is displayed.
to the web. If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. If you disable or do
n is used to improve the product in future releases. If you enable this policy setting, Windows Messenger does not collect usage informatio
ble or do not configure this policy setting, users can access online assistance if they have a connection to the Internet and have not disabl
per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you do not configure this po
of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. The policy setting "Restrict user locales
rs can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize
cales in this list. To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. The loca
nd services that the system starts. If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professio
this policy setting, the system ignores the run-once list. If you disable or do not configure this policy setting, the system runs the programs
g, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. T
configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation.
or do not configure this policy setting, write and read accesses are allowed to all removable storage classes.
rage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Adm
nfigure this setting, the operating system does not force a reboot. Note: If no reboot is forced, the access right does not take effect until th

able storage class.


ovable storage class.
ns. The instructions appear in a command window. This policy setting is designed for advanced users. If you disable or do not configure this
The instructions appear in a command window. This policy setting is designed for advanced users. If you disable or do not configure this po
though it does not display logon scripts written for Windows 2000. If you enable this setting, Windows 2000 does not display logon scripts
complete before the user starts working, but it can delay the appearance of the desktop. If you disable or do not configure this policy settin
werShell scripts are run before non-PowerShell scripts during user logon and logoff. For example, assume the following scenario: There are
omputer to a local or remote directory. If you enable this policy setting, the system uses the Windows NT 4.0 definitions. %HOMESHARE%
rrowest set of data that will address your needs. For example, if there is one application with data that should not be roamed then add on
enable this policy setting, you can: -- Set a maximum permitted user profile size. -- Determine whether the registry files are included in the
nable this policy setting, the network paths specified in this policy setting will be synchronized only by Offline Files during user logon and l

pp for a file type. If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can

om accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. Moderate Risk: If the attach
make proper risk assessments. If you enable this policy setting, Windows does not mark file attachments with their zone information. If you
file attachments that Windows has blocked users from opening. If you enable this policy setting, Windows hides the check box and Unbloc
kes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). If you enable
precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). If you enable this
s and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension i
dundant. If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachme
he file type data over the file handler data. For example, trust .txt files, regardless of the file handler. Using both the file handler and type d

bers user's choice of what to do when a device is connected.


cute the program without user intervention. This creates a major security concern as code may be executed without user's knowledg
, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. Starting with Windows XP SP2, Autoplay is enabled
he password reveal button will be displayed after a user types a password in the password entry text box. By default, the password reveal
and unsigned gadgets will be extracted. The default is for Windows to extract both signed and unsigned gadgets.
e turned on.

accessible, if desktop composition is turned on. When Windows Flip 3D is activated with the Windows+Tab keys, a visual version of the des
setting requires a logoff for it to be applied.
be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames th
or is used, if the user does not specify a color. Note: This policy setting can be used in conjunction with the "Prevent color changes of windo
er will not run. If you disable or do not configure this setting, Digital Locker can be run.

olicy setting, Windows will keep track of the apps that are used and searched most frequently. Most frequently used apps will appear at th
y in at least one of the following locations in registry. For shell extensions that have been approved by the administrator and are available
user-defined properties, and properties stored in NTFS secondary streams.
e creation of the folder. You can specify a known folder using its known folder id or using its canonical name. For example, the Sample Vid
playing a confirmation dialog occurs.
rer. Note: When the menu bar is not displayed, users can access the menu bar by pressing the 'ALT' key.
eive an error message if they tap or click the Options button or choose the Change folder and search options command, and they will not
displayed at user logon.
sable or do not configure this setting, files and folders deleted using File Explorer will be placed in the Recycle Bin.
not administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular use
target path, then, by default, it searches for the target in the original path. If the shortcut has been copied to a different computer, the or
is policy setting, select a drive or combination of drives in the drop-down list. Note: This policy setting removes the drive icons. Users can s
wer, Device Manager, and Disk Management. You must be an administrator to use many of the features of these tools. This setting does no
On every logon, the policy settings are verified and Libraries for the user are updated or changed according to the path defined. If you disab
by the Recycle Bin. Note: This setting is applied to all volumes.
uts specified by the policy setting. If you disable or do not configure this policy setting, by default, the system displays shortcuts to the 10 m
s. This policy setting also removes these icons from the Map Network Drive browser. If you disable or do not configure this policy setting, co
sociated with the Map Network Drive option. This setting does not prevent users from viewing or connecting to computers in their workgr
rch site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch fo
path of the .Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Docume
ap Network Drive dialog box to view the directories on these drives. To use this setting, select a drive or combination of drives from the dro
disable or do not configure this policy setting, users will be able to add new items such as files or folders to the root of their Users Files fold
when you right-click the File Explorer or Network Locations icons. This setting does not prevent users from connecting to another computer
this policy setting, users are able to use the File Explorer CD burning features. Note: This policy setting does not prevent users from using t
operties of the DFS shares available from their computer. This policy setting does not prevent users from using other methods to configure
commands available on the shortcut menus.

e Hardware tab to view or change the device list or device properties, or use the Troubleshoot button to resolve problems with the device
.Enabling this policy setting does not remove the Search button or affect any search features of Internet browser windows, such as the Int
rs that have access to the resource in question. If you disable or do not configure this setting, users will be able to access the security tab.
n choose not to have these items displayed. If you enable this policy setting, the Shared Documents folder is not displayed in the Web view
r with the search terms. If you do not configure this policy (default), there will be an "Internet" link when the user performs a search in the
esigned to enhance the user's experience but might be confusing or distracting to some users.
by users. Effects, such as animation, are designed to enhance the user's experience but might be confusing or distracting to some users. If y
alog box appears only when users are installing programs from local media. The "Install Program as Other User" dialog box prompts the cu
his policy setting, users can choose how the ribbon appears when they open new windows.
enable this policy setting to turn off the thumbnail view cache, because the thumbnail cache can be read by everyone.

his policy, File Explorer will not show suggestion pop-ups as users type into the Search Box, and it will not store Search Box entries into the
l sort file names by increasing number value (for example, 3 < 22 < 111).
ders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in
r do not configure this policy setting, File Explorer creates, reads from, and writes to thumbs.db files.

able or do not configure this policy setting, File Explorer displays only thumbnail images on network folders.
setting, File Explorer displays only thumbnail images.
* Disable all Arrangement views except for "By Folder" * Disable all Search filter suggestions other than "Date Modified" and "Size" *
ou enable this setting, the Windows+X shortcut keys are unavailable. If you disable or do not configure this setting, the Windows+X shortc
4.0, and users cannot restore the new features. Enabling this policy will also turn off the preview pane and set the folder options for File E
s of Windows programs. If you enable this policy setting, the Back button is removed from the standard Open dialog box. If you disable or d
ed to developers of Windows programs. To see an example of the standard Open dialog box, start Wordpad and, on the File menu, click Op
in the text box. This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Ope
rver\share) 3) FTP folders 4) web folders 5) Common Shell folders. The list of Common Shell Folders that may be specified: Desktop, Recent

annot be hidden by the user. Note: This has a side effect of not being able to toggle to the Preview Pane since the two cannot be displayed
cannot list and restore previous versions of files on local disks. If you do not configure this policy setting, it defaults to disabled.
restore previous versions of files on file shares. If you do not configure this policy setting, it is disabled by default.
opies, and can see only previous versions corresponding to on-disk restore points. If you disable this policy setting, users can see previous v
ng, the Restore button remains active for a previous version corresponding to a local file. If the user clicks the Restore button, Windows att
sponding to a backup.If you disable this policy setting, the Restore button remains active for a previous version corresponding to a backup
s policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. If the user clicks the Restor
do not configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list.
ollowing values: 0x0001 // JIS208 area; 0x0002 // NEC special char code; 0x0004 // NEC selected IBM extended code; 0x0008 // IBM extended
isable or do not configure this policy setting, the custom dictionary can be used by default. For Japanese Microsoft IME, [Clear auto-tuning
ges to this setting will not take effect until the user logs off.
he search integration function can be used by default. This policy setting applies to Japanese Microsoft IME, Simplified Chinese Microsoft P
ersion. For Simplified Chinese Microsoft Pinyin, an Open Extended Dictionary that is added before enabling this policy setting is still used fo

ed Chinese Microsoft Pinyin.

n this computer will not be prevented from using location information from the location feature.

emove snap-ins. Also, because they cannot open author-mode console files, they cannot use the tools that the files contain. This setting pe
snap-ins setting folder and enable the settings representing the snap-in you want to permit. If a snap-in setting in the folder is disabled or
o the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that p
If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. T
Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab is not displayed in th

nnect to a Network Projector Wizard to connect to a projector.


file.If you enable this policy setting, users cannot share files within their profile using the sharing wizard. Also, the sharing wizard cannot c
uick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speak
to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting.You can enforce this policy se
setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client.
users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client.Note: It is highly rec
uter. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect.If yo
store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user
settings, any password that previously existed in the RDP file will be deleted.If you disable this setting or leave it not configured, the user w
an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the t
on.2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent.3. Full Control with
on the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client prin
ecified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the
s are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits.Time limits are set locally by the serve
ll automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the
ect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services sessi
Desktop Services session without logging off and ending the session.When a session is in a disconnected state, running programs are kept
types to be associated with RemoteApp programs.The default connection URL must be configured in the form of http://contoso.com/rdw
ed list in the Favorites Center.
policy setting, the user receives a notification when a feed or Web Slice is available and can click the feed discovery button.
ugh the Feed APIs.If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure thr
eed or Web Slice by using the Feed APIs. A developer also cannot create or delete folders.If you disable or do not configure this policy setti
background.
P connection.If you disable or do not configure this policy setting, the Windows RSS Platform does not authenticate feeds to servers by usi
gure this policy setting, Sound Recorder can be run.

not configure this policy, users will be able to use this feature to print to a Journal Note.

ursors will be shown unless the user disables them in Control Panel.

isable this policy, applications can be launched from a hardware button.If you do not configure this policy, applications can be launched fr
ur system administrator."If you disable this policy, press and hold actions for buttons will be available.If you do not configure this policy, pr
, user and OEM defined button actions will occur when the buttons are pressed.
ch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboa
ext, symbols, numbers, or keyboard shortcuts.If you enable this policy, Input Panel will never appear next to text entry areas when using a
ols, numbers, or keyboard shortcuts.If you enable this policy, Input Panel will never appear next to any text entry area when a user is using
ly) only when these input languages or keyboards are installed. Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Wi
e Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable this policy, Input Pan
policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Pan
ng what keys are tapped when entering a password.Touch Keyboard and Handwriting panel enables you to use handwriting or an on-scree
Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, nu
bled and that the pen flicks notification will never be displayed. However, pen flicks, the pen flicks tray icon and pen flicks training (that ca
e this policy, pen flicks and related features are available.

her touch-specific features.If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and othe
windows by touch. If you disable this setting, the user can pan windows by touch.If you do not configure this setting, Touch Panning is on b
sk's property sheet upon completion of the "Add Scheduled Task" wizard. The task's property sheet allows users to change task characteri
that appear in Detail view and in the task preview.This setting prevents users from viewing and changing characteristics such as the progr
ation and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setti
Start in" box that determine the program and path for a task.As a result, when users create a task, they must select a program from the lis
esult, users cannot add new scheduled tasks by dragging, moving, or copying a document or program into the Scheduled tasks folder.This s
d User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in Us
sks folder.Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setti
d on.The default is for Windows Calendar to be turned on.
olor profiles that they previously installed. Administrators will be able to uninstall all color profiles.
nts and errors are logged to the system event log, as with other Windows-based programs.
soft. Additionally, solution information is not available in the Action Center in Control Panel.If you disable or do not configure this policy se
e or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Comp
les that can contain data about the same event types as an earlier uploaded report.If you disable or do not configure this policy setting, W
wer source.If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for so
disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile i
o Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of repo
ether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavio
er reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box
ending data: Windows prompts users for consent to send reports.- Send parameters: Only the minimum data that is required to check for
n-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.- 0 (D
om consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determ
e computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install p
n the installation is running in the user's security context.If you disable or do not configure this policy setting, users can install from remova
prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to it
y setting, you can change the search order by specifying the letters representing each file source in the order that you want Windows Inst
expire.If you disable or do not configure this setting, users receive warnings before the logon hours expire, if actions have been set to occu
not configured, no popup will be displayed to the user.
hours.If you choose to log off a user, the user cannot log on again except during permitted logon hours. If you choose to log off a user, the

do not configure this policy setting, Windows Media Center can be run.
on for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player
the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialo
nfigured are not updated, and presets a user adds are not displayed. If you disable or do not configure this policy setting, the Player
gs are used.If the Custom proxy type is selected, the rest of the options on the Setting tab must be specified because no default settings ar
options on the Setting tab must be specified; otherwise, the default settings are used. The options are ignored if Autodetect is selected.Th
treaming media is buffered.- Default: default network buffering is used and the number of seconds that is specified is ignored.The "Use de
options on the Setting tab must be specified; otherwise, the default settings are used. The options are ignored if Autodetect is selected.The
b appears and users can use it to configure network settings.
tiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a user can specify UDP ports in
on the Player tab in the Player is selected and is not available.If you disable this policy setting, a screen saver does not interrupt playback e
u disable this policy setting, codecs are automatically downloaded and the Download codecs automatically check box is not available.If you
icy is not configured or disabled, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the
e "Prevent music file media information retrieval" policy setting is enabled.The default privacy settings are used for the options on the Priv
hese settings have been hidden or disabled by Internet Explorer policies.If you disable or do not configure this policy setting, users can con
the skin must be installed in the %programfiles%\Windows Media Player\Skins Folder on a user's computer. If the skin is not installed on
essenger.Note: This policy setting is available under both Computer Configuration and User Configuration. If both are present, the Comput
setting simply prevents Windows Messenger from running initially. If the user invokes and uses Windows Messenger from that point on,
Mobility Center and the .exe file launches it.If you do not configure this policy setting, Windows Mobility Center is on by default.
ith the SourcePath parameter on the Update-Help cmdlet.If this policy setting is disabled or not configured, this policy setting does not set
e LogPipelineExecutionDetails property of the module to True. If you disable this policy setting, logging of execution events is disabled
The "Allow local scripts and remote signed scripts" policy setting allows any local scripts to run; scripts that originate from the Internet mu
ardless of whether the 'Install Updates and Shut Down' option is available in the 'What do you want the computer to do?' list.If you disabl
tion when the user selects the Shut Down option in the Start menu.If you disable or do not configure this policy setting, the 'Install Updates
enu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical upda
go to the desktop when they sign in, or when all the apps on a screen are closed. If you disable or don't configure this policy setting, us
ng options.If you disable or don't configure this policy setting, the desktop apps won't be listed first when the apps are sorted by category,

nfigure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and r
of installed apps. If you disable or don't configure this policy setting, the user can configure this setting.
key.If you disable or don't configure this policy setting, the Start screen will always appear on the main display when the user presses the
the Start screen will appear by default whenever the user goes to Start, and the user will be able to switch between the Apps view and th
rst manually configure a device's Start screen layout to the desired look and feel. Once you are done, run the Export-StartLayout PowerSh
d users will not be able to change it or any other Quiet Hours setting. If you do not configure this policy setting, a default value will be
users will not be able to change it or any other Quiet Hours setting. If you do not configure this policy setting, a default value will be u
video calls will be allowed during Quiet Hours, and users will not be able to customize this or any other Quiet Hours settings. If you do
essed and some background task deferred during the designated Quiet Hours time window. Users will not be able to change this or any o
o sign in with an enterprise account instead.If you disable or do not configure this policy setting, users will need to sign in with a Microsoft

uch gestures, keyboard shortcuts, and the Start screen.If you disable or don't configure this policy setting, the recent apps will be available
be able to replace it with Windows PowerShell. Users will still be able to access Windows PowerShell, but not from that menu.If you disab
r. They'll still be available if the mouse is pointing to the lower-right corner.If you disable or don't configure this policy setting, Search, Shar
hat contains the enterprise identifier, separated by a comma, and the Package Family Name of the application. The EID must be an interne

mory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user.If you disable
C. The "Work Folders URL" can specify either the URL used by the organization for Work Folders discovery, or the specific URL of the file se
prove handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure co
ng a desktop app.If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; the
o the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that p
pplication preference items.If you enable or do not configure this policy setting, you permit use of Application snap-ins. Enabling this polic
cy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting, you prohib
ion is prohibited, it does not appear in the Group Policy Management Editor window.If you enable this policy setting, you permit use of th
prohibited, it does not appear in the Group Policy Management Editor window.If you enable this policy setting, you permit use of the Con
by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy settings. Enabling this po
e "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy settings. Enabling this policy s
y setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting, you prohibi
cy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting, you prohib
g overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting, you prohibit use o
d by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy settings. Enabling this p
tting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting, you prohibit use
tting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting, you prohibit us
ed by the "Permit use of Control Panel Settings (Users)" policy setting. Enabling this policy setting overrides the "Restrict users to the expli
restricted by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy settings. Enab
ted by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy settings. Enabling th
policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting, you pro
d by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy settings. Enabling this p
nage preference items.If you enable this policy setting, you permit use of the Preferences tab. Enabling this policy setting does not overrid
e "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy settings. Enabling this policy s
ted by the "Permit use of Control Panel Settings (Users)" policy setting. Enabling this policy setting overrides the "Restrict users to the expl
tting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting, you prohibit us
ed by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy settings. Enabling thi
e "Permit use of Control Panel Settings (Computers)" policy setting. Enabling this policy setting overrides the "Restrict users to the explicitl
setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting, you prohibit u
y the "Permit use of Control Panel Settings (Users)" policy setting. Enabling this policy setting overrides the "Restrict users to the explicitly p
he current session time (current session time = server base time + client time zone).If you disable or do not configure this policy setting, th
ocal computer. By default, Remote Desktop Services allows Clipboard redirection.If you enable this policy setting, users cannot redirect Cl
inters are redirected in Remote Desktop Services sessions.
ser profile, Remote Desktop Connection, or through Group Policy.If you enable this policy setting, the desktop is always displayed when a
mote Desktop Services session. If you disable this policy setting, wallpaper is displayed in a Remote Desktop Services session, depending o
Host server, but it is not logged off.If you enable this policy setting, when a user closes the last running RemoteApp program associated wit
do not reference a specific SID will not be excluded from indexing if these are only specified in the Group Policy under "User Configuration
ence a specific SID will not be included for indexing if these are only specified in the Group Policy under "User Configuration." To include a
he index.This policy has no effect if the Files on Microsoft Networks add-in is not installed.Disabled by default.

s that do not reference a specific SID will not be excluded from indexing if these are only specified in the Group Policy under "User Configu
his policy setting, users will get search suggestions based on previous searches in the search pane.
ous session.
u enable this setting, you can select specific items not to display on the Control Panel window and the Start screen.To hide a Control Panel
earch resultsIf users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a se
. This policy has no effect on items displayed in PC settings.To display a Control Panel item, enable this policy setting and click Show to acce
ed system services. If you enable this setting, "Set up services" never appears.This setting does not prevent users from using other method
install programs.
d/Remove Windows Components button is available to all users.This setting does not prevent users from using other tools and methods t
her tools and methods to delete or uninstall programs.
ogram components.Note: If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable m
grams page" setting is enabled, this setting is ignored.
taller. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to en
g or do not configure it, the Set Program Access and Defaults button is available to all users.This setting does not prevent users from using
ove Programs.If you disable this setting or do not configure it, Add or Remove Programs is available to all users.When enabled, this setting
ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Micros
ust enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation.If you disable this

screen saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client compute
onfigure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is
ble this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is no
ault theme will be applied at the first logon.
n setting.If you do not configure this setting, users can choose whether or not to set password protection on each screen saver.To ensure
If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or D

o enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more inf

d a specific theme" setting, the theme defaults to whatever the user previously set or the system default.
ay not apply a different visual style when changing themes.

" setting is disabled. - Neither the "Screen saver executable name" setting nor the Screen Saver dialog of the client computer's Personali
t or on a home or office network" option. When users click Browse, the system opens an Internet browser and navigates to the specified U
Add Printer Wizard's page 3, and do not specify a printer name in the adjacent "Name" edit box, then Add Printer Wizard displays the list o
tory searches for printers. It does not restrict user searches through Active Directory.

nt and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrat
ver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection wi
hey try, a message appears explaining that the setting prevents the action. However, this setting does not prevent users from using t
the methods described above.
that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administra
l be available to all users.This setting does not prevent users from using other tools and methods to install or uninstall programs.
ontrol Panel Features including Windows Features, Get Programs, or Windows Marketplace.
ons.If this setting is disabled or not configured, the Set Program Access and Defaults button is available to all users.This setting does not pr
prevent users from using other tools and methods to configure services or enable or disable program components.
methods. If this feature is disabled or is not configured, the "Get new programs from Windows Marketplace" task link will be available to
o appear in the Programs Control Panel.If this setting is disabled or not configured, the Programs Control Panel in Category View and Prog
e this policy setting, the user cannot see the Administrative options.If you disable or do not configure this policy setting, the user can see t
policy setting, the user sees the option for changing the user location (GeoID).Note: Even if a user can see the GeoID option, the "Disallow
disable or do not configure this policy setting, the user sees the option for changing the UI language.Note: Even if a user can see the optio
his policy setting, the user sees the regional formats options for changing and customizing the user locale.
specifying a language different than the one used.To enable this policy setting in Windows Vista, use the "Restricts the UI languages Windo
etting, the language selection defaults to the language selected by the user.If you disable or do not configure this policy setting, there is no
ured, then the user will be free to change the setting according to their preference. Note that the availability and function of this setti
he user will be free to change the setting according to their preference. Note that the availability and function of this setting is depend
ll be locked to not insert a space after selecting a text prediction. If the policy is Disabled or Not Configured, then the user will be free
y is Disabled or Not Configured, then the user will be free to change the setting according to their preference. Note that the availability
nternet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handw

pen File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop.

side the Start button), and point to "Toolbars."Also, see the "Prohibit adjusting desktop toolbars" setting.

space, allowing them to present their users with a simpler desktop environment.If you enable this setting, Computer is hidden on the desk
menu. To do so, use the "Remove My Documents icon from Start Menu" setting.Note: To make changes to this setting effective, you must l

e this policy setting, the Properties menu command is displayed.

n the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Cu

er bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. T
mpt them to casually browse Active Directory.
ects returned" box to limit returns from an Active Directory search.If you disable this setting or do not configure it, the system displays up
s deleted each time the setting is refreshed.Note: Removing an item from the "Add" list for this setting is not the same as deleting it. Items
as Wallpaper".Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\
\Windows\web\wallpaper\home.jpg or a UNC path, such as \\Server\Share\Corp.jpg. If the specified file is not available when the user log
he "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, A
or their desktop wallpaper.
he "Turn on Classic Shell" setting ( in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled,

ontent or disable, lock, or synchronize Active Desktop components.


ms from their Active Desktop.
og box is available to users.If you enable this setting, a Properties menu item appears when any user right-clicks the icon for a remote acce
ata\Microsoft\Network\Connections\Pbk to delete a shared remote access connection.If you disable this setting (and enable the "Enable N
Administrators" setting), double-clicking the icon has no effect, and the Enable and Disable menu items are disabled for all users (including
e menu.If you disable this setting, the Rename option is disabled for nonadministrators only.If you do not configure the setting, only Admi
k Configuration Operators can rename LAN connectionsNote: This setting does not apply to Administrators.Note: When the "Ability to rena
ections is disabled for all users (including Administrators and Network Configuration Operators).Important: If the "Enable Network Connec
ofessional do not have the ability to prohibit the use of features from Administrators.If you enable this setting, the Windows XP settings th
cal Area Connection Properties dialog box.Important: If the "Enable Network Connections settings for Administrators" is disabled or not co
guration Operators are prohibited from accessing connection components, regardless of the "Enable Network Connections settings for Adm
rs (including administrators).Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this
vanced Settings item is disabled for administrators.Important: If the "Enable Network Connections settings for Administrators" is disabled
Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post
abled for all users (including administrators). Important: If the "Enable Network Connections settings for Administrators" is disabled or not
n the Windows Components Wizard. Important: If the "Enable Network Connections settings for Administrators" is disabled or not configu
on Properties dialog box for a private connection is available to users. If you enable this setting (and enable the "Enable Network Connectio
nfigured, this setting will not apply to administrators on post-Windows 2000 computers. If you disable this setting or do not configure it, th
e "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on po
ttings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. If yo
l users (including administrators). Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured
NS server information. Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting
are not available to users (including administrators). The Status option is disabled in the context menu for the connection and on the File
with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. If yo
ndicates that the computer can use local copies of network files while the server is inaccessible. -- "Never go offline" indicates that networ
g to the events you want the system to log. The levels are cumulative; that is, each level includes the events in all preceding levels. "0" reco
minder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in C
n work offline when they are disconnected from this server, or type "1" if they cannot. This setting appears in the Computer Configuration a
vailable offline. Also, it does not prevent them from using other programs, such as Windows Explorer, to view their offline files. This setting
sive setting that locks down the configuration you establish by using other settings in this folder. This setting appears in the Computer Con
0 minutes and are displayed for 15 seconds. You can use this setting to change the update interval. This setting appears in the Computer Co
ppears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuratio
t to make available offline. Notes: This policy setting appears in the Computer Configuration and User Configuration folders. If both policy se
ave the Value column field blank. If you disable this policy setting, the list of files and folders is deleted, including any lists inherited from lo

file or folder. Leave the Value column field blank. If you disable this policy setting, the list of files or folders made always available offline (i
stem only performs a quick synchronization. Quick synchronization ensures that files are complete, but does not ensure that they are curr
tomatically enables logon synchronization in Synchronization Manager. If this setting is disabled and Synchronization Manager is configure
not configuring this setting, files are not synchronized when the computer is suspended. Note: If the computer is suspended by closing the d
you disable the setting, the system displays the reminder balloons and prevents users from hiding them. If this setting is not configured, rem
ireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards.
w shared folders to be published when this setting is not configured.
Note: The default is to allow shared folders to be published when this setting is not configured.
are the memory space allocated to the VDM process and cannot run simultaneously. Enabling this setting adds a check box to the Run dial
om the Start Menu. If you disable this setting or do not configure it, users can use the Display Logoff item to add and remove the Log Off it
start menu.
t Down by default, and the user can change this setting to another action.
o not configure this setting, the system retains document shortcuts, and when a user logs on, the Recent Items menu and the Jump Lists a
ser logged off, including the history of previous notifications for each tile. This setting does not prevent new notifications from appearing. S

bsites, and other items to a program's Jump List so that the items are always present in this menu.
t configure this policy setting, users can change the programs currently pinned to the Taskbar.

ar. Moreover, the "Toolbars" menu command and submenu are removed from the context menu. The taskbar displays only the Start butto
t the user opens locally on this computer. Files that the user opens over the network from remote computers are not tracked or shown in
isplay shortcuts at the bottom of the File menu. In addition, the Jump Lists off of programs in the Start Menu and Taskbar do not show list

d with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting
ths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If
he Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons. If you disable this setting
e it, all Start menu shortcuts appear as black text. Note: Enabling this setting can make the Start menu slow to open.
any), and the system clock. If this setting is disabled or is not configured, the notification area is shown in the user's taskbar. Note: Enabling

hile the taskbar is locked, auto-hide and other taskbar options are still available in Taskbar properties. If you disable this setting or do not co
Settings on the Start menu.
are the same program are grouped together. The users have the option to disable grouping if they choose.

other methods to issue the commands that appear on these menus.

enu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE. If you disable
ne" on the Start menu, and "Where have my icons gone" in the notification area. If you disable this setting or do not configure it, all pop-up

rograms are accessible from the Start menu, desktop, and other locations. If you disable or do not configure this policy setting, the Default
must log off and then log on. If you disable or do not configure this policy setting, the Documents icon is available from the Start menu. Also

hen click Customize. If you are using Start menu, click the Advanced tab, and then, under Start menu items, click the Favorites menu. If yo

Explorer. Windows Update, the online extension of Windows, offers software updates to keep a user's system up-to-date. The Window
e this policy setting, users can use the Display Logoff item to add and remove the Log Off item. This policy setting affects the Start menu on
ers try to start it, a message appears explaining that a setting prevents the action. If you disable or do not configure this policy setting, Netw

h as right-clicking the desktop to start Display or right-clicking Computer to start System. If you disable or do not configure this policy settin
urn the menu on. If you later disable the setting, so that the Recent Items menu appears in the Start Menu, the document shortcuts saved

drives: e.g., C: --- Accessing local folders: e.g., \temp> Also, users with extended keyboards will no longer be able to display the Run dialog

pplication key (the key with the Windows logo)+ F. Note: Enabling this policy setting also prevents the user from using the F3 key. In File Ex

e user name label appears on the Start Menu in Windows XP and Windows Server 2003.
e users, you can use this setting to hide user-specific folders. Note that this setting hides all user-specific folders, not just those associated

using other methods, such as the shift right-click menu on application's jumplists in the taskbar to issue the "Run as different user" comma

this setting, the system notification area expands to show all of the notifications that use this area. If you disable this setting, the system no
option so users do not try to change the setting while a setting is in effect. Note: Personalized menus require user tracking. If you enable th

in the Start Menu. Also, see these related policy settings: "Remove frequent programs list from the Start Menu" and "Turn off personalize
ill not be able to receive notifications from the network from WNS or via notification polling APIs. If you enable this policy setting, notifi

o not configure this policy setting, toast notifications are enabled and can be turned off by the administrator or user. No reboots or se

s than or equal to the specified value are interpreted as being preceded by 20. All numbers greater than the specified value are interpreted
terface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specifi
welcome screen is displayed each time a user logs on to the computer. This setting applies only to Windows 2000 Professional. It does not a
ams, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command pro
registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. The resulting searches might make som

d batch files normally. Note: Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown
Note: You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Co
ograms such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command p
s setting, it prohibits Windows from searching for updates. If you disable or do not configure it, Windows searches for updates and automa
ssword is expiring.
g Ctrl+Alt+Del. Tip: To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and then click Lock this computer.
this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del.
Task Manager. If users try to start Task Manager, a message appears explaining that a policy prevents the action. If you disable or do not c
his setting, use the drop-down box to specify the desired response. -- "Ignore" directs the system to proceed with the installation even if i
ox beside the location name. If you disable or do not configure this setting, Windows searches the installation location, floppy drives, and C
to search Windows Update. If you disable or do not configure this setting, and "Turn off Windows Update device driver searching" is disab
vailable offline. All subfolders within the redirected folders are also made available offline. Note: This policy setting does not prevent files
: This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", no
ing the content to the new location, the cached content is renamed in the local cache and not copied to the new location. To use this poli
ftware or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting
ers when redirecting the Start Menu or legacy My Documents folder. If you disable or do not configure this policy setting, Windows Vista, Win
nap-ins" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller that Active Directory Use
licy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified resp
r use on the system.If you disable this setting or do not configure it, new Group Policy object links are created in the enabled state. If you d
e or disable this policy setting, by default administrators can view RSoP data. Note: To view RSoP data on a client computer, use the RSoP sn
s in other subkeys. If you enable this policy setting, the "Show Policies Only" command is turned on, and administrators cannot turn it off. A
g is Disabled or Not Configured, the default display name of New Group Policy object is used.
of 0 to 30 minutes. If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, th
nd the source files stored in the GPO. If the local files are newer, they are copied into the GPO. Changing the status of this setting to Enabl
such that their respective features can access the Internet. If you do not configure this policy setting, all of the policy settings in the "In
tem in the Open With dialog is removed. If you disable or do not configure this policy setting, the user is allowed to use the Store service an
ot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download print drivers over HTTP.
riting recognition error reporting tool or send error reports to Microsoft. If you disable this policy, Tablet PC users can report handwriting r
elp Experience Improvement program feature from the Help and Support settings page.

Windows does not download providers, and only the service providers that are cached in the local registry are displayed. If you disable or d
Web service to open an unhandled file association are removed. If you disable or do not configure this policy setting, the user is allowed to u
om printing to Internet printers over HTTP. If you disable or do not configure this policy setting, users can choose to print to Internet print

ws folders. If you disable or do not configure this policy setting, the tasks are shown.
es not collect usage information, and the user settings to enable the collection of usage information are not shown. If you disable this polic
e Internet and have not disabled Windows Online from the Help and Support Options page.
If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. To set this policy setting
cy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured. If y
y will be unable to customize those choices. The user cannot customize their user locale with user overrides. If this policy setting is disable
mputer policy setting. The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United Sta
s Vista, Windows XP Professional, and Windows 2000 Professional. If you disable or do not configure this policy setting, Windows Vista add
he system runs the programs in the run-once list. This policy setting appears in the Computer Configuration and User Configuration folders
m (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% di
resume operation.
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives."
ht does not take effect until the operating system is restarted.

isable or do not configure this policy setting, the instructions are suppressed.
ble or do not configure this policy setting, the instructions are suppressed.
does not display logon scripts written for Windows NT 4.0 and earlier. If you disable or do not configure this policy setting, Windows 2000 d
not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously. This policy setting ap
e following scenario: There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. GPO B and GPO C include th
0 definitions. %HOMESHARE% stores only the network share (such as \\server\share). %HOMEPATH% stores the remainder of the fully qua
ld not be roamed then add only that application's specific folder under the AppData\Roaming folder rather than all of the AppData\Roam
gistry files are included in the calculation of the profile size. -- Determine whether users are notified when the profile exceeds the permitte
e Files during user logon and logoff, and will be taken offline while the user is logged on. If you disable or do not configure this policy settin

op app for a file type; they can open files only in other Windows Store apps. If you disable or do not configure this policy setting, Windows S

e. Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts t
h their zone information. If you disable this policy setting, Windows marks file attachments with their zone information. If you do not config
des the check box and Unblock button. If you disable this policy setting, Windows shows the check box and Unblock button. If you do not co
one inclusion list). If you enable this policy setting, you can create a custom list of high-risk file types. If you disable this policy setting, Windo
nclusion list). If you enable this policy setting, you can specify file types that pose a low risk. If you disable this policy setting, Windows uses i
sion list (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can specify file types which pose
en a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. If you disable this policy setti
oth the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation which will cause

uted without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to b
ws XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices. If you enable th
default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, cl

eys, a visual version of the desktop is presented and items can be flipped through to select. Changing this policy setting requires a logoff fo

ific color for window frames that cannot be changed by users.


Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users.

tly used apps will appear at the top.


ministrator and are available to all users of the computer, there must be an entry at HKEY_LOCAL_MACHINE\Software\Microsoft\Window

. For example, the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVideos.

s command, and they will not be able to open Folder Options. If you disable or do not configure this policy setting, users can open Folder O

have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. Many pr
o a different computer, the original path might lead to a network computer, including external resources, such as an Internet server. If you
es the drive icons. Users can still gain access to drive contents by using other methods, such as by typing the path to a directory on the driv
hese tools. This setting does not remove the Computer Management item from the Start menu (Start, Programs, Administrative Tools, Com
o the path defined. If you disable or do not configure this policy setting, no changes are made to the location of the default Library definitio

m displays shortcuts to the 10 most recently opened documents.


configure this policy setting, computers in the user's workgroup and domain appear in lists of network resources in File Explorer and Netw
to computers in their workgroup or domain. It also does not prevent users from connecting to remote computers by other commonly use
e search site in OpenSearch format with {searchTerms} for the query string (for example, http://www.example.com/results.aspx?q={searc
ry.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link w
bination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives"
he root of their Users Files folder in File Explorer. Note: Enabling this policy setting does not prevent the user from being able to add new it
nnecting to another computer by typing the name of a shared folder in the Run dialog box. Note: This setting was documented incorrectly o
not prevent users from using third-party applications to create or modify CDs using a CD writer.
ng other methods to configure DFS. If you disable or do not configure this policy setting, the DFS tab is available.

olve problems with the device.


wser windows, such as the Internet Explorer window. If you disable or do not configure this policy setting, the Search button is available fro
ble to access the security tab.
not displayed in the Web view or in My Computer. If you disable or do not configure this policy setting, the Shared Documents folder is dis
user performs a search in the Explorer window.

r distracting to some users. If you disable or do not configure this policy setting, users are allowed to turn on or off these minor system anim
er" dialog box prompts the current user for the user name and password of an administrator. This setting allows administrators who have

re Search Box entries into the registry for future references. If the user types a property, values that match this property will be shown bu

ended to leave this protocol in the protected mode to increase the security of Windows. If you enable this policy setting the protocol is full
"Date Modified" and "Size" * Disable view of file content snippets in Content mode when search results are returned * Disable ability t
etting, the Windows+X shortcut keys are available.
set the folder options for File Explorer to Use classic folders view and disable the user's ability to change these options. If you disable or do not
n dialog box. If you disable or do not configure this policy setting, the Back button is displayed for any standard Open dialog box. To see an e
and, on the File menu, click Open. Note: In Windows Vista, this policy setting applies only to applications that are using the Windows XP co
Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the
be specified: Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachments and Saved Searches. If you disable or do

e the two cannot be displayed at the same time. If you disable, or do not configure this policy setting, the Details Pane is hidden by default
efaults to disabled.

tting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points
e Restore button, Windows attempts to restore the file from the local disk. If you do not configure this policy setting, it is disabled by defau
ion corresponding to a backup. If the Restore button is clicked, Windows attempts to restore the file from the backup media. If you do not
re. If the user clicks the Restore button, Windows attempts to restore the file from the file share. If you do not configure this policy setting,
included in the candidate list. This policy setting applies to Japanese Microsoft IME only. Note: Changes to this setting will not take effect u
code 0x0008 // IBM extended code 0x0010 // Half width katakana code 0x0100 // EUDC(GAIJI) 0x0200 // S-JIS unmapped area 0x0400 // Uni
rosoft IME, [Clear auto-tuning information] works, even if this policy setting is enabled, and it clears self-tuned words from the custom dic

Simplified Chinese Microsoft Pinyin, and Traditional Chinese New Phonetic.


his policy setting is still used for conversion. If you disable or do not configure this policy setting, Open Extended Dictionary can be added an

he files contain. This setting permits users to open MMC user-mode console files, such as those on the Administrative Tools menu in Wind
tting in the folder is disabled or not configured, the snap-in is prohibited. -- If you disable this setting or do not configure it, all snap-ins are p
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
those explicitly permitted. To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this s
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
those explicitly permitted. To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this s
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
sage is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
those explicitly permitted. To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this s
Policy tab is not displayed in those snap-ins. If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list

o, the sharing wizard cannot create a share at %root%\users and can only be used to create SMB shares on folders. If you disable or don't
screen blanking, adjust speaker volume, and apply a custom background image. Note: Users will be able to customize their system setting
You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enf
settings" option on the client. To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. Whe
the client. Note: It is highly recommended that you also specify the authentication method by using the "Set RD Gateway authentication m
her they want to connect. If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on
gs (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). If you enable or d
ve it not configured, the user will be able to save passwords using Remote Desktop Connection
y start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. If you disable or do not configure
's consent. 3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. 4. Vie
er that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the c
bling this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are
mits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Ser
arning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If
Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, a
e, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are mai
rm of http://contoso.com/rdweb/Feed/webfeed.aspx. If you enable this policy setting, the specified URL is configured as the default co

covery button.
to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.
not configure this policy setting, the user can subscribe to a feed or Web Slice through the Subscribe button in Internet Explorer and dele

nticate feeds to servers by using the Basic authentication scheme in combination with a less secure HTTP connection. A developer cannot

pplications can be launched from a hardware button.


do not configure this policy, press and hold actions will be available.

symbols, numbers, or keyboard shortcuts. If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not
o text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dial
entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box. If you disa
a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text, symbo
u disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the
re this setting in the Input Panel Options dialog box. If you disable this policy, application auto complete lists will appear next to Input Pane
se handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. If you enable this policy and choose “
oard to enter text, symbols, numbers, or keyboard shortcuts. If you enable this policy and choose “All” from the drop-down menu
and pen flicks training (that can be accessed through CPL) are still available. Conceptually this policy is a subset of the Disable pen flicks po

es, the touch pointer, and other-touch specific features. If you do not configure this setting, touch input is on by default. Note: Changes to t
setting, Touch Panning is on by default. Note: Changes to this setting will not take effect until the user logs off.
sers to change task characteristics such as: the program the task runs, details of its schedule, idle time and power management settings, a
aracteristics such as the program the task runs, its schedule details, idle time and power management settings, and its security context. No
akes precedence over the setting in User Configuration.
t select a program from the list in the Scheduled Task Wizard, which displays only the tasks that appear on the Start menu and its submen
e Scheduled tasks folder. This setting does not prevent users from using other methods to create new tasks, and it does not prevent users
cedence over the setting in User Configuration. Important: This setting does not prevent administrators of a computer from using At.exe to
ettings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. Important: This setti
do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templ
tive Templates/Windows Components/Windows Error Reporting/Consent take precedence.
configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains
ttery power, but checks for solutions and uploads report data normally. If you disable or do not configure this policy setting, WER checks fo
y again if the network profile is changed.
The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted
ately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, o
he Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an applica
a that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional da
nt level of 0, 1, 2, 3, or 4. - 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. - 1 (Always ask before send
default consent setting determines only the consent level of any other error reports.
ofile setting lets users install programs that require access to directories that the user might not have permission to view or change, includ
users can install from removable media when the installation is running in their own security context, but only system administrators can
not restore the computer to its original state if the installation does not complete. This policy setting is designed to reduce the amount of te
r that you want Windows Installer to search: -- "n" represents the network; -- "m" represents media; -- "u" represents URL, or the Intern
actions have been set to occur when the logon hours expire. Note: If you configure this setting, you might want to examine and appropriat

ou choose to log off a user, the user might lose unsaved data. If you enable this setting, the system will perform the action you specify whe

n the Privacy tab in the Player are not selected and are not available. If you disable or do not configure this policy setting, users can change
check box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selected and are not available. If you d
this policy setting, the Player automatically retrieves radio station presets from the Internet.
because no default settings are used for the proxy. The options are ignored if Autodetect or Browser is selected. The Configure button on t
ed if Autodetect is selected. The Configure button on the Network tab in the Player is not available and the protocol cannot be configured.
pecified is ignored. The "Use default buffering" and "Buffer" options on the Performance tab in the Player are not available. If you disable or
d if Autodetect is selected. The Configure button on the Network tab in the Player is not available and the protocol cannot be configured. I

user can specify UDP ports in the Use ports check box. If the user does not specify UDP ports, the Player uses default ports when using th
does not interrupt playback even if users have selected a screen saver. The Allow screen saver during playback check box is cleared and is
heck box is not available. If you do not configure this policy setting, users can change the setting for the Download codecs automatically ch
by using the Player tab in the Player. When this policy is not configured and the Set and Lock Skin policy is enabled, some options in the an
sed for the options on the Privacy tab unless the user changed the settings previously. If you disable or do not configure this policy setting,
s policy setting, users can configure the security settings on the Security tab.
. If the skin is not installed on a user's computer, or if the Skin box is blank, the Player opens by using the Corporate skin. The only way to s
both are present, the Computer Configuration version of this policy setting takes precedence.
Messenger from that point on, Windows Messenger will be loaded. The user can also configure this behavior on the Preferences tab on the
ter is on by default.
this policy setting does not set a default value for the SourcePath parameter of the Update-Help cmdlet. Note: This policy setting exists und
of execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the L
riginate from the Internet must be signed by a trusted publisher. The "Allow all scripts" policy setting allows all scripts to run. If you disable
mputer to do?' list. If you disable or do not configure this policy setting, the 'Install Updates and Shut Down' option will be the default optio
cy setting, the 'Install Updates and Shut Down' option will be available in the Shut Down Windows dialog box if updates are available whe
r will you receive critical updates from Windows Update. This setting also prevents Device Manager from automatically installing driver up
onfigure this policy setting, users will go to the Start screen by default when they sign in, and the user can configure this setting.
e apps are sorted by category, and the user can configure this setting.

ter the customize mode and rearrange tiles within Start and Apps.

ay when the user presses the Windows logo key. Users will still be able to open Start on other displays by pressing the Start button on that
between the Apps view and the Start screen. Also, the user will be able to configure this setting.
e Export-StartLayout PowerShell cmdlet on that same device. The cmdlet will generate an XML file representing the layout you configured
setting, a default value will be used, which administrators and users will be able to modify.
tting, a default value will be used, which administrators and users will be able to modify.
t Hours settings. If you do not configure this policy setting, voice and video calls will be allowed during Quiet Hours by default. Admins
e able to change this or any other Quiet Hours settings. If you do not configure this policy setting, Quiet Hours are enabled by def
eed to sign in with a Microsoft account.

he recent apps will be available by default, and the user can configure this setting.
ot from that menu. If you disable or don't configure this policy setting, Command Prompt will be listed in the menu by default, and users ca
his policy setting, Search, Share, Start, Devices, and Settings will be available by default, and the user can configure this setting.
on. The EID must be an internet domain belonging to the enterprise in standard international domain name format. Example value: Conto

tion to the user. If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification se
r the specific URL of the file server that stores the affected users' data. The "Force automatic setup" option specifies that Work Folders sho
m to Microsoft over a secure connection. If you enable this policy, Tablet PC users cannot choose to share writing samples from the handwr
top app for a URI scheme; they can open URIs only in other Windows Store apps. If you disable or do not configure this policy setting, Wind
age is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured, the setting of the "Restrict u
n snap-ins. Enabling this policy setting does not override policy settings that restrict the use of preference extensions. If you disable this po
this policy setting, you prohibit use of the preference extension. If you do not configure this policy setting, you permit use of the preferenc
y setting, you permit use of the Control Panel Settings item and all preference extensions under Control Panel Settings for Computer Confi
ng, you permit use of the Control Panel Settings item and all preference extensions under Control Panel Settings for User Configuration. E
policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disab
settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable thi
this policy setting, you prohibit use of the preference extension. If you do not configure this policy setting, you permit use of the preferenc
e this policy setting, you prohibit use of the preference extension. If you do not configure this policy setting, you permit use of the preferen
icy setting, you prohibit use of the preference extension. If you do not configure this policy setting, you permit use of the preference exten
policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disa
policy setting, you prohibit use of the preference extension. If you do not configure this policy setting, you permit use of the preference ex
policy setting, you prohibit use of the preference extension. If you do not configure this policy setting, you permit use of the preference ex
the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable this policy setting, you prohibit use of the prefere
(Users)" policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. I
s)" policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you d
able this policy setting, you prohibit use of the preference extension. If you do not configure this policy setting, you permit use of the prefe
policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disa
policy setting does not override policy settings that restrict the use of preference extensions. If you disable this policy setting, you prohibit
settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable thi
the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable this policy setting, you prohibit use of the prefere
policy setting, you prohibit use of the preference extension. If you do not configure this policy setting, you permit use of the preference ex
)" policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting. If you d
"Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable this policy setting, you prohibit use of the preferenc
is policy setting, you prohibit use of the preference extension. If you do not configure this policy setting, you permit use of the preference
Restrict users to the explicitly permitted list of snap-ins" policy setting. If you disable this policy setting, you prohibit use of the preference e
configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the s
tting, users cannot redirect Clipboard data. If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection.

op is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy settings. If you d
p Services session, depending on the client configuration. If you do not configure this policy setting, Windows Vista displays wallpaper to r
teApp program associated with a session, the RemoteApp session will remain in a disconnected state until the time limit that you specify i
olicy under "User Configuration." To restrict a file system path from indexing, please specify the file system path to be indexed under the "C
r Configuration." To include a file system path for indexing, please specify the file system path to be indexed under the "Computer Configu

oup Policy under "User Configuration." To restrict a file system path from indexing, please specify the file system path to be indexed under
creen. To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Sho
ge appears explaining that a setting prevents the action.
setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the C
users from using other methods to configure services. Note: When "Set up services" does not appear, clicking the Add/Remove Windows C

ing other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the

o, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Comp

ecommend their use, or to enable users to install them without having to search for installation files. If you enable this setting, users canno
s not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Progra
ers. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other
he Internet, such as the Microsoft Product Support Services Web page. If you disable this setting or do not configure it, the Support Info hyp
Installation. If you disable this setting or do not configure it, all programs (Category: All) are displayed when the "Add New Programs" page

ol Panel on the client computer. Second, the screen saver timeout is set to a nonzero value through the setting or Control Panel. Also, see
ersonalization Control Panel is available). Note: If this setting is enabled and the file is not available at user logon, the default visual style is l
on. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file. If the specified screen sa

each screen saver. To ensure that a computer will be password protected, enable the "Enable Screen Saver" setting and specify a timeout
able in the Personalization or Display Control Panel. For systems prior to Windows Vista, this setting hides the Appearance and Themes tab

article: Q327998 for more information. Also, see the "Allow only bitmapped wallpaper" setting.

he client computer's Personalization or Display Control Panel specifies a valid existing screen saver program on the client. When not configu
nd navigates to the specified URL address to display the available printers. This setting makes it easy for users to find the printers you
rinter Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list. If you disable this settin

ked by this policy. Administrators may need to set both policies to block all print connections to a specific print server.If this setting is enab
n the client, no connection will be made. - You can configure Windows Vista clients so that security warnings and elevated command
not prevent users from using the Add Hardware Wizard to add a printer. Nor does it prevent users from running other programs to add pri

r. Typically, system administrators publish programs to notify users of their availability, to recommend their use, or to enable users to inst
r uninstall programs.
users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not

" task link will be available to all users.Note: If the "Hide Programs control Panel" setting is enabled, this setting is ignored.
nel in Category View and Programs and Features in Classic View will be available to all users. When enabled, this setting takes precedence
olicy setting, the user can see the Administrative options. Note: Even if a user can see the Administrative options, other policies may preven
e GeoID option, the "Disallow changing of geographical location" option can prevent them from actually changing their current geographic
ven if a user can see the option to change the UI language, other policy settings can prevent them from changing their UI language.

stricts the UI languages Windows should use for the selected user" policy setting. If you disable or do not configure this policy setting, the l
this policy setting, there is no restriction on which language users should use. To enable this policy setting in Windows Server 2003, Windo
bility and function of this setting is dependent on supported languages being enabled.
nction of this setting is dependent on supported languages being enabled.
ed, then the user will be free to change the setting according to their preference. Note that the availability and function of this setting
. Note that the availability and function of this setting is dependent on supported languages being enabled.
ot already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browse

to the Desktop.

omputer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to
is setting effective, you must log off from and log back on to Windows 2000 Professional.

op tab and then clicking the Customize Desktop button.

dows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar does not appear above

ure it, the system displays up to 10,000 objects. This consumes approximately 2 MB of memory or disk space. This setting is designed to pr
the same as deleting it. Items that are removed from the "Add" list are not removed from the desktop. They are simply not added again. N
on\Administrative Templates\Control Panel\Display) settings.
ot available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to s
indows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored.

Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored.
cks the icon for a remote access connection. Also, when any user selects the connection, Properties appears on the File menu. If you disabl
tting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete all-
disabled for all users (including administrators). Important: If the "Enable Network Connections settings for Administrators" is disabled or n
nfigure the setting, only Administrators and Network Configuration Operators can rename all-user remote access connections. Note: This s
ote: When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either
f the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators o
g, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain fe
nistrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. If you disable this s
k Connections settings for Administrators" setting. Important: If the "Enable Network Connections settings for Administrators" is disabled o
sabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers. If you disable this setting or do n
or Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. If you disa
pply to administrators on post-Windows 2000 computers. If you disable this setting or do not configure it, the Make New Connection icon
inistrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. If you disable this
ors" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. If you disable this setting
he "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and no users (including adm
tting or do not configure it, the Connect and Disconnect options for remote access connections are available to all users. Users can connec
t apply to administrators on post-Windows 2000 computers. If you disable this setting or do not configure it, all users can delete their priva
Windows 2000 computers. If you disable this setting or do not configure it, the Properties dialog box for a connection includes a check box b
" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. If you disable this setting or
or not configured, this setting will not apply to administrators on post-Windows 2000 computers. If you disable this setting, the Advanced
he connection and on the File menu in the Network Connections folder. Users cannot choose to show the connection icon in the taskbar fr
e problem can be resolved. If you enable this policy setting, this condition will not be reported as an error to the user. If you disable or do no
o offline" indicates that network files are not available while the server is inaccessible. If you disable this setting or select the "Work offline"
n all preceding levels. "0" records an error when the offline storage cache is corrupted. "1" also records an event when the server hosting t
are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Compute
w their offline files. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the
appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configurati
ng appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configur
tting in Computer Configuration takes precedence over the setting in User Configuration.
ration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. The "Make Available O
ding any lists inherited from lower precedence GPOs, and the "Make Available Offline" command is displayed for all files and folders. If you

made always available offline (including those inherited from lower precedence GPOs) is deleted and no files or folders are made available
not ensure that they are current. If you do not configure this setting, the system performs a quick synchronization by default, but users ca
nization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensure
r is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer a
is setting is not configured, reminder balloons are displayed by default when you enable offline files, but users can change the setting. To p
access all WCN wizards.

ds a check box to the Run dialog box, giving users the option of running a 16-bit program in its own dedicated NTVDM process. The additio
add and remove the Log Off item. This setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialo
ms menu and the Jump Lists appear just as it did when the user logged off. Note: The system saves document shortcuts in the user profile
notifications from appearing. See the "Turn off Application Notifications" setting to prevent new notifications.

ar displays only the Start button, taskbar buttons, the notification area, and the system clock. If this setting is disabled or is not configured,
rs are not tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections. If you
u and Taskbar do not show lists of recently or frequently used files, folders, or websites. If you disable or do not configure this setting, the s

to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. Note
arget's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find
cons. If you disable this setting, the Start menu only displays in the new style, meaning the desktop icons are now on the Start page. If you d

user's taskbar. Note: Enabling this setting overrides the "Turn off notification area cleanup" setting, because if the notification area is hidde

disable this setting or do not configure it, the user can configure the taskbar position. Note: Enabling this setting also locks the QuickLaunch

TRL+ALT+DELETE. If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate
do not configure it, all pop-up text is displayed on the Start menu and in the notification area.

this policy setting, the Default Programs link is available from the Start menu. Note: This policy setting does not prevent the Set Default Pro
lable from the Start menu. Also, see the "Remove Documents icon on the desktop" policy setting.

click the Favorites menu. If you are using the classic Start menu, click Display Favorites under Advanced Start menu options. Note: The item

ystem up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users nee
tting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+
nfigure this policy setting, Network Connections is available from the Start Menu. Also, see the "Disable programs on Settings menu" and "D

not configure this policy setting, the Control Panel, Printers, and Network and Connection folders from Settings are available on the Start m
he document shortcuts saved before the setting was enabled and while it was in effect appear in the Recent Items menu.When the setting

able to display the Run dialog box by pressing the Application key (the key with the Windows logo) + R. If you disable or do not configure t

om using the F3 key. In File Explorer, the Search item still appears on the Standard buttons toolbar, but the system does not respond when

ers, not just those associated with redirected folders. If you enable this setting, no folders appear on the top section of the Start menu. If u

"Run as different user" command.

able this setting, the system notification area will always collapse notifications. If you do not configure it, the user can choose if they want n
user tracking. If you enable the "Turn off user tracking" setting, the system disables user tracking and personalized menus and ignores thi

enu" and "Turn off personalized menus". This policy setting does not prevent users from pinning programs to the Start Menu or Taskbar. S
nable this policy setting, notifications can still be raised by applications running on the machine via local API calls from within the applicatio

or user. No reboots or service restarts are required for this policy setting to take effect.

specified value are interpreted as being preceded by 19. For example, the default value, 2029, specifies that all two-digit years less than or
s not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file. If you disable t
2000 Professional. It does not affect the "Configure Your Server on a Windows 2000 Server" screen on Windows 2000 Server. Note: This s
ve access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window e
ulting searches might make some programs start or run slowly. If you disable or do not configure this policy setting, the program continues

n, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services.
ttings available in Computer Configuration\Security Settings. Note: This policy setting is available under Computer Configuration an
have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window
rches for updates and automatically downloads them. Note: Windows Update is an online catalog customized for your computer that cons
k this computer.

ction. If you disable or do not configure this policy setting, users can access Task Manager to start and stop programs, monitor the perform
d with the installation even if it includes unsigned files. -- "Warn" notifies the user that files are not digitally signed and lets the user decid
location, floppy drives, and CD-ROM drives. Note: To prevent searching Windows Update for drivers also see "Turn off Windows Update d
evice driver searching" is disabled or not configured, the administrator will be prompted for consent before going to Windows Update to s
setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affe
d for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface. Note: The c
new location. To use this policy setting, you must move or restore the server content to the new network location using a method that pr
es (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. If you enable this
y setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use the standard English names for these subfolders whe
oller that Active Directory Users and Computers or Active Directory Sites and Services snap-ins use. "Use any available domain controller"
e the programs' specified responses to slow links. If you enable this setting, you can, in the "Connection speed" box, type a decimal numbe
d in the enabled state. If you do not want them to be effective until they are configured and tested, you must disable the object link.
ent computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by t
ministrators cannot turn it off. As a result, Group Policy Object Editor displays only true settings; preferences do not appear. If you disable or

ys). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere w
e status of this setting to Enabled will keep any source files from copying to the GPO. Changing the status of this setting to Disabled will enf
he the policy settings in the "Internet Communication settings" section are set to not configured.
wed to use the Store service and the Store item is available in the Open With dialog.
drivers over HTTP.
users can report handwriting recognition errors to Microsoft. If you do not configure this policy Tablet PC users can report handwriting reco

re displayed. If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishin
etting, the user is allowed to use the Web service.
oose to print to Internet printers over HTTP. Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative T

shown. If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. If you do

ttings. To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured.
cy setting is not configured. If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still se
s. If this policy setting is disabled or not configured, then the user can customize their user locale overrides. If this policy is set to Enabled at
e, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). If you e
icy setting, Windows Vista adds any customized run list configured to its run list. This policy setting appears in the Computer Configuration
and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over t
cated in the %Systemroot% directory, you must specify the fully qualified path to the file. If you disable or do not configure this policy setti
ovable Data Drives."

policy setting, Windows 2000 displays login scripts written for Windows NT 4.0 and earlier. Also, see the "Run Logon Scripts Visible" setting
aneously. This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Con
A. GPO B and GPO C include the following user logon scripts: GPO B: B.cmd, B.ps1 GPO C: C.cmd, C.ps1 Assume also that there are two users
the remainder of the fully qualified path to the home directory (such as \dir1\dir2\homedir). As a result, users can access any directory on
han all of the AppData\Roaming folder to the exclusion list.By default, the Appdata\Local and Appdata\LocalLow folders and all their subf
e profile exceeds the permitted maximum size. -- Specify a customized message notifying users of the oversized profile. -- Determine how o
not configure this policy setting, the paths specified in this policy setting will behave like any other cached data via Offline Files and continu

this policy setting, Windows Store apps can open files in the default desktop app for a file type.

net zone, Windows prompts the user before accessing the file. Low Risk: If the attachment is in the list of low-risk file types, Windows will n
formation. If you do not configure this policy setting, Windows marks file attachments with their zone information.
Unblock button. If you do not configure this policy setting, Windows hides the check box and Unblock button.
sable this policy setting, Windows uses its built-in list of file types that pose a high risk. If you do not configure this policy setting, Windows
policy setting, Windows uses its default trust logic. If you do not configure this policy setting, Windows uses its default trust logic.
n specify file types which pose a moderate risk. If you disable this policy setting, Windows uses its default trust logic. If you do not configure
d. If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. If you do no
mmendation which will cause users to see more trust prompts than choosing the other options. If you enable this policy setting, you can ch

ther autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. If you enable this polic
devices. If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives.
ox. To display the password, click the password reveal button. The policy applies to all Windows components and applications that use the

olicy setting requires a logoff for it to be applied.

be changed by users.
E\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. For shell extensions to run on a per-user basis, there must be

a54907c53f} or SampleVideos. Note: Disabling a known folder can introduce application compatibility issues in applications that depend on

tting, users can open Folder Options from the View tab on the ribbon.

inistrator credentials. Many programs can be installed only by an administrator. If you enable this setting and a user does not have sufficie
ch as an Internet server. If you enable this policy setting, Windows only searches the current target path. It does not search for the origina
path to a directory on the drive in the Map Network Drive dialog box, in the Run dialog box, or in a command window. Also, this policy setti
ms, Administrative Tools, Computer Management), nor does it prevent users from using other methods to start Computer Management. T
of the default Library definition files.

rces in File Explorer and Network Locations. This policy setting does not prevent users from connecting to computers in their workgroup or
puters by other commonly used methods, such as by typing the share name in the Run dialog box or the Map Network Drive dialog box. To
ple.com/results.aspx?q={searchTerms}). You can add up to five additional links to the "Search again" links at the bottom of results returned
Connector). The pinned link will only work if this path is valid and the location contains the specified .Library-ms or .searchConnector-ms fi
ct the "Do not restrict drives" option from the drop-down list. Note: The icons representing the specified drives still appear in My Compute
from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%.
was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prev

e Search button is available from the File Explorer toolbar. This policy setting does not affect the Search items on the File Explorer context m

hared Documents folder is displayed in Web view and also in My Computer when the client is part of a workgroup. Note: The ability to rem

or off these minor system animations using the "Use transition effects for menus and tooltips" option in Display in Control Panel.
ows administrators who have logged on as regular users to install programs without logging off and logging on again using their administr

this property will be shown but no data will be saved in the registry or re-shown on subsequent uses of the search box.

olicy setting the protocol is fully enabled, allowing the opening of folders and files. If you disable this policy setting the protocol is in the pro
e returned * Disable ability to stack in the Context menu and Column headers * Exclude Libraries from the scope of Start search This po

e options. If you disable or do not configure this policy, the default File Explorer behavior is applied to the user. Note: In operating systems ear
d Open dialog box. To see an example of the standard Open dialog box, start Notepad and, on the File menu, click Open. Note: In Window
t are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box styl
affect programs that use the standard Open dialog box provided to developers of Windows programs. To see an example of the standard
d Searches. If you disable or do not configure this setting the default list of items will be displayed in the Places Bar. Note: In Windows Vista

tails Pane is hidden by default and can be displayed by the user. This is the default policy setting.

nding to on-disk restore points. If you do not configure this policy setting, it is disabled by default.
setting, it is disabled by default. The Restore button is active when the previous version is of a local file.
e backup media. If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version
ot configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share.
is setting will not take effect until the user logs off.
unmapped area 0x0400 // Unicode char 0x0800 // surrogate char 0x1000 // IVS char 0xFFFF // no definition. If you disable or do not configur
ed words from the custom dictionary. This policy setting is applied to Japanese Microsoft IME and Simplified Chinese Microsoft Pinyin.

ed Dictionary can be added and used by default. This policy setting is applied to Japanese Microsoft IME and Simplified Chinese Microsoft

nistrative Tools menu in Windows 2000 Server family or Windows Server 2003 family. However, users cannot open a blank MMC console w
t configure it, all snap-ins are permitted, except those that you explicitly prohibit. Use this setting if you plan to permit use of most snap-in
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
configured (or disabled), this snap-in is prohibited. -- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configur
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
configured (or disabled), this snap-in is prohibited.-- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configur
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
d, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or proh
configured (or disabled), this snap-in is prohibited.-- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configur
to the explicitly permitted list of snap-ins" setting determines whether this tab is displayed.-- If "Restrict users to the explicitly permitted l

olders.If you disable or don't configure this policy setting, users can share files out of their user profile after an administrator has opted in
customize their system settings for presentations in Windows Mobility Center.If you do not configure this policy setting, Windows presenta
ble this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use th
ge this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, us
RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this setting, either the NTLM p
from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher
an .rdp file).If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can a

you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher.Note:You can define this policy setting
thout the user's consent.4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the u
matches the client printer, the client printer is not available for the Remote Desktop session.If you disable this policy setting, the RD Session
nu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off.To use this setting
for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings.If you e
to keep the session active. If you have a console session, idle session time limits do not apply.If you disable or do not configure this policy
f you have a console session, active session time limits do not apply.If you disable or do not configure this policy setting, this policy setting
disconnected sessions are maintained for an unlimited time on the server.If you enable this policy setting, disconnected sessions are delet
s configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default con

hrough the Feed APIs.


n in Internet Explorer and delete a feed or Web Slice through the feed list control. A developer can add or delete a feed or Web Slice by usi

nnection.A developer cannot change this policy setting through the Feed APIs.

on suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable this policy, Input Panel w
n the Input Panel Options dialog box.If you disable this policy, Input Panel will appear next to any text entry area in applications where thi
Options dialog box.If you disable this policy, Input Panel will appear next to text entry areas in applications where this behavior is availabl
keyboard to enter text, symbols, numbers, or keyboard shortcuts.If you enable this policy, rarely used Chinese, Kanji, and Hanja characters
o configure this setting in the Input Panel Options dialog box.If you do not configure this policy, Input Panel tab will appear on the edge of
will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Inp
ble this policy and choose “Low” from the drop-down box, password security is set to “Low.” At this setting, all password securit
” from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in th
set of the Disable pen flicks policy.If you disable or do not configure this policy, all the features described above will be available.

by default.Note: Changes to this setting will not take effect until the user logs off.

power management settings, and its security context. Beginning users will often not be interested or confused by having the property shee
gs, and its security context.Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are co

he Start menu and its submenus. Once a task is created, users cannot change the program a task runs.Important: This setting does not pre
and it does not prevent users from deleting tasks.Note: This setting appears in the Computer Configuration and User Configuration folders
omputer from using At.exe to create new tasks or prevent administrators from submitting tasks from remote computers.
figuration.Important: This setting does not prevent administrators of a computer from using At.exe to delete tasks.
uration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If T

file for a report that contains data about the same event types.
s policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the comput

orts are automatically deleted.If you disable or do not configure this policy setting, no Windows Error Reporting information is stored.
ompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel.The Maximu
ension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors f
sent to send any additional data that is requested by Microsoft.- Send parameters and safe additional data: the minimum data that is requ
pe.- 1 (Always ask before sending data): Windows prompts the user for consent to send reports.- 2 (Send parameters): Windows Error Rep

ssion to view or change, including directories on highly restricted computers.If you disable or do not configure this policy setting, the syste
nly system administrators can use removable media when an installation is running with elevated system privileges, such as installations o
ned to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an insta
represents URL, or the Internet.To exclude a file source, omit or delete the letter representing that source type.
ant to examine and appropriately configure the “Set action to take when logon hours expire” setting. If “Set action to take when lo

rm the action you specify when the user’s logon hours expire. If you disable or do not configure this setting, the system takes no action

olicy setting, users can change the setting of the Retrieve media information for CDs and DVDs from the Internet check box.
and are not available.If you disable or do not configure this policy setting, users can change the setting of the Update my music files (WM

ted.The Configure button on the Network tab in the Player is not available for the HTTP protocol and the proxy cannot be configured. If th
rotocol cannot be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden.This policy setting is
not available.If you disable or do not configure this policy setting, users can change the buffering options on the Performance tab.
otocol cannot be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden.If you disable this p

es default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Play
ack check box is cleared and is not available.If you do not configure this policy setting, users can change the setting for the Allow screen sa
nload codecs automatically check box.
nabled, some options in the anchor window are not available.
t configure this policy setting, the Privacy tab is not hidden, and users can configure any privacy settings not configured by other policies.

rporate skin. The only way to specify the Corporate skin is to leave the Skin box blank.A user has access only to the Player features that are

on the Preferences tab on the Tools menu in the Windows Messenger user interface.Note: If you do not want users to use Windows Messe

e: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configur
e is equivalent to setting the LogPipelineExecutionDetails property of the module to False. If this policy setting is not configured, the Lo
all scripts to run.If you disable this policy setting, no scripts are allowed to run.Note: This policy setting exists under both "Computer Config
ption will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects t
x if updates are available when the user selects the Shut Down option in the Start menu.
tomatically installing driver updates from the Windows Update Web site.If enabled you can configure one of the following notification op
onfigure this setting.

essing the Start button on that display. Also, the user will be able to configure this setting.

ting the layout you configured.Once the XML file is generated and moved to the desired file path, type the fully qualified path and name o

uiet Hours by default. Administrators and users will be able to modify this setting.
uiet Hours are enabled by default but can be turned off by the administrator or user.

menu by default, and users can configure this setting.


nfigure this setting.
format. Example value: Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy If you enable this policy setting, the application ide

ult consent and notification settings.


pecifies that Work Folders should be set up automatically without prompting users. This prevents users from choosing not to use Work Fo
ting samples from the handwriting recognition personalization tool with Microsoft.If you disable this policy, Tablet PC user writing samples
figure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme.Note: Enabling this policy setting
xtensions.If you disable this policy setting, you prohibit use of Applications snap-ins, and new Application preference items cannot be crea
ou permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
el Settings for Computer Configuration. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins"
ttings for User Configuration. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setti
-ins" policy setting.If you disable this policy setting, you prohibit use of the preference extension.If you do not configure this policy setting,
policy setting.If you disable this policy setting, you prohibit use of the preference extension.If you do not configure this policy setting, you p
u permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting
mit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
p-ins" policy setting.If you disable this policy setting, you prohibit use of the preference extension.If you do not configure this policy settin
ermit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
ermit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
you prohibit use of the preference extension.If you do not configure this policy setting, you permit use of the preference extension unless
ist of snap-ins" policy setting.If you disable this policy setting, you prohibit use of the preference extension.If you do not configure this pol
nap-ins" policy setting.If you disable this policy setting, you prohibit use of the preference extension.If you do not configure this policy setti
g, you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setti
p-ins" policy setting.If you disable this policy setting, you prohibit use of the preference extension.If you do not configure this policy settin
his policy setting, you prohibit use of the Preferences tab.If you do not configure this policy setting, you permit use of the Preferences tab.
policy setting.If you disable this policy setting, you prohibit use of the preference extension.If you do not configure this policy setting, you p
you prohibit use of the preference extension.If you do not configure this policy setting, you permit use of the preference extension unless
ermit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
nap-ins" policy setting.If you disable this policy setting, you prohibit use of the preference extension.If you do not configure this policy setti
prohibit use of the preference extension.If you do not configure this policy setting, you permit use of the preference extension unless res
permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
rohibit use of the preference extension.If you do not configure this policy setting, you permit use of the preference extension unless restri
time zone is the same as the server time zone.Note: Time zone redirection is possible only when connecting to at least a Microsoft Windo
s allows Clipboard redirection.If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level.

program policy settings.If you disable or do not configure this policy setting, an initial program can be specified that runs on the remote co
s Vista displays wallpaper to remote clients connecting through Remote Desktop, depending on the client configuration (see the Experien
he time limit that you specify is reached. When the time limit specified is reached, the RemoteApp session will be logged off from the RD S
ath to be indexed under the "Computer Configuration" Group Policy.
under the "Computer Configuration" Group Policy.

tem path to be indexed under the "Computer Configuration" Group Policy.If you enable and then disable this policy setting, users can inde
Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, en

the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Pe
g the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option

tting blocks user access to the Windows Component Wizard.

tive Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this

nable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remov
oes not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and De
revent users from using other tools and methods to install or uninstall programs.
nfigure it, the Support Info hyperlink appears.Note: Not all programs provide a support information hyperlink.
he "Add New Programs" page opens.You can use this setting to direct users to the programs they are most likely to need.Note: This settin

tting or Control Panel.Also, see the "Prevent changing Screen Saver" setting.
gon, the default visual style is loaded.Note: When running Windows XP, you can select the Luna visual style by typing %windir%\resources
e file.If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored.Note: This setting can b

setting and specify a timeout via the "Screen Saver timeout" setting.Note: To remove the Screen Saver dialog, use the "Prevent changing
e Appearance and Themes tabs in Display in Control Panel.

on the client.When not configured, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Displa
users to find the printers you want them to add. Also, see the "Custom support URL in the Printers folder's left pane" and "Activate I
wn list.If you disable this setting, the network printer browse page is removed from within the Add Printer Wizard, and users cannot searc

nt server.If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrato
nings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
ing other programs to add printers. This setting does not delete printers that users have already added. However, if users have not a

use, or to enable users to install them without having to search for installation files.If this setting is enabled, users cannot view the progra
defaults.This setting does not prevent the Default Programs icon from appearing on the Start menu.

tting is ignored.
this setting takes precedence over the other settings in this folder.This setting does not prevent users from using other tools and methods
ons, other policies may prevent them from modifying the values.
nging their current geographical location.
nging their UI language.

nfigure this policy setting, the logged-on user can access the dialog box controls in the Regional and Language Options control panel to sele
Windows Server 2003, Windows XP, or Windows 2000, to use the "Restrict selection of Windows menus and dialogs language" policy setti

ity and function of this setting is dependent on supported languages being enabled.

g email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and s

views. If the user manages to navigate to Computer, the folder will be empty.If you disable this setting, Computer is displayed as usual, ap

er bar does not appear above the resulting display, on the View menu, click Filter.

e.This setting is designed to protect the network and the domain controller from the effect of expansive searches.
y are simply not added again. Note: For this setting to take effect, you must log off and log on to the system.

u can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification.If yo
on the File menu.If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Proper
ministrators) cannot delete all-user remote access connections. (By default, users can still delete their private connections, but you can cha
dministrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.If you do not c
ccess connections. Note: This setting does not apply to Administrators. Note: When the "Ability to rename LAN connections or remote acces
ng is configured (set to either enabled or disabled), this setting does not apply.
l not apply to administrators on post-Windows 2000 computers.If this setting is not configured, only Administrators and Network Configur
nistrators from using certain features. These settings are "Ability to rename LAN connections or remote access connections available to all
computers.If you disable this setting or do not configure it, a Properties menu item appears when users right-click the icon representing a
r Administrators" is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers.If you disa
you disable this setting or do not configure it, the Properties button is enabled for all users.The Networking tab of the Remote Access Conn
ws 2000 computers.If you disable this setting or do not configure it, the Advanced Settings item is enabled for administrators.Note: Nonadm
e Make New Connection icon appears in the Start menu and in the Network Connections folder for all users. Clicking the Make New Conne
computers.If you disable this setting or do not configure it, the Remote Access Preferences item is enabled for all users.
ters.If you disable this setting or do not configure it, the Install and Uninstall buttons for components of connections in the Network Conn
d, and no users (including administrators) can open the Remote Access Connection Properties dialog box for a private connection.Importa
to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection, by righ
all users can delete their private remote access connections. Private connections are those that are available only to one user. (By default
nection includes a check box beside the name of each component that the connection uses. Selecting the check box enables the compone
s.If you disable this setting or do not configure it, the Rename option is enabled for all users' private remote access connections. Users can
ble this setting, the Advanced button is enabled, and all users can open the Advanced TCP/IP Setting dialog box.Note: This setting is supers
nnection icon in the taskbar from the Connection Properties dialog box.Important: If the "Enable Network Connections settings for Admin
he user.If you disable or do not configure this policy setting, a DHCP-configured connection that has not been assigned an IP address will b
ng or select the "Work offline" option, users can work offline if disconnected.If you do not configure this setting, users can work offline by
ent when the server hosting the offline file is disconnected from the network."2" also records events when the local computer is connecte

server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configura
h settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.Tip: To view the O
etting in Computer Configuration takes precedence over the setting in User Configuration.Tip: This setting provides a quick method for loc
e setting in Computer Configuration takes precedence over the setting in User Configuration.Tip: To set reminder balloon frequency withou

edence.The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows
d for all files and folders.If you do not configure this policy setting, the "Make Available Offline" command is available for all files and folde

or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use).If you
zation by default, but users can change this option.This setting appears in the Computer Configuration and User Configuration folders. If b
. Quick synchronization ensures that files are complete but does not ensure that they are current.If you do not configure this setting and S
e logged on to the computer at the time the computer is suspended, a synchronization is not performed.
rs can change the setting.To prevent users from changing the setting while a setting is in effect, the system disables the "Enable reminders

d NTVDM process. The additional check box is enabled only when a user enters a 16-bit program in the Run dialog box.
on the Windows Security dialog box that appears when you press Ctrl+Alt+Del.Note: To add or remove the Log Off item on a computer, cl
t shortcuts in the user profile in the System-drive\Users\User-name\Recent folder.Also, see the "Remove Recent Items menu from Start M

disabled or is not configured, the taskbar displays all toolbars. Users can add or remove custom toolbars, and the "Toolbars" command ap
w network connections. If you disable or do not configure this policy setting, all files that the user opens appear in the menus, including file
ot configure this setting, the system will store and display shortcuts to recently and frequently used files, folders, and websites. Note: The

an attempt to find the file. Note: This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking
rget drive in an attempt to find the file. Note: This policy setting only applies to target files on NTFS partitions. FAT partitions do not have th
now on the Start page. If you do not configure this setting, the default is the new style, and the user can change the view.

if the notification area is hidden, there is no need to clean up the icons.

ng also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user

Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security screen is also availa

not prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel.

t menu options. Note: The items that appear in the Favorites menu when you install Windows are preconfigured by the system to appeal to

rosoft updates that users need and shows the newest versions available for download. If you disable or do not configure this policy setting
appears when you press Ctrl+Alt+Del, and it does not prevent users from using other methods to log off. Tip: To add or remove the Log Off
ams on Settings menu" and "Disable Control Panel" policy settings and the policy settings in the Network Connections folder (Computer Co

ngs are available on the Start menu, and from Computer and File Explorer. Also, see the "Disable Control Panel," "Disable Display in Control
Items menu. When the setting is disabled, the Recent Items menu appears in the Start Menu, and users cannot remove it. If the setting is n

u disable or do not configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use th

ystem does not respond when the user presses Ctrl+F. Also, Search does not appear in the context menu when you right-click an icon repr

section of the Start menu. If users add folders to the Start Menu directory in their user profiles, the folders appear in the directory but not

user can choose if they want notifications collapsed.


nalized menus and ignores this setting. Tip: To Turn off personalized menus without specifying a setting, click Start, click Settings, click Task

o the Start Menu or Taskbar. See the "Remove pinned programs list from the Start Menu" and "Do not allow pinning programs to the Task
calls from within the application. If you disable or do not configure this policy setting, the client computer will connect to WNS at use

all two-digit years less than or equal to 29 (00 to 29) are interpreted as being preceded by 20, that is 2000 to 2029. Conversely, all two-dig
path to the file. If you disable this setting or do not configure it, the setting is ignored and the system displays the Explorer interface. Tip: To
dows 2000 Server. Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured
ms in the command window even though they would be prevented from doing so using File Explorer. Note: Non-Microsoft applications wi
etting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. This se

er Computer Configuration and User Configuration. If both settings are used, any programs listed in either of these locations cannot la
grams in the command window even though they would be prevented from doing so using File Explorer. Note: Non-Microsoft applications
d for your computer that consists of items such as drivers, critical updates, Help files, and Internet products that you can download to kee
rograms, monitor the performance of their computers, view and monitor all programs running on their computers, including system servi
signed and lets the user decide whether to stop or to proceed with the installation and whether to permit unsigned files to be installed. "W
e "Turn off Windows Update device driver searching" in Administrative Templates/System/Internet Communication Management/Interne
going to Windows Update to search for device drivers.
matic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface. Note: Do not enable t
the user interface. Note: The configuration of this policy for any folder will override the configured value of "Do not automatically make all
cation using a method that preserves the state of the files, including their timestamps, before updating the Folder Redirection location. If y
to function. If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders a
ames for these subfolders when redirecting the Start Menu or legacy My Documents folder. Note: This policy is valid only on Windows Vist
available domain controller" indicates that the Group Policy Object Editor snap-in can read and write changes to any available domain co
d" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than
st disable the object link.
in from the command line by typing RSOP.msc Note: This policy setting exists as both a User Configuration and Computer Configuration setti
do not appear. If you disable or do not configure this policy setting, the "Show Policies Only" command is turned on by default, but adminis

use updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installa
his setting to Disabled will enforce the default behavior. Files will always be copied to the GPO if they have a later timestamp. NOTE: If the

rs can report handwriting recognition errors to Microsoft.

e user uses the web publishing or online ordering wizards. See the documentation for the web publishing and online ordering wizards for m

onfiguration/Administrative Templates/Printers.

e setting is not shown.If you do not configure this policy setting, users have the choice to opt in and allow information to be collected.

ser locale, but they can still select a replacement locale if one is installed. If you disable or do not configure this policy setting, the user can
this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the com
a) and French (Canada). If you enable this policy setting, only locales in the specified locale list can be selected by users. If you disable or do
n the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configu
ration takes precedence over the policy setting in User Configuration. Note: Customized run-once lists are stored in the registry in HKEY_LO
not configure this policy setting, the user will have to start the appropriate programs after logon. Note: This setting appears in the Comput
Logon Scripts Visible" setting.
y setting set in Computer Configuration takes precedence over the policy setting set in User Configuration.
e also that there are two users, Qin Hong and Tamara Johnston. For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B an
ers can access any directory on the home share by using the home directory drive letter. If you disable or do not configure this policy settin
alLow folders and all their subfolders such as the History, Temp, and Temporary Internet Files folders are excluded from the user's roaming
ed profile. -- Determine how often the customized message is displayed. Note: In operating systems earlier than Microsoft Windows Vista,
ta via Offline Files and continue to remain online while the user is logged on, if the network paths are accessible. Note: You should not us

w-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. If you enable this poli

e this policy setting, Windows uses its built-in list of high-risk file types.
ts default trust logic.
st logic. If you do not configure this policy setting, Windows uses its default trust logic.
ments are opened.If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachmen
this policy setting, you can choose the order in which Windows processes risk assessment data. If you disable this policy setting, Windows

og. If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to: a) C
, or disabled on all drives. This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Aut
and applications that use the Windows system controls, including Internet Explorer.
per-user basis, there must be an entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

n applications that depend on the existence of the known folder.

d a user does not have sufficient permissions to install a program, the installation continues with the current user's logon credentials. As a
oes not search for the original path even when it cannot find the target file in the current target path. If you disable or do not configure th
d window. Also, this policy setting does not prevent users from using programs to access these drives or their contents. And, it does not pr
tart Computer Management. Tip: To hide all context menus, use the "Remove File Explorer's default context menu" setting.

mputers in their workgroup or domain by other commonly used methods, such as typing the share name in the Run dialog box or the Map
p Network Drive dialog box. To remove computers in the user's workgroup or domain from lists of network resources, use the "No Comput
the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Sea
-ms or .searchConnector-ms file. You can add up to five additional links to the "Search again" links at the bottom of results returned in File
es still appear in My Computer, but if users double-click the icons, a message appears explaining that a setting prevents the action. Also, th

correctly that this setting prevents users from connecting and disconnecting drives. Note: It is a requirement for third-party applications wi

s on the File Explorer context menu or on the Start menu. To remove Search from the Start menu, use the "Remove Search menu from Sta

group. Note: The ability to remove the Shared Documents folder via Group Policy is only available on Windows XP Professional.

play in Control Panel.


on again using their administrator credentials. If the dialog box does not appear, the installation proceeds with the current user's permissio

search box.

tting the protocol is in the protected mode, allowing applications to only open a limited set of folders. If you do not configure this policy se
e scope of Start search This policy will not enable users to add unsupported locations to Libraries. If you enable this policy, Windows Librar

Note: In operating systems earlier than Windows Vista, enabling this policy will also disable the Active Desktop and Web view. This setting
u, click Open. Note: In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box sty
Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this s
e an example of the standard Open dialog box, start Wordpad and, on the File menu, click Open. Note: In Windows Vista, this policy settin
es Bar. Note: In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. Th

ve when the previous version is of a local file and stored on the backup.
on is of a file on a file share.

you disable or do not configure this policy setting, no range of characters are filtered by default. This policy setting applies to Japanese Mic
Chinese Microsoft Pinyin.

Simplified Chinese Microsoft Pinyin.

t open a blank MMC console window on the Start menu. (To open the MMC, click Start, click Run, and type mmc.) Users also cannot open
to permit use of most snap-ins. To explicitly prohibit a snap-in, open the Restricted/Permitted snap-ins setting folder and then disable th
is snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can
ns" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, di
rs to the explicitly permitted list of snap-ins" is enabled, users will not have access to the Group Policy tab. To explicitly permit use of the

an administrator has opted in the computer.


licy setting, Windows presentation settings can be invoked.
even if they select the "Use these RD Gateway server settings" option on the client. Note: To enforce this policy setting, you must also spec
uring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the auth
this setting, either the NTLM protocol that is enabled on the client or a smart card can be used. To allow users to overwrite the "Set RD Ga
a message that the publisher has been blocked.
a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an

u can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting fo
on of a remote user with the user's consent. 5. View Session without user's permission: Allows the administrator to watch the session of a
s policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server do
y logged off. To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run w
essions policy settings. If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. If you disa
or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows
olicy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain acti
sconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected se
cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. If you

lete a feed or Web Slice by using the Feed APIs.

sable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Opti
area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. If
where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. If you do not configur
e, Kanji, and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to
tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options. C
configure this setting in the Input Panel Options dialog box. If you do not configure this policy, application auto complete lists will appear n
is setting, all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box
e to configure this setting in the Input Panel Options dialog box. If you enable this policy and choose "Tolerant," users will be able to
ove will be available.

ed by having the property sheet displayed automatically. Note that the checkbox is not checked by default even if this setting is Disabled o
folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. Tip

tant: This setting does not prevent users from creating a new task by pasting or dragging any program into the Scheduled Tasks folder. To
nd User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in
e computers.
settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for W

d report data until the computer is connected to a more permanent power source.

ting information is stored.


e in Control Panel. The Maximum number of reports to queue setting determines how many reports can be queued before older reports ar
s enabled, the Exclude errors for applications on this list setting takes precedence. If you disable or do not configure this policy setting, erro
the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probab
ameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prom

re this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not dist
vileges, such as installations offered on the desktop or in Add or Remove Programs.Also, see the "Enable user to use media source while e
sers from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, be

"Set action to take when logon hours expire" is disabled or not configured, the "Remove logon hours expiration warnings" settin

g, the system takes no action when the user's logon hours expire. The user can continue the existing session, but cannot log on to a ne

ernet check box.


e Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box.

oxy cannot be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. This policy is ignored if
is hidden. This policy setting is ignored if the "Streaming media protocols" policy setting is enabled and Multicast is not selected. If you disa
the Performance tab.
is hidden. If you disable this policy setting, the RTSP proxy server cannot be used and users cannot change the RTSP proxy settings. If you d

received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected.If you enable this policy setting, t
etting for the Allow screen saver during playback check box.

configured by other policies.

to the Player features that are available with the specified skin. Users cannot switch the Player to full mode and cannot choose a different

t users to use Windows Messenger, enable the "Do not allow Windows Messenger to run" policy setting.Note: This policy setting is availab

ditor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
etting is not configured, the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a m
under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has prece
n at the time the user selects the Shut Down option in the Start menu. Note that this policy setting has no impact if the User Configuration\
f the following notification options: 0 = Do not show any notifications. This setting will remove all access to Windows Update features and n

ully qualified path and name of the XML file. You can type a local path, such as C:\StartLayouts\myLayout.xml or a UNC path, such as \\Ser

licy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the sp

choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folder
Tablet PC user writing samples from the handwriting recognition personalization tool will automatically be shared with Microsoft.If you do
ote: Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto U
s snap-in is permitted or prohibited.-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cann
eference items cannot be created.
list of snap-ins" policy setting.
tly permitted list of snap-ins" policy setting for the Control Panel Settings item, but not for its children. Enabling this policy setting does no
ed list of snap-ins" policy setting for the Control Panel Settings item, but not for its children. Enabling this policy setting does not override a
ot configure this policy setting, you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitte
figure this policy setting, you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list
ist of snap-ins" policy setting.
list of snap-ins" policy setting.
nap-ins" policy setting.
not configure this policy setting, you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitt
f snap-ins" policy setting.
f snap-ins" policy setting.
preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" or "Permit use of Control Panel Se
you do not configure this policy setting, you permit use of the preference extension unless restricted by the "Restrict users to the explicit
o not configure this policy setting, you permit use of the preference extension unless restricted by the "Restrict users to the explicitly perm
tted list of snap-ins" policy setting.
not configure this policy setting, you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitt
it use of the Preferences tab.
figure this policy setting, you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list
e preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" or "Permit use of Control Panel S
of snap-ins" policy setting.
o not configure this policy setting, you permit use of the preference extension unless restricted by the "Restrict users to the explicitly perm
eference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" or "Permit use of Control Panel Settin
t of snap-ins" policy setting.
erence extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" or "Permit use of Control Panel Setting
to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 or later.
d at the Group Policy level.

ed that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified, the desktop is
onfiguration (see the Experience tab in the Remote Desktop Connection options for more information). Servers running Windows Server 2
ill be logged off from the RD Session Host server. If the user starts a RemoteApp program before the time limit is reached, the user will rec

s policy setting, users can index any path not restricted by other policies, but their original list of paths to index is not restored.
nonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization.Note: For Windows Vista, Windows Se

rosoft.System, or Microsoft.Personalization.Note: For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module
use the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, an

vable media, regardless of this setting.

hey cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, a
ove Set Program Access and Defaults from Start menu" setting.

ikely to need.Note: This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" s

by typing %windir%\resources\Themes\Luna\Luna.msstyles. Note: To select the Windows Classic visual style, leave the box blank beside "Pa
nored.Note: This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setti

og, use the "Prevent changing Screen Saver" setting.

n the Personalization or Display Control Panel is used. The default is 15 minutes.


der's left pane" and "Activate Internet printing" settings in "Computer Configuration\Administrative Templates\Printers."
Wizard, and users cannot search the network but must type a printer name.Note: This setting affects the Add Printer Wizard only. It does no

d by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that ar
n drivers need to be updated. If you do not configure this policy setting: -Windows Vista client computers can point and print to
. However, if users have not added a printer when this setting is applied, they cannot print. Note: You can use printer permissions to

users cannot view the programs that have been published by the system administrator, and they cannot use the "Get Programs" page to
sing other tools and methods to install or uninstall programs.

e Options control panel to select any available UI language.


d dialogs language" policy setting.

Input Panel is collected and stored. Note: Automatic learning of both text and ink might not be available for all languages, even when ha

mputer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by anothe

change this specification.If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpap
nistrators" setting), the Properties menu items are disabled, and users (including administrators) cannot open the remote access connectio
connections, but you can change the default by using the "Prohibit deletion of remote access connections" setting.)Important: If the "Ena
000 computers.If you do not configure this setting, only Administrators and Network Configuration Operators can enable/disable LAN conn
N connections or remote access connections available to all users" setting is configured (set to either Enabled or Disabled), this setting doe

strators and Network Configuration Operators have the right to rename LAN or all user remote access connections.Note: When configured
ss connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of
-click the icon representing a LAN connection. Also, when users select the connection, Properties is enabled on the File menu.Note: This se
ws 2000 computers.If you disable this setting or do not configure it, the Properties button is enabled for administrators and Network Confi
ab of the Remote Access Connection Properties dialog box includes a list of the network components that the connection uses. To view or
r administrators.Note: Nonadministrators are already prohibited from accessing the Advanced Settings dialog box, regardless of this settin
Clicking the Make New Connection icon starts the New Connection Wizard.Note: Changing this setting from Enabled to Not Configured do
for all users.
nections in the Network Connections folder are enabled. Also, administrators can gain access to network components in the Windows Com
r a private connection.Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this settin
enting the connection, by right-clicking it, or by using the File menu.
e only to one user. (By default, only Administrators and Network Configuration Operators can delete connections available to all users, but
eck box enables the component, and clearing the check box disables the component.Note: When the "Prohibit access to properties of a LA
access connections. Users can rename their private connection by clicking an icon representing the connection or by using the File menu.N
box.Note: This setting is superseded by settings that prohibit access to properties of connections or connection components. When these p
onnections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 c
n assigned an IP address will be reported via a notification, providing the user with information as to how the problem can be resolved.
tting, users can work offline by default, but they can change this option.This setting appears in the Computer Configuration and User Config
the local computer is connected and disconnected from the network."3" also records an event when the server hosting the offline file is re

Computer and User configuration take precedence over a user's setting. This setting does not prevent users from setting custom actions
onfiguration.Tip: To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, a
rovides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not ha
nder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offl

ndows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista.
available for all files and folders.Notes:This policy setting appears in the Computer Configuration and User Configuration folders. If both p

d folders for offline use).If you do not configure this policy setting, no files or folders are made available for offline use by Group Policy.Not
User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User
ot configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronizatio

disables the "Enable reminders" option on the Offline Files tab. This setting appears in the Computer Configuration and User Configuration f

dialog box.
Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start
cent Items menu from Start Menu" and "Do not keep history of recently opened documents" policies in this folder. The system only uses

d the "Toolbars" command appears in the context menu.


ear in the menus, including files located remotely on another computer.Note: This setting does not prevent Windows from displaying remo
ders, and websites.Note: The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Recent folder.Als

ns do not have this ID tracking and search capability.Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the tr
. FAT partitions do not have this ID tracking and search capability.Also, see the "Do not track Shell shortcuts during roaming" and the "Do n
nge the view.

osition is locked, and the user cannot show and hide various toolbars using the taskbar context menu.

ws Security screen is also available.Note: Third-party programs certified as compatible with Microsoft Windows Vista, Windows XP SP2, Win

red by the system to appeal to most users. However, users can add and remove items from this menu, and system administrators can crea

ot configure this policy setting, the Windows Update hyperlink is available from the Start menu and from the Tools menu in Internet Explo
To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options ta
nnections folder (Computer Configuration and User Configuration\Administrative Templates\Network\Network Connections).

el," "Disable Display in Control Panel," and "Remove Network Connections from Start Menu" policy settings.
not remove it.If the setting is not configured, users can turn the Recent Items menu on and off.Note: This setting does not prevent Window

d in Task Manager and use the Internet Explorer Address Bar.Note:This setting affects the specified interface only. It does not prevent use

hen you right-click an icon representing a drive or a folder.This policy setting affects the specified user interface elements only. It does not

appear in the directory but not on the Start menu. If you disable this setting or do not configure it, Windows 2000 Professional and Windo

Start, click Settings, click Taskbar and Start Menu, and then, on the General tab, clear the "Use Personalized Menus" option.

pinning programs to the Taskbar" policy settings.


er will connect to WNS at user login and applications will be allowed to poll for tile notification updates in the background. No reboo

o 2029. Conversely, all two-digit years greater than 29 (30 to 99) are interpreted as being preceded by 19, that is, 1930 to 1999.If you disab
the Explorer interface.Tip: To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click t
If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.Tip: To disp
Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.Note: To create a list of
ctions, or it might stop.This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured,

er of these locations cannot be launched from Help


e: Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.Note: To create a list
that you can download to keep your computer up to date.Also, see the "Remove links and access to Windows Update" setting. If the "Rem
puters, including system services, find the executable names of programs, and change the priority of the process in which programs run.
nsigned files to be installed. "Warn" is the default.-- "Block" directs the system to refuse to install unsigned files. As a result, the installatio
nication Management/Internet Communication settings.

erface. Note: Do not enable this policy setting if users will need access to their redirected files if the network or server holding the redirec
Do not automatically make all redirected folders available offline".
Folder Redirection location.If you disable or do not configure this policy setting, when the path to a redirected folder is changed and Folde
Pictures folders, the folders are redirected on the user's primary computer only.If you disable or do not configure this policy setting and th
is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already d
es to any available domain controller.If you disable this setting or do not configure it, the Group Policy Object Editor snap-in uses the dom
d. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast.If you disable this s

nd Computer Configuration setting.Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Adminis
ned on by default, but administrators can view preferences by turning off the "Show Policies Only" command.Note: To find the "Show Poli

t appropriate for most installations.If you disable this setting, user Group Policy is updated every 90 minutes (the default). To specify that
a later timestamp.NOTE: If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Object Editor" is en

d online ordering wizards for more information, including details on specifying service providers in the registry.

ormation to be collected.

his policy setting, the user can select a custom locale as their user locale.If this policy setting is enabled at the machine level, it cannot be d
cy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer l
d by users.If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by th
y setting in Computer Configuration takes precedence over the policy setting in User Configuration.Note: To create a customized run list b
red in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce.Also, see the ""Do not process the
setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the progra
fore, the scripts for GPOs B and C run in the following order for Qin: Within GPO B: B.ps1, B.cmd. Within GPO C: C.ps1, C.cmd. For Tamara, G
not configure this policy setting, the system uses the definitions introduced with Windows 2000. %HOMESHARE% stores the fully qualified
luded from the user's roaming profile.In operating systems earlier than Microsoft Windows Vista, only the History, Local Settings, Temp, a
han Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. I
sible. Note: You should not use this policy setting to suspend any of the root redirected folders such as Appdata\Roaming, Start Menu, an

rmation.If you enable this policy setting, you can specify the default risk level for file types.If you disable this policy setting, Windows sets t

programs when file attachments are opened.


e this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type.If you do not configure this policy

avior for autorun to: a) Completely disable autorun commands, or b) Revert back to pre-Windows Vista behavior of automatical
t use this setting to enable Autoplay on drives on which it is disabled by default. If you disable or do not configure this policy setting, A
on\Shell Extensions\Approved.

user's logon credentials. As a result, the installation might fail, or it might complete but not include all features. Or, it might appear to com
disable or do not configure this policy setting, Windows searches for the original path when it cannot find the target file in the current targ
r contents. And, it does not prevent users from using the Disk Management snap-in to view and change drive characteristics.If you disable
menu" setting.

the Run dialog box or the Map Network Drive dialog box.To remove network computers from lists of network resources, use the "No Entir
esources, use the "No Computers Near Me in Network Locations" setting.Note: It is a requirement for third-party applications with Window
n Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.The firs
ttom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Con
ng prevents the action. Also, this setting does not prevent users from using programs to access local and network drives. And, it does not p

for third-party applications with Windows 2000 or later certification to adhere to this setting.

Remove Search menu from Start menu" policy setting (in User Configuration\Administrative Templates\Start Menu and Taskbar). To hide a

ws XP Professional.

th the current user's permissions. If these permissions are not sufficient, the installation might fail, or it might complete but not include all

do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders.
le this policy, Windows Libraries features that rely on indexed file data will be disabled.If you disable or do not configure this policy, all de

op and Web view. This setting will also take precedence over the "Enable Active Desktop" setting. If both policies are enabled, Active Deskt
ows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. Also, third-party a
certification to adhere to this setting.
ndows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting do
P common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style.

etting applies to Japanese Microsoft IME only.Note: Changes to this setting will not take effect until the user logs off.

mmc.) Users also cannot open a blank MMC console window from a command prompt.If you disable this setting or do not configure it, use
tting folder and then disable the settings representing the snap-ins you want to prohibit. If a snap-in setting in the folder is enabled or not c
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.When a snap-in is pro
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
nap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this poli
prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.When a snap-in is pro
To explicitly permit use of the Group Policy tab, enable this setting. If this setting is not configured (or disabled), the Group Policy tab is in

icy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or clie
thentication method, the authentication method that you specify in this policy setting is used by default. If you disable or do not configure
rs to overwrite the "Set RD Gateway server address" policy setting and connect to another RD Gateway server, you must select the "Allow

client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. If you disable this policy setting, use

configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for t
ator to watch the session of a remote user without the user's consent. If you disable this policy setting, administrators can interact with a u
the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy
the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directo
es its time-out limit. If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified ot
mote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. If you want Remote Desktop Services to
allows sessions to remain active for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a ses
behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected sessio
e default connection URL. If you disable or do not configure this policy setting, the user has no default connection URL. Note: RemoteApp pr

setting in the Input Panel Options dialog box. If you do not configure this policy, Input Panel will provide text prediction suggestions. Users
put Panel Options dialog box. If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this b
log box. If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available.
d text. Users will not be able to configure this setting in the Input Panel Options dialog box. If you disable this policy, rarely used Chinese, Ka
ng tab in Input Panel Options. Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and
to complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setti
nput Panel Options dialog box. If you enable this policy and choose “Medium-Low” from the drop-down box, password security is se
Tolerant," users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users w

ven if this setting is Disabled or Not Configured. Note: This setting appears in the Computer Configuration and User Configuration folders. I
tting in User Configuration. Tip: This setting affects existing tasks only. To prevent users from changing the properties of newly created task

he Scheduled Tasks folder. To prevent this action, use the "Prohibit Drag-and-Drop" setting. Note: This setting appears in the Computer Con
recedence over the setting in User Configuration.
r settings in Control Panel for Windows Error Reporting are applied.

ueued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the i
nfigure this policy setting, errors are reported on all Microsoft and Windows applications by default.
ermined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the u
solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. - 3 (Send parameters and safe a

m administrator does not distribute or offer. Note: This policy setting appears both in the Computer Configuration and User Configuration
er to use media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy settings.
cure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setti

s expiration warnings” setting will have no effect, and users receive no warnings about logon hour expiration

sion, but cannot log on to a new session. Note: If you configure this setting, you might want to examine and appropriately configure the

hidden. This policy is ignored if the "Streaming media protocols" policy setting is enabled and HTTP is not selected. If you disable this policy
ticast is not selected. If you disable this policy setting, the MMS proxy server cannot be used and users cannot configure the MMS proxy setti

he RTSP proxy settings. If you do not configure this policy setting, users can configure the RTSP proxy settings.

ou enable this policy setting, the administrator must also specify the protocols that are available to users on the Network tab. If the admin

and cannot choose a different skin.If you disable or do not configure this policy setting, users can display the Player in full or skin mode an

te: This policy setting is available under both Computer Configuration and User Configuration. If both are present, the Computer Configura

er the execution events of a module or snap-in are logged. By default, the LogPipelineExecutionDetails property of all modules and snap-in
puter Configuration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it reverts to a per-mac
pact if the User Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut
ndows Update features and no notifications will be shown. 1 = Show restart required notifications. This setting will show notifications about

ml or a UNC path, such as \\Server\Share\Layout.xml. If the specified file is not available when the user logs on, the layout won't be change

ontent protected using the specified EID on the device. If you disable or do not configure this policy setting, the only Windows Runtime ap

al folder in which Work Folders stores files. By default, Work Folders is stored in the "%USERPROFILE%\Work Folders" folder. If this option
hared with Microsoft. If you do not configure this policy, Tablet PC users can choose whether or not they want to share their writing sample
r the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrus
ap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this polic

ing this policy setting does not override any "Permit use of <extension name> preference extension" policy settings that are disabled. If yo
licy setting does not override any "Permit use of <extension name> preference extension" policy settings that are disabled. If you disable th
users to the explicitly permitted list of snap-ins," "Permit use of Control Panel Settings (Computers)," or "Permit use of Control Panel Settin
to the explicitly permitted list of snap-ins," "Permit use of Control Panel Settings (Computers)," or "Permit use of Control Panel Settings (U
t users to the explicitly permitted list of snap-ins," "Permit use of Control Panel Settings (Computers)," or "Permit use of Control Panel Setti

Permit use of Control Panel Settings (Users)" policy settings.


"Restrict users to the explicitly permitted list of snap-ins," "Permit use of Control Panel Settings (Computers)," or "Permit use of Control P
rict users to the explicitly permitted list of snap-ins," "Permit use of Control Panel Settings (Computers)," or "Permit use of Control Panel S

t users to the explicitly permitted list of snap-ins," "Permit use of Control Panel Settings (Computers)," or "Permit use of Control Panel Setti

to the explicitly permitted list of snap-ins," "Permit use of Control Panel Settings (Computers)," or "Permit use of Control Panel Settings (U
"Permit use of Control Panel Settings (Users)" policy settings.

ict users to the explicitly permitted list of snap-ins," "Permit use of Control Panel Settings (Computers)," or "Permit use of Control Panel Se
rmit use of Control Panel Settings (Computers)" policy settings.

it use of Control Panel Settings (Users)" policy settings.

is not specified, the desktop is always displayed on the remote computer after the client connects to the remote computer. Note: If this po
ers running Windows Server 2008 do not display wallpaper by default to Remote Desktop Services sessions.
mit is reached, the user will reconnect to the disconnected session on the RD Session Host server. If you disable or do not configure this pol

dex is not restored.


r Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl

ions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item does not have a CP
n is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from star

ams by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the

de Add New Programs page" setting is enabled.

leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the
r" setting is disabled, this setting is ignored, and screen savers do not run.

es\Printers."
Printer Wizard only. It does not prevent users from using other programs to search for shared printers or to connect to network printers.

signature of all drivers that are downloaded from print servers. If this setting is disabled, or not configured, package point and print will no
mputers can point and print to any server. - Windows Vista computers will show a warning and an elevated command prompt when us
an use printer permissions to restrict the use of printers without specifying a setting. In the Printers folder, right-click a printer, click Prope

e the "Get Programs" page to install published programs. Enabling this feature does not prevent users from installing programs by using o
r all languages, even when handwriting personalization is available. See Tablet PC Help for more information. If you enable this policy setti

ws, unless restricted by another setting. If you do not configure this setting, the default is to display Computer as usual. Note: In operating s

r, users can select the wallpaper of their choice. Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent cha
n the remote access connection properties dialog box. Important: If the "Enable Network Connections settings for Administrators" is disabl
setting.) Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not appl
s can enable/disable LAN connections. Note: Administrators can still enable/disable LAN connections from Device Manager when this setti
d or Disabled), this setting does not apply. Note: This setting does not prevent users from using other programs, such as Internet Explorer, t

ctions. Note: When configured, this setting always takes precedence over the "Ability to rename LAN connections" and "Ability to rename
rohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit ac
on the File menu. Note: This setting takes precedence over settings that manipulate the availability of features inside the Local Area Conne
inistrators and Network Configuration Operators. The Local Area Connection Properties dialog box includes a list of the network compone
he connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties butt
g box, regardless of this setting.
Enabled to Not Configured does not restore the Make New Connection icon until the user logs off or on. When other changes to this setti

mponents in the Windows Components Wizard. The Install button opens the dialog boxes used to add network components. Clicking the U
d or not configured, this setting will not apply to administrators on post-Windows 2000 computers. If you disable this setting or do not confi

tions available to all users, but you can change the default by using the "Ability to delete all user remote access connections" setting.) Impo
bit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the check boxes for enabling and disabli
on or by using the File menu. Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass thi
on components. When these policies are set to deny access to the connection properties dialog box or Properties button for connection co
tors on post-Windows 2000 computers. If you disable this setting or do not configure it, the connection status taskbar icon and Status dial
e problem can be resolved.
Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence ove
ver hosting the offline file is reconnected to the network. Note: This setting appears in the Computer Configuration and User Configuration

s from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this se
ns, click the Offline Files tab, and then click "View Files."
able this setting. You do not have to disable any other settings in this folder.
Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option.

onfiguration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is

offline use by Group Policy. Note: This setting appears in the Computer Configuration and User Configuration folders. If both policy settings
dence over the setting in User Configuration. Tip: To change the synchronization method without changing a setting, in Windows Explorer,
erforms a quick synchronization by default, but users can change this option. This setting appears in the Computer Configuration and User

ation and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setti

ons tab, and then, in the Start Menu Settings box, click Display Logoff. Also, see "Remove Logoff" in User Configuration\Administrative Tem
folder. The system only uses this setting when neither of these related settings are selected. This setting does not clear the list of recent fi

Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the "Do not allow pinning items in Jump Lis
\User-name\Recent folder. Also, see the "Remove Recent Items menu from Start Menu" and "Clear history of recently opened documents

ng" and the "Do not use the tracking-based method when resolving shell shortcuts" policy settings.
during roaming" and the "Do not use the search-based method when resolving shell shortcuts" policy settings.

ws Vista, Windows XP SP2, Windows XP SP1, Windows XP, or Windows 2000 Professional are required to support this policy setting.

ystem administrators can create a customized Favorites menu for a user group. Note: This setting only affects the Start menu. The Favorite

e Tools menu in Internet Explorer. Also, see the "Hide the "Add programs from Microsoft" option" policy setting.
ick the Start Menu Options tab and, in the Start Menu Settings box, click Display Logoff. See also: "Remove Logoff" policy setting in User Co
ork Connections).

tting does not prevent Windows programs from displaying shortcuts to recently opened documents. See the "Do not keep history of recen

e only. It does not prevent users from using other methods to run programs. Note: It is a requirement for third-party applications with Win

ace elements only. It does not affect Internet Explorer and does not prevent the user from using other methods to search. If you disable or

2000 Professional and Windows XP Professional display folders on both sections of the Start menu.

Menus" option.

he background. No reboots or service restarts are required for this policy setting to take effect.

at is, 1930 to 1999. If you disable or do not configure this policy setting, Windows does not interpret two-digit year formats using this schem
perties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path.
ser Configuration. Tip: To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then
setting. Note: To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the applicatio
both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.

y setting. Note: To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the applica
ws Update" setting. If the "Remove links and access to Windows Update" setting is enabled, the links to Windows Update on the Start men
cess in which programs run.
files. As a result, the installation stops, and none of the files in the driver package are installed. To change driver file security without speci

k or server holding the redirected files becomes unavailable. Note: If one or more valid folder GUIDs are specified in the policy setting "Do

ed folder is changed and Folder Redirection is configured to move the content to the new location, Windows copies the contents of the loc
figure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user logs on to. Note: If
cy redirection policy already deployed for these folders in your existing localized environment.
ct Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain. Note: To change the PDC Operation
d to be fast. If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second. This setting appea

mputer Configuration\Administrative Templates\System\GroupPolicy.


d. Note: To find the "Show Policies Only" command, in Group Policy Object Editor, click the Administrative Templates folder (either one), rig

(the default). To specify that Group Policy for users should never be updated while the computer is in use, select the "Turn off backgroun
oup Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled.

e machine level, it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy
t Configured at the computer level, then restrictions will be based on per-User policies. To set this policy on a per-user basis, make sure tha
mputer, unless restricted by the "Disallow selection of Custom Locales" policy setting. If this policy setting is enabled at the computer level
create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. Also, see the "Do not pr
see the "Do not process the legacy run list" policy setting.
d, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User C
C: C.ps1, C.cmd For Tamara, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order fo
ARE% stores the fully qualified path to the home directory (such as \\server\share\dir1\dir2\homedir). Users can access the home director
istory, Local Settings, Temp, and Temporary Internet Files folders are excluded from the user's roaming profile by default. If you enable thi
to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from logging off. Instead, if the user has a roaming
data\Roaming, Start Menu, and Documents. You should suspend only the subfolders of these parent folders.

policy setting, Windows sets the default risk level to moderate. If you do not configure this policy setting, Windows sets the default risk lev

ou do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type.

Vista behavior of automatically executing the autorun command. If you disable or do not configure this policy setting, Windows Vista or
configure this policy setting, AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User Con
res. Or, it might appear to complete successfully, but the installed program might not operate correctly.If you disable this setting or do no
e target file in the current target path.
e characteristics.If you disable or do not configure this policy setting, all drives are displayed, or select the "Do not restrict drives" option in

k resources, use the "No Entire Network in Network Locations" policy setting.
party applications with Windows 2000 or later certification to adhere to this setting.
er Internet search links. The first several links will also be pinned to the Start menu. A total of four links can be pinned on the Start menu.
et search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. The first sever
work drives. And, it does not prevent them from using the Disk Management snap-in to view and change drive characteristics. Also, see the

Menu and Taskbar). To hide all context menus, use the "Remove File Explorer's default context menu" policy setting.

ht complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctl

a limited set of folders.


ot configure this policy, all default Windows Libraries features will be enabled.

cies are enabled, Active Desktop is disabled. Also, see the "Disable Active Desktop" setting in User Configuration\Administrative Templates
g box style. Also, third-party applications with Windows 2000 or later certification are required to adhere to this policy setting.

ox style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applicati

tting or do not configure it, users can enter author mode and open author-mode console files.
n the folder is enabled or not configured, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Sna
of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting
ermitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console
ed), the Group Policy tab is inaccessible. -- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users

address" policy setting, or client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote
ou disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an au
er, you must select the "Allow users to change this setting" check box and users will be allowed to specify an alternate RD Gateway server.

disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP sessio

ination of the list defined for the computer and the list defined for the user.This policy setting overrides the behavior of the "Allow .rdp file
nistrators can interact with a user's Remote Desktop Services session, with the user's consent.
use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver canno
ed path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory
ut session, even if specified otherwise by the server administrator.If you do not configure this policy setting, Remote Desktop Services disc
t Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Com
nd instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administr
e session, disconnected session time limits do not apply.If you disable or do not configure this policy setting, this policy setting is not speci
tion URL.Note: RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can comp

prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and W
as in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.Ca
here this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.
policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed
text entry areas" policy and the "Prevent Input Panel tab from appearing" policy, and disable the "Show Input Panel taskbar ico
l be able to configure this setting on the Text completion tab in Input Panel Options.
n box, password security is set to "Medium-Low." At this setting, when users enter passwords from Input Panel they use the on-scree
s XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this policy an

d User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in U
operties of newly created tasks, use the "Remove Advanced Menu" setting.

g appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configura
ck reminders determines the interval time between the display of system notifications that remind the user to check for solutions to prob

y, and Windows prompts the user for consent to send any additional data that is requested by Microsoft.- Send all data: any error reportin
3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an ex

ation and User Configuration folders. To make this policy setting effective, you must enable it in both folders.Caution: Skilled users can tak
olicy settings.
ble, do not use this policy setting unless it is essential.This policy setting appears in the Computer Configuration and User Configuration fol

appropriately configure the "Remove logon hours expiration warnings" setting

cted.If you disable this policy setting, the HTTP proxy server cannot be used and the user cannot configure the HTTP proxy.If you do not co
t configure the MMS proxy settings.If you do not configure this policy setting, users can configure the MMS proxy settings.

the Network tab. If the administrator does not specify any protocols, the Player cannot access an MMS or RTSP URL from a Windows Med

e Player in full or skin mode and have access to all available features of the Player.

sent, the Computer Configuration version of this policy setting takes precedence.

erty of all modules and snap-ins is set to False. To add modules and snap-ins to the policy setting list, click Show, and then type the mo
setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed."
splay 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy setting is enabled.
g will show notifications about restarts that are required to complete an installation.On Windows 8 and Windows RT, if this policy is Enable

n, the layout won't be changed. Users cannot customize their Start screen while this setting is enabled.If you disable this setting or do not

the only Windows Runtime applications that can revoke access to all enterprise-protected content on the device are Windows Mail and th

Folders" folder. If this option is not specified, users must use the Work Folders Control Panel item on their computers to set up Work Fold
t to share their writing samples from the handwriting recognition personalization tool with Microsoft.
ed vulnerabilities from untrusted sources, reducing the associated risk.
f this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "

settings that are disabled. If you disable this policy setting, you prohibit use of preference extensions under Control Panel Settings for Comp
t are disabled. If you disable this policy setting, you prohibit use of preference extensions under Control Panel Settings for User Configurati
mit use of Control Panel Settings (Users)," policy settings.
se of Control Panel Settings (Users)," policy settings.
ermit use of Control Panel Settings (Users)," policy settings.

)," or "Permit use of Control Panel Settings (Users)," policy settings.


"Permit use of Control Panel Settings (Users)," policy settings.

ermit use of Control Panel Settings (Users)," policy settings.

se of Control Panel Settings (Users)," policy settings.

Permit use of Control Panel Settings (Users)," policy settings.

mote computer. Note: If this policy setting is enabled, then the "Start a program on connection" policy setting is ignored.

ble or do not configure this policy setting, when a user closes the last RemoteApp program, the session will be disconnected from the RD Se
ed, for example timedate.cpl or inetcpl.cpl. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then

Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification num
Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows

ffered on the desktop or on the Start menu.If you disable this setting or do not configure it, "Add programs from your network" is available

ows RT, you cannot apply the Windows Classic visual style.

connect to network printers.

package point and print will not be restricted to specific print servers.
ed command prompt when users create a printer connection to any server using Point and Print. -Windows Vista computers will show
ight-click a printer, click Properties, and then click the Security tab. If this policy is disabled, or not configured, users can add printers

installing programs by using other methods. Users will still be able to view and install assigned (partially installed) programs that are off
n. If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Pa

r as usual.Note: In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer

location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel.Note: This setting do
s for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.If you do
ured, this setting will not apply to administrators on post-Windows 2000 computers.If you do not configure this setting, only Administrato
evice Manager when this setting is disabled.
ms, such as Internet Explorer, to bypass this setting.

tions" and "Ability to rename all user remote access connections" settings.Note: This setting does not prevent users from using other prog
ed configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components fo
es inside the Local Area Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a LAN con
a list of the network components that the connection uses. To view or change the properties of a component, click the name of the compo
d then click the Properties button beneath the component list.Note: Not all network components have configurable properties. For compo

hen other changes to this setting are applied, the icon does not appear or disappear in the Network Connections folder until the folder is re

rk components. Clicking the Uninstall button removes the selected component in the components list (above the button).The Install and U
able this setting or do not configure it, a Properties menu item appears when any user right-clicks the icon representing a private remote a

ess connections" setting.)Important: When enabled, this setting takes precedence over the "Ability to delete all user remote access connec
boxes for enabling and disabling the components of a LAN connection.Note: Nonadministrators are already prohibited from enabling or di
nternet Explorer, to bypass this setting.
erties button for connection components, users cannot gain access to the Advanced button for TCP/IP configuration.Note: Nonadministrat
us taskbar icon and Status dialog box are available to all users.

uration takes precedence over the setting in User Configuration.Tip: To configure this setting without establishing a setting, in Windows Ex
ration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the se

m actions established via this setting.Tip: To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, c

y ... minutes" option.

Available Offline" command is unavailable for all specified files and folders.The "Make Available Offline" command is called "Always availa

folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use.
setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offlin
puter Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes preceden

akes precedence over the setting in User Configuration.Tip: To display or hide reminder balloons without establishing a setting, in Window

figuration\Administrative Templates\System\Logon/Logoff.
es not clear the list of recent files that Windows programs display at the bottom of the File menu. See the "Do not keep history of recently

allow pinning items in Jump Lists" policy setting.


of recently opened documents on exit" policies in this folder.If you enable this setting but do not enable the "Remove Recent Items menu

port this policy setting.

s the Start menu. The Favorites item still appears in File Explorer and in Internet Explorer.

ogoff" policy setting in User Configuration\Administrative Templates\System\Logon/Logoff.


"Do not keep history of recently opened documents" setting. This setting also does not hide document shortcuts displayed in the Open dia

d-party applications with Windows 2000 or later certification to adhere to this setting.

ods to search. If you disable or do not configure this policy setting, the Search link is available from the Start menu.

t year formats using this scheme for the program.


em variables box, click Path.
oint to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this
ue column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe).
er Configuration.

Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe).
ows Update on the Start menu are also removed. Note: If you have installed Windows XP Service Pack 1 or the update to Automatic Updat
ver file security without specifying a setting, use System in Control Panel. Right-click My Computer, click Properties, click the Hardware tab

ified in the policy setting "Do not automatically make specific redirected folders available offline", that setting will override the configured

copies the contents of the local cache to the new network location, then deletes the content from the old network location.
at the user logs on to. Note: If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuratio

To change the PDC Operations Master for a domain, in Active Directory Users and Computers, right-click a domain, and then click "Operati
per second. This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defi

mplates folder (either one), right-click the same folder, and then point to "View." In Group Policy Object Editor, preferences have a red ico

elect the "Turn off background refresh of Group Policy" setting. This setting also lets you specify how much the actual update interval varie

hine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based o
per-user basis, make sure that the per-computer policy is set to Not Configured.
enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-use
tting. Also, see the "Do not process the run once list" policy setting.

ograms specified in the User Configuration setting. Also, see the "Do not process the legacy run list" and the "Do not process the run on
C run in the following order for Tamara: Within GPO B: B.cmd, B.ps1. Within GPO C: C.cmd, C.ps1. Note: This policy setting determines the or
can access the home directory and any of its subdirectories from the home drive letter, but they cannot see or access its parent directorie
file by default. If you enable this policy setting, you can exclude additional folders. If you disable this policy setting or do not configure it, onl
tead, if the user has a roaming user profile, Windows will not synchronize the user's profile with the roaming profile server if the maximum

ndows sets the default risk level to moderate.

er the file type.

olicy setting, Windows Vista or later will prompt the user whether autorun command is to be run.
er Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes preceden
u disable this setting or do not configure it, the "Install Program As Other User" dialog box appears whenever users install programs locall

Do not restrict drives" option in the drop-down list. Also, see the "Prevent access to drives from My Computer" policy setting.

e pinned on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search
net search links. The first several links will also be pinned to the Start menu. A total of four links can be included on the Start menu. The "S
ve characteristics. Also, see the "Hide these specified drives in My Computer" setting.

am might not operate correctly. Note: If it is enabled, the "Do not request alternate credentials" setting takes precedence over this setting.
tion\Administrative Templates\Desktop\Active Desktop and the "Do not allow Folder Options to be opened from the Options button on th
to this policy setting.

ement for third-party applications with Windows 2000 or later certification to adhere to this setting.

ppear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console
hibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any sn
when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
abled or not configured, users will have access to the Group Policy tab. To explicitly prohibit use of the Group Policy tab, disable this setti

onnect directly to the remote computer. To enhance security, it is also highly recommended that you specify the authentication method b
sed, if one is specified. If an authentication method is not specified, the NTLM protocol that is enabled on the client or a smart card can be
alternate RD Gateway server. Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, o

ers cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an

behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. If the list contains a string that is not a
Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. Note: If the "Do not allo
h its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD S
Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. Note: This policy setting only applie
nfigure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote D
puter Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Tim
this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services disconnected sessions are maintained f
an untrusted server can compromise the security of a user's account.

l Options in Windows 7 and Windows Vista.


g tab in Input Panel Options. Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and

dwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. If you do not confi
“Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel.

ut Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tap
If you enable this policy and choose “None,” users will be able to use both the tolerant scratch-out gestures and the Z-shaped scr

ecedence over the setting in User Configuration.

setting in Computer Configuration takes precedence over the setting in User Configuration.
to check for solutions to problems. A value of 0 disables the reminder. If you disable or do not configure this policy setting, Windows Error

nd all data: any error reporting data requested by Microsoft is sent automatically. If this policy setting is disabled or not configured, then t
ata required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain p

s. Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent acce

on and User Configuration folders. If the policy setting is enabled in either folder, it is considered to be enabled, even if it is explicitly disabled

he HTTP proxy. If you do not configure this policy setting, users can configure the HTTP proxy settings.
proxy settings.

TSP URL from a Windows Media server. If the "Hide network tab" policy setting is enabled, the entire Network tab is hidden. If you do not

k Show, and then type the module names in the list. The modules and snap-ins in the list must be installed on the computer. Note: Thi
dows RT, if this policy is Enabled, then only notifications related to restarts and the inability to detect updates will be shown. The notificati

u disable this setting or do not configure it, the Start screen layout won't be changed and users will be able to customize it.

evice are Windows Mail and the user-selected mailto protocol handler app. Any other Windows Runtime application will only be able to r

omputers to set up Work Folders. If this policy setting is disabled or not configured, no Work Folders settings are specified for the affecte

ibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap

ontrol Panel Settings for Computer Configuration. Disabling this policy setting overrides any "Permit use of <extension name> preference
el Settings for User Configuration. Disabling this policy setting overrides any "Permit use of <extension name> preference extension" policy
g is ignored.

e disconnected from the RD Session Host server but it is not logged off. Note: This policy setting appears in both Computer Configuration a
ontains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-

ng resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personaliza
e "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored.

om your network" is available to all users. Note: If the "Hide Add New Programs page" setting is enabled, this setting is ignored.

dows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be upda
gured, users can add printers using the methods described above.

nstalled) programs that are offered on the desktop or on the Start menu. If this setting is disabled or is not configured, the "Install a progra
figure this setting in Control Panel. If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setti

mputer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navig

trol Panel. Note: This setting does not apply to remote desktop server sessions.
dows 2000 computers. If you do not configure this setting, only Administrators and Network Configuration Operators can change propertie
this setting, only Administrators and Network Configuration Operators can delete all user remote access connections. Important: When en

nt users from using other programs, such as Internet Explorer, to rename remote access connections.
and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enablin
rties dialog box for a LAN connection is available to users. Note: Nonadministrators have the right to view the properties dialog box for a c
t, click the name of the component, and then click the Properties button beneath the component list. Note: Not all network components h
gurable properties. For components that are not configurable, the Properties button is always disabled. Note: When the "Ability to change

ons folder until the folder is refreshed. Note: This setting does not prevent users from using other programs, such as Internet Explorer, to b

e the button).The Install and Uninstall buttons appear in the properties dialog box for connections. These buttons are on the General tab f
presenting a private remote access connection. Also, when any user selects the connection, Properties appears on the File menu. Note: Th

all user remote access connections" setting. Users cannot delete any remote access connections, and the "Ability to delete all user remot
prohibited from enabling or disabling components for a LAN connection, regardless of this setting.

uration. Note: Nonadministrators (excluding Network Configuration Operators) do not have permission to access TCP/IP advanced configu

ishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an
takes precedence over the setting in User Configuration.

Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click Advanced. This setting corresponds to the settin

mmand is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, W

be available for offline use.


lect the "Synchronize all offline files before logging off" option.
Configuration takes precedence over the setting in User Configuration. Tip: To change the synchronization method without setting a settin

ablishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting correspo
o not keep history of recently opened documents" setting. This policy setting also does not hide document shortcuts displayed in the Open

"Remove Recent Items menu from Start Menu" setting, the Recent Items menu appears on the Start menu, but it is empty. If you enable th
cuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting.

a setting, clear the "Show this screen at startup" check box on the welcome screen.

he update to Automatic Updates that was released after Windows XP was originally shipped, then you should use the new Automatic Upd
perties, click the Hardware tab, and then click the Driver Signing button.

ng will override the configured value of "Do not automatically make all redirected folders available offline".

network location.
on, the Computer Configuration policy setting takes precedence.

omain, and then click "Operations Masters."


n Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a

or, preferences have a red icon to distinguish them from true settings, which have a blue icon.

he actual update interval varies. To prevent clients with the same update interval from requesting updates simultaneously, the system var

vel, restrictions will be based on per-user policy settings. To set this policy setting on a per-user basis, make sure that you do not configure

he computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per

e "Do not process the run once list" settings.


olicy setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setti
e or access its parent directories. %HOMEPATH% stores a final backslash and is included for compatibility with earlier systems.
tting or do not configure it, only the default folders are excluded. Note: You cannot use this policy setting to include the default folders in a
profile server if the maximum profile size limit specified here is exceeded.

Configuration takes precedence over the policy setting in User Configuration.


er users install programs locally on the computer. By default, users are not prompted for alternate logon credentials when installing progra

r" policy setting.

via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If
ded on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the In

s precedence over this setting. When that setting is enabled, users are not prompted for alternate logon credentials on any installation.
from the Options button on the View tab of the ribbon" setting in User Configuration\Administrative Templates\Windows Components\Fi

ohibited snap-in, the console file opens, but the prohibited snap-in does not appear. Note: If you enable this setting, and you do not enabl
nfigured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If
ed snap-in does not appear.
up Policy tab, disable this setting. If this setting is not configured (or enabled), the Group Policy tab is accessible. When the Group Policy tab

y the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication
e client or a smart card can be used for authentication.
the client, using an RDP file, or using an HTML script. If users do not specify an alternate RD Gateway server, the server that you specify in

e. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. Note: You can define this po

t contains a string that is not a certificate thumbprint, it is ignored.


ession. Note: If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver firs
e of a valid directory, the RD Session Host server connection fails with an error message. If the status is set to Enabled, Remote Desktop Se
This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out
e Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. Note: This policy setting a
sktop Session Host\Session Time Limits\End session when time limits are reached. Note: This policy setting appears in both Computer Confi
cted sessions are maintained for an unlimited amount of time. Note: This policy setting appears in both Computer Configuration and User

ext entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon

dialog box. If you do not configure this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results w

cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this p
gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. If
policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs.

bled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data.
probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Micr

eges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaran

d, even if it is explicitly disabled in the other folder.

rk tab is hidden. If you do not configure this policy setting, users can select the protocols to use on the Network tab. If you disable this polic

n the computer. Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor.
es will be shown. The notification options are not supported. Notifications on the login screen will always show up.

o customize it.

plication will only be able to revoke access to content it protected. Note: File revocation applies to all content protected under the same s

gs are specified for the affected users, though users can manually set up Work Folders by using the Work Folders Control Panel item.

figured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If t

extension name> preference extension" policy settings. If you do not configure this policy setting, you permit use of preference extensions
> preference extension" policy settings. If you do not configure this policy setting, you permit use of preference extensions under Control P
oth Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting take
for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be

hemecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by search

s setting is ignored.

ection driver needs to be updated. -Windows Server 2003 and Windows XP client computers can create a printer connection to any se

onfigured, the "Install a program from the network" task to the "Get Programs" page will be available to all users. Note: If the "Hide Progra
nnot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is

For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled.
perators can change properties of all-user remote access connections. Note: This setting takes precedence over settings that manipulate th
nections. Important: When enabled, the "Prohibit deletion of remote access connections" setting takes precedence over this setting. Users

connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access con
e properties dialog box for a connection but not to make changes, regardless of this setting.
Not all network components have configurable properties. For components that are not configurable, the Properties button is always disab
: When the "Ability to change properties of an all user remote access connection" or "Prohibit changing properties of a private remote acc

such as Internet Explorer, to bypass this setting.

ttons are on the General tab for LAN connections and on the Networking tab for remote access connections. Note: When the "Prohibit acc
ars on the File menu. Note: This setting takes precedence over settings that manipulate the availability of features in the Remote Access C

Ability to delete all user remote access connections" setting is ignored. Note: LAN connections are created and deleted automatically when

cess TCP/IP advanced configuration for a LAN connection, regardless of this setting. Tip: To open the Advanced TCP/IP Setting dialog box, i

k Advanced, and then select an option in the "When a network connection is lost" section. Also, see the "Non-default server disconnect acti

tting corresponds to the settings in the "Exception list" section.

08 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. This policy setting does not prevent files from being automatically

ethod without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select th

Files tab. This setting corresponds to the "Enable reminders" check box.
hortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. This policy also does not clear items that

but it is empty. If you enable this setting, but then later disable it or set it to Not Configured, the document shortcuts saved before the setti
d use the new Automatic Updates settings located at: 'Computer Configuration / Administrative Templates / Windows Update'
User Configuration defines a slow link for settings in the User Configuration folder. Also, see the "Do not detect slow network connections

imultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random

ure that you do not configure the per-machine policy setting.

, restrictions are based on per-user policies.


ou can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: Us
h earlier systems.
nclude the default folders in a roaming user profile.
entials when installing programs from a network share. If enabled, this setting overrides the "Request credentials for network installations

link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link w
oup Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a cust

dentials on any installation.


tes\Windows Components\File Explorer.

setting, and you do not enable any settings in the Restricted/Permitted snap-ins folder, users cannot use any MMC snap-ins.
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do

n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
n, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it do
ble. When the Group Policy tab is inaccessible, it does not appear in the site, domain, or organizational unit property sheets.

not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card ca

, the server that you specify in this policy setting is used by default. Note: If you disable or do not configure this policy setting, but enable t

d. Note: You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this polic
op Easy Print printer driver first" policy setting is ignored.
Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the prog
ng does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configu
ched. Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the C
ppears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy s
puter Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes preced

Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel.

cluded in recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text con

dialog box. If you enable this policy and choose “Medium” from the drop-down box, password security is set to “Medium.” At th
anel Options dialog box. If you disable this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scra
that a problem occurs.

ding data.
tional data requested by Microsoft. - 4 (Send all data): Any data requested by Microsoft is sent automatically. If you disable or do not config

his policy setting is not guaranteed to be secure.

ork tab. If you disable this policy setting, the Protocols for MMS URLs and Multicast streams areas of the Network tab are not available and

tion in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
nt protected under the same second level domain as the provided enterprise identifier. So, revoking an enterprise ID of mail.contoso.com

ders Control Panel item.

disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does

t use of preference extensions under Control Panel Settings for Computer Configuration unless restricted by the "Restrict users to the expl
ce extensions under Control Panel Settings for User Configuration unless restricted by the "Restrict users to the explicitly permitted list of
nfiguration policy setting takes precedence.
nical and module names can be found in MSDN by searching "Control Panel items". If both the "Hide specified Control Panel items" setting

n be found in MSDN by searching "Control Panel items". If both the "Hide specified Control Panel items" setting and the "Show only specifi

a printer connection to any server in their forest using Point and Print. If you disable this policy setting: -Windows Vista client co

sers. Note: If the "Hide Programs Control Panel" setting is enabled, this setting is ignored.
handwriting personalization is turned on. If you do not configure this policy, users can choose to enable or disable automatic learning eithe

ven if this setting is enabled.


er settings that manipulate the availability of features inside the Remote Access Connection Properties dialog box. If this setting is disabled
edence over this setting. Users (including administrators) cannot delete any remote access connections, and this setting is ignored. Note: L

an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote

operties button is always disabled. Note: When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocke
perties of a private remote access connection" settings are set to deny access to the Remote Access Connection Properties dialog box, the

. Note: When the "Prohibit access to properties of a LAN connection", "Ability to change properties of an all user remote access connection
atures in the Remote Access Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a rem

d deleted automatically when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a

ed TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access conn

-default server disconnect actions" setting.

files from being automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make A

ne Files tab, and then select the "Synchronize all offline files before logging on" option.
also does not clear items that the user may have pinned to the Jump Lists, or Tasks that the application has provided for their menu. See t

hortcuts saved before the setting was enabled reappear in the Recent Items menu and program File menus, and Jump Lists. This setting do
Windows Update'
ect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the

umber you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system sele
policy settings for the GPO: User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\LogonUser Configuration\Policies\Windo
ntials for network installations" setting.

vider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Internet/intrane
disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be
y MMC snap-ins.
n a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that inclu
property sheets.

on the client or a smart card can be used. To allow users to overwrite this policy setting, select the "Allow users to change this setting" chec

his policy setting, but enable the "Enable connections through RD Gateway" policy setting, client connection attempts to any remote comp

ode. If you configure this policy setting for the computer, all users on the computer are affected.
Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. If the s
ears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes pre
settings are configured, the Computer Configuration policy setting takes precedence.
mputer Configuration policy setting takes precedence.
on policy setting takes precedence.

s setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista).

is set to “Medium.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin sw
gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. If y
. If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in C

work tab are not available and the Player cannot receive an MMS or RTSP stream from a Windows Media server.

onfiguration policy setting.


rprise ID of mail.contoso.com will revoke the user’s access to all content protected under the contoso.com hierarchy.

a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that include

the "Restrict users to the explicitly permitted list of snap-ins" policy setting or any "Permit use of <extension name> preference extension
the explicitly permitted list of snap-ins" policy setting or any "Permit use of <extension name> preference extension" policy settings.
d Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Pan

tting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored

-Windows Vista client computers can create a printer connection to any server using Point and Print. -Windows Vista computer
sable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. This policy settin
g box. If this setting is disabled, nothing within the properties dialog box for a remote access connection will be available to users. Note: Th
this setting is ignored. Note: LAN connections are created and deleted automatically by the system when a LAN adapter is installed or rem

", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disco

g is enabled, users are blocked from accessing the Properties button for LAN connection components. Note: Network Configuration Opera
on Properties dialog box, the Properties button for remote access connection components is blocked. Note: This setting does not prevent

user remote access connection", or "Prohibit changing properties of a private remote access connection" settings are set to deny access to
roperties dialog box for a remote access connection will be available to users. Note: This setting does not prevent users from using other p

ns folder to create or delete a LAN connection. Note: This setting does not prevent users from using other programs, such as Internet Explo

erties. For remote access connections, click the Networking tab. In the "Components checked are used by this connection" box, click Inter

cts the display of the "Make Available Offline" command in File Explorer. If the "Remove 'Make Available Offline' command" policy setting
provided for their menu. See the "Do not allow pinning items in Jump Lists" setting.

and Jump Lists. This setting does not hide or prevent the user from pinning files, folders, or websites to the Jump Lists. See the "Do not allo
stem\User Profile. Note: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP

pe 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely th
Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff This policy setting appears in the Computer Configuration and Use
ween pinned Internet/intranet links and pinned Search Connectors/Libraries. Search Connector/Library links take precedence over Intern
Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Search Connectors/Lib
opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.

rs to change this setting" check box. When you do this, users on the client can choose not to connect through the RD Gateway server by se

attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. If an RD Gateway server is specifi
ectory for the program. If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unle
onfiguration setting takes precedence.

en keyboard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able
nel Options dialog box. If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures and the Z-sh
hose specified by the user in Control Panel, or in the Configure Default Consent policy setting.
m hierarchy.

ens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.

name> preference extension" policy settings.


tension" policy settings.
how only specified Control Panel items" setting is ignored. Note: The Display Control Panel item cannot be hidden in the Desktop context m

Panel items" setting is ignored. Note: The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. T

-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any se
opt-in dialog. This policy setting is related to the "Turn off handwriting personalization" policy setting. Note: The amount of stored ink is lim
be available to users. Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting
AN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection. Note: This settin

Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the

Network Configuration Operators only have permission to change TCP/IP properties. Properties for all other components are unavailable
This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.

ttings are set to deny access to the connection properties dialog box, the Install and Uninstall buttons for connections are blocked. Note: No
vent users from using other programs, such as Internet Explorer, to bypass this setting.

ograms, such as Internet Explorer, to bypass this setting.

his connection" box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button. Note: Changing this se

ffline' command" policy setting is enabled, this setting has no effect.


ump Lists. See the "Do not allow pinning items in Jump Lists" setting. This policy also does not hide Tasks that the application has provided
profile server does not have IP connectivity, the SMB timing is used.

ange and makes it less likely that client requests overlap. However, updates might be delayed significantly. Important: If the "Turn off back
mputer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the setting s
s take precedence over Internet/intranet search links. If you enable this policy setting, the specified Internet sites will appear in the "Search
pinned Search Connectors/Libraries and pinned Internet/intranet search links. Search Connector/Library links take precedence over Inter
es not appear.

h the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configurin

n RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server.
tart with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templa

tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this policy and choose to “M
atch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Opti
dden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the com

xt menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use

a printer connection to any server using Point and Print. -Windows Vista computers will not show a warning or an elevated comman
he amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached an
Explorer, to bypass this setting.
N connection. Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.

ction", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Re

components are unavailable to these users. Note: Nonadministrators are already prohibited from accessing properties of components for

nections are blocked. Note: Nonadministrators are already prohibited from adding and removing connection components, regardless of th

d button. Note: Changing this setting from Enabled to Not Configured does not enable the Advanced button until the user logs off.
t the application has provided for their Jump List. This setting does not hide document shortcuts displayed in the Open dialog box. See the
mportant: If the "Turn off background refresh of Group Policy" setting is enabled, this setting is ignored. Note: This setting establishes the u
precedence over the setting set in User Configuration.
sites will appear in the "Search again" links and the Start menu links. If you disable or do not configure this policy setting, no custom Intern
ks take precedence over Internet/intranet search links. If you enable this policy setting, the specified Libraries or Search Connectors will ap
nnection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection meth

eway server.
uration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) Note: This setting appears in both Computer

his policy and choose to “Medium-High” from the drop-down box, password security is set to “Medium-High.” At this setting, w
estures tab in Input Panel Options.
users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead.

omputer's display settings use the "Disable Display Control Panel" setting instead.

rning or an elevated command prompt when an existing printer connection driver needs to be updated. -Windows Server 2003 and W
en these limits are reached and new data is collected, old data is deleted to make room for more recent data. Note: Handwriting personali
r, to bypass this setting.

ns", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection

properties of components for a LAN connection, regardless of this setting.

components, regardless of this setting.

ntil the user logs off.


n the Open dialog box. See the "Hide the dropdown list of recent files" setting. Note: It is a requirement for third-party applications with Wi
This setting establishes the update rate for user Group Policies. To set an update rate for computer Group Policies, use the "Group Policy
olicy setting, no custom Internet search sites will be added to the "Search again" links or the Start menu links.
s or Search Connectors will appear in the "Search again" links and the Start menu links. If you disable or do not configure this policy setting
not specify a connection method, the connection method that you specify in this policy setting is used by default. If you disable or do not c
ng appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting ov

um-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is al
-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. -The "
a. Note: Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers.
tatus for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows XP Profe
hird-party applications with Windows 2000 or later certification to adhere to this setting.
Policies, use the "Group Policy refresh interval for computers" setting (located in Computer Configuration\Administrative Templates\System
ot configure this policy setting, no Libraries or Search Connectors will appear in the "Search again" links or the Start menu links.
ault. If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD
puter Configuration setting overrides.

by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to config
ng Point and Print. -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and
ssional and Windows XP Professional behave the same for administrators. If you disable this setting or do not configure it, Windows XP setti
ministrative Templates\System\Group Policy). Tip: Consider notifying users that their policy is updated periodically so that they recognize
that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection
Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this policy and choose “High” from t
y to Windows Server 2003 and Windows XP SP1 (and later service packs).
t configure it, Windows XP settings that existed in Windows 2000 will not apply to administrators. Note: This setting is intended to be used
dically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers brie
y the user, a client connection attempt will be made through that RD Gateway server.
and choose “High” from the drop-down box, password security is set to “High.” At this setting, when users enter passwords from
setting is intended to be used in a situation in which the Group Policy object that these settings are being applied to contains both Window
top is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the program
en users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel doe
plied to contains both Windows 2000 Professional and Windows XP Professional computers, and identical Network Connections policy be
as those that limit the programs a user can run, might interfere with tasks in progress.
allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input
etwork Connections policy behavior is required between all Windows 2000 Professional and Windows XP Professional computers.
figure this setting in the Input Panel Options dialog box. If you disable this policy, password security is set to “Medium-High.” At this
ofessional computers.
“Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switc
keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able
tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. If you do not configure this policy, password
onfigure this policy, password security is set to ΓÇ£Medium-HighΓÇ¥ by default. At this setting, when users enter passwords from Input Pa
enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display
Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input
g on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista.Caution: If you lower password security settings, people wh
rd security settings, people who can see the userΓÇÖs screen might be able to see their passwords.
Policy Path
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer\Accelerators
Windows Components\Internet Explorer\Accelerators
Windows Components\Internet Explorer\Accelerators
Windows Components\Internet Explorer\Accelerators
Windows Components\Internet Explorer\Application C
Windows Components\Internet Explorer\Application C
Windows Components\Internet Explorer\Application C
Windows Components\Internet Explorer\Browser me
Windows Components\Internet Explorer\Compatibilit
Windows Components\Internet Explorer\Compatibilit
Windows Components\Internet Explorer\Compatibilit
Windows Components\Internet Explorer\Compatibilit
Windows Components\Internet Explorer\Compatibilit
Windows Components\Internet Explorer\Compatibilit
Windows Components\Internet Explorer\Compatibilit
Windows Components\Internet Explorer\Corporate S
Windows Components\Internet Explorer\Delete Brows
Windows Components\Internet Explorer\Delete Brows
Windows Components\Internet Explorer\Delete Brows
Windows Components\Internet Explorer\Delete Brows
Windows Components\Internet Explorer\Delete Brows
Windows Components\Internet Explorer\Delete Brows
Windows Components\Internet Explorer\Delete Brows
Windows Components\Internet Explorer\Delete Brows
Windows Components\Internet Explorer\Delete Brows
Windows Components\Internet Explorer\Delete Brows
Windows Components\Internet Explorer\Delete Brows
Windows Components\Internet Explorer\Delete Brows
Windows Components\Internet Explorer\Delete Brows
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Con
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Cont
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Contr
Windows Components\Internet Explorer\Internet Sett
Windows Components\Internet Explorer\Internet Sett
Windows Components\Internet Explorer\Internet Sett
Windows Components\Internet Explorer\Internet Sett
Windows Components\Internet Explorer\Internet Sett
Windows Components\Internet Explorer\Internet Sett
Windows Components\Internet Explorer\Internet Sett
Windows Components\Internet Explorer\Internet Set
Windows Components\Internet Explorer\Internet Set
Windows Components\Internet Explorer\Internet Set
Windows Components\Internet Explorer\Internet Setti
Windows Components\Internet Explorer\Internet Setti
Windows Components\Internet Explorer\Privacy
Windows Components\Internet Explorer\Privacy
Windows Components\Internet Explorer\Privacy
Windows Components\Internet Explorer\Privacy
Windows Components\Internet Explorer\Privacy
Windows Components\Internet Explorer\Privacy
Windows Components\Internet Explorer\Privacy
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fe
Windows Components\Internet Explorer\Security Fe
Windows Components\Internet Explorer\Security Fe
Windows Components\Internet Explorer\Security Fe
Windows Components\Internet Explorer\Security Fe
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Featu
Windows Components\Internet Explorer\Security Featu
Windows Components\Internet Explorer\Security Featu
Windows Components\Internet Explorer\Security Featu
Windows Components\Internet Explorer\Security Featu
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Featu
Windows Components\Internet Explorer\Security Featu
Windows Components\Internet Explorer\Security Featu
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Featu
Windows Components\Internet Explorer\Security Featu
Windows Components\Internet Explorer\Security Featu
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Featur
Windows Components\Internet Explorer\Security Featur
Windows Components\Internet Explorer\Security Featur
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Feat
Windows Components\Internet Explorer\Security Featu
Windows Components\Internet Explorer\Security Featu
Windows Components\Internet Explorer\Security Featu
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Policy Setting Name
Add a specific list of search providers to the user's list of search providers
Allow Internet Explorer 8 shutdown behavior
Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar
Automatically activate newly installed add-ons
Customize user agent string
Disable Automatic Install of Internet Explorer components
Disable changing Automatic Configuration settings
Disable changing connection settings
Disable changing secondary home page settings
Disable Import/Export Settings wizard
Disable Periodic Check for Internet Explorer software updates
Disable showing the splash screen
Disable software update shell notifications on program launch
Do not allow users to enable or disable add-ons
Enforce full-screen mode
Install new versions of Internet Explorer automatically
Make proxy settings per-machine (rather than per-user)
Pop-up allow list
Prevent "Fix settings" functionality
Prevent access to Internet Explorer Help
Prevent bypassing SmartScreen Filter warnings
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from t
Prevent changing pop-up filter level
Prevent changing proxy settings
Prevent changing the default search provider
Prevent configuration of how windows open
Prevent configuration of new tab creation
Prevent Internet Explorer Search box from appearing
Prevent managing pop-up exception list
Prevent managing SmartScreen Filter
Prevent managing the phishing filter
Prevent participation in the Customer Experience Improvement Program
Prevent per-user installation of ActiveX controls
Prevent running First Run wizard
Restrict search providers to a specific list
Security Zones: Do not allow users to add/delete sites
Security Zones: Do not allow users to change policies
Security Zones: Use only machine settings
Set tab process growth
Specify default behavior for a new tab
Specify use of ActiveX Installer Service for installation of ActiveX controls
Turn off ability to pin sites in Internet Explorer on the desktop
Turn off ActiveX Opt-In prompt
Turn off add-on performance notifications
Turn off Automatic Crash Recovery
Turn off browser geolocation
Turn off configuration of pop-up windows in tabbed browsing
Turn off Crash Detection
Turn off Favorites bar
Turn off Managing SmartScreen Filter for Internet Explorer 8
Turn off page-zooming functionality
Turn off pop-up management
Turn off Quick Tabs functionality
Turn off Reopen Last Browsing Session
Turn off suggestions for all user-installed providers
Turn off tabbed browsing
Turn off the auto-complete feature for web addresses
Turn off the quick pick menu
Turn off the Security Settings Check feature
Turn on ActiveX Filtering
Turn on compatibility logging
Turn on menu bar by default
Turn on Suggested Sites
Add default Accelerators
Add non-default Accelerators
Restrict Accelerators to those deployed through Group Policy
Turn off Accelerators
Bypass prompting for Clipboard access for scripts running in any process
Bypass prompting for Clipboard access for scripts running in the Internet Explorer process
Define applications and processes that can access the Clipboard without prompting
Turn off Print Menu
Include updated website lists from Microsoft
Turn off Compatibility View
Turn off Compatibility View button
Turn on Internet Explorer 7 Standards Mode
Turn on Internet Explorer Standards Mode for local intranet
Use Policy List of Internet Explorer 7 sites
Use Policy List of Quirks Mode sites
Prevent specifying the code download path for each computer
Allow deleting browsing history on exit
Disable "Configuring History"
Prevent access to Delete Browsing History
Prevent deleting ActiveX Filtering, Tracking Protection, and Do Not Track data
Prevent deleting cookies
Prevent deleting download history
Prevent deleting favorites site data
Prevent deleting form data
Prevent deleting InPrivate Filtering data
Prevent deleting passwords
Prevent deleting temporary Internet files
Prevent deleting websites that the user has visited
Prevent the deletion of temporary Internet files and cookies
Disable the Advanced page
Disable the Connections page
Disable the Content page
Disable the General page
Disable the Privacy page
Disable the Programs page
Disable the Security page
Prevent ignoring certificate errors
Send internationalized domain names
Use UTF-8 for mailto links
Allow active content from CDs to run on user machines
Allow Install On Demand (except Internet Explorer)
Allow Install On Demand (Internet Explorer)
Allow Internet Explorer to use the SPDY/3 network protocol
Allow software to run or install even if the signature is invalid
Allow third-party browser extensions
Always send Do Not Track header
Automatically check for Internet Explorer updates
Check for server certificate revocation
Check for signatures on downloaded programs
Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled
Do not allow resetting Internet Explorer settings
Do not save encrypted pages to disk
Empty Temporary Internet Files folder when browser is closed
Play animations in web pages
Play sounds in web pages
Play videos in web pages
Turn off ClearType
Turn off encryption support
Turn off loading websites and content in the background to optimize performance
Turn off Profile Assistant
Turn off sending UTF-8 query strings for URLs
Turn off the flip ahead with page prediction feature
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Wind
Turn on Caret Browsing support
Turn on Enhanced Protected Mode
Use HTTP 1.1
Use HTTP 1.1 through proxy connections
Show Content Advisor on Internet Options
Start Internet Explorer with tabs from last browsing session
Allow websites to store application caches on client computers
Allow websites to store indexed databases on client computers
Set application cache storage limits for individual domains
Set application caches expiration time limit for individual domains
Set default storage limits for websites
Set indexed database storage limits for individual domains
Set maximum application cache individual resource size
Set maximum application cache resource list size
Set maximum application caches storage limit for all domains
Set maximum indexed database storage limit for all domains
Internet Zone Template
Intranet Sites: Include all local (intranet) sites not listed in other zones
Intranet Sites: Include all network paths (UNCs)
Intranet Sites: Include all sites that bypass the proxy server
Intranet Zone Template
Local Machine Zone Template
Locked-Down Internet Zone Template
Locked-Down Intranet Zone Template
Locked-Down Local Machine Zone Template
Locked-Down Restricted Sites Zone Template
Locked-Down Trusted Sites Zone Template
Restricted Sites Zone Template
Site to Zone Assignment List
Trusted Sites Zone Template
Turn on automatic detection of intranet
Turn on certificate address mismatch warning
Turn on Notification bar notification for intranet content
Access data sources across domains
Allow active content over restricted protocols to access my computer
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active content over restricted protocols to access my computer
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active content over restricted protocols to access my computer
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active content over restricted protocols to access my computer
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active content over restricted protocols to access my computer
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Open Internet Explorer tiles on the desktop
Set how links are opened in Internet Explorer
Go to an intranet site for a one-word entry in the Address bar
Turn off phone number detection
Allow Internet Explorer to play media files that use alternative codecs
Prevent configuration of search on Address bar
Prevent configuration of top-result search on Address bar
Turn off URL Suggestions
Turn off Windows Search AutoComplete
Prevent specifying cipher strength update information URLs
Prevent changing the URL for checking updates to Internet Explorer and Internet Tools
Prevent specifying the update check interval (in days)
Establish InPrivate Filtering threshold
Establish Tracking Protection threshold
Prevent the computer from loading toolbars and Browser Helper Objects when InPrivate Browsing starts
Turn off collection of InPrivate Filtering data
Turn off InPrivate Browsing
Turn off InPrivate Filtering
Turn off Tracking Protection
Do not display the reveal password button
Turn off Data Execution Prevention
Turn off Data URI support
Add-on List
All Processes
Deny all add-ons unless specifically allowed in the Add-on List
Process List
Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash
Allow native XMLHTTP support
Change the maximum number of connections per host (HTTP 1.1)
Maximum number of connections per server (HTTP 1.0)
Set the maximum number of WebSocket connections per server
Turn off cross-document messaging
Turn off the WebSocket Object
Turn off the XDomainRequest object
Admin-approved behaviors
All Processes
Install binaries signed by MD2 and MD4 signing technologies
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
Internet Zone Restricted Protocols
Intranet Zone Restricted Protocols
Local Machine Zone Restricted Protocols
Restricted Sites Zone Restricted Protocols
Trusted Sites Zone Restricted Protocols
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
Customize command labels
Display tabs on a separate row
Hide the Command bar
Hide the status bar
Lock all toolbars
Lock location of Stop and Refresh buttons
Turn off Developer Tools
Turn off toolbar upgrade tool
Use large icons for command buttons
MSFT IE 11

Disabled

Enabled
Enabled

Enabled

Enabled

Enabled
Enabled
Enabled

Enabled

Disabled
Enabled

Enabled

Disabled
Enabled

Enabled: 40 Days
Enabled
Not Defined

Not Defined
Enabled

Disabled

Enabled
Enabled
Enabled

Enabled

Enabled
Disabled

Enabled

Enabled: Disable

Enabled: Disable
Enabled: Disable

Enabled: Disable
Enabled: Disable

Enabled: Disable

Enabled: Enable

Enabled: Disable
Enabled: Disable
Enabled: Disable
Enabled: Enable
Enabled: Disable

Enabled: Disable
Enabled: Disable
Enabled: Disable
Enabled: Disable
Enabled: Disable
Enabled: Enable
Enabled: Disable
Enabled: Disable
Enabled: Disable Java
Enabled: Disable
Enabled: Prompt for usern
Enabled: Disable

Enabled: Disable
Enabled: Disable

Enabled: Disable
Not Defined

Enabled: Enable
Enabled: Enable

Enabled: Enable
Enabled: Disable
Enabled: Disable
Enabled: Disable

Enabled: Disable
Enabled: High Safety
Enabled: Disable

Enabled: Disable Java


Enabled: Enable

Enabled: Enable
Enabled: Enable
Enabled: Disable Java

Enabled: Enable
Enabled: Disable Java

Enabled: Enable
Enabled: Enable

Enabled: Disable Java


Enabled: Enable

Enabled: Disable Java


Enabled: Enabled

Enabled: Disable

Enabled: Disable
Enabled: Disable
Enabled: Disable
Enabled: Disable
Enabled: Disable
Enabled: Disable
Enabled: Disable

Enabled: Disable

Enabled: Disable
Enabled: Enable

Enabled: Disable
Enabled: Disable
Enabled: Disable
Enabled: Enable

Enabled: Disable
Enabled: Disable
Enabled: Disable
Enabled: Disable
Enabled: Disable
Enabled: Disable
Enabled: Enable
Enabled: Disable
Enabled: Disable
Enabled: Disable Java
Enabled: Disable
Enabled: Anonymous Logon
Enabled: Disable

Enabled: Disable
Enabled: Disable
Enabled: Disable
Enabled: Disable
Enabled: Disable
Enabled: Prompt
Not Defined

Enabled: Enable
Enabled: Enable
Enabled: Enable
Enabled: Enable
Enabled: Disable
Enabled: Disable
Enabled: Disable

Enabled: Disable
Enabled: High Safety
Enabled: 30



Enabled

Enabled

Enabled
Enabled

Enabled

Enabled

Enabled

Enabled
Registry Information
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!AddPolicySearchProvi
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!ShutdownWaitForOnUnload
HKLM\Software\Policies\Microsoft\Internet Explorer!AllowServicePoweredQSA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!IgnoreFrameApprovalCheck
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!Version
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoJITSetup
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!Autoconfig
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!Connection Settings, HKLM\Softw
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\SecondaryStartPages
HKLM\Software\Policies\Microsoft\Internet Explorer!DisableImportExportFavorites
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoUpdateCheck
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoSplash
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoMSAppLogo5ChannelNotif
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExtensionManagement
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!AlwaysShowMenus, HKLM\Software\Polici
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!EnableAutoUpgrade
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ProxySettingsPerUser
HKLM\Software\Policies\Microsoft\Internet Explorer\New Windows!ListBox_Support_Allow, HKLM\S
HKLM\Software\Policies\Microsoft\Internet Explorer\Security!DisableFixSecuritySettings
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpMenu
HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!PreventOverride
HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!PreventOverrideAppRepUnknow
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!DisablePopupFilterLevel
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!Proxy
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoChangeDefaultSea
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!AllowWindowReuse
HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!OpenInForeground
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoSearchBox
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!RestrictPopupExceptionList
HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!EnabledV9
HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\SQM!DisableCustomerImprovementProgram
HKLM\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX!BlockNonAdminActiveXInstall
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DisableFirstRunCustomize
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!UsePolicySearchProvi
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_zones_map_
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_options_edi
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_HKLM_only
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!TabProcGrowth
HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!NewTabPageShow
HKLM\Software\Policies\Microsoft\Windows\AxInstaller!OnlyUseAXISForActiveXInstall
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DisableAddSiteMode
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!NoFirsttimeprompt
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!DisableAddonLoadTimePerformance
HKLM\Software\Policies\Microsoft\Internet Explorer\Recovery!AutoRecover
HKLM\Software\Policies\Microsoft\Internet Explorer\Geolocation!PolicyDisableGeolocation
HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!PopupsUseNewWindow
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoCrashDetection
HKLM\Software\Policies\Microsoft\Internet Explorer\LinksBar!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!EnabledV8
HKLM\Software\Policies\Microsoft\Internet Explorer\ZOOM!ZoomDisabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoPopupManagement
HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!QuickTabsThreshold
HKLM\Software\Policies\Microsoft\Internet Explorer\Recovery!NoReopenLastSession
HKLM\Software\Policies\Microsoft\Internet Explorer\SearchScopes!ShowSearchSuggestionsGlobal
HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!Enabled
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete!AutoSuggest
HKLM\Software\Policies\Microsoft\Internet Explorer\SearchScopes!DisplayQuickPick
HKLM\Software\Policies\Microsoft\Internet Explorer\Security!DisableSecuritySettingsCheck
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\ActiveXFiltering!IsEnabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Compat_
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!AlwaysShowMenus
HKLM\Software\Policies\Microsoft\Internet Explorer\Suggested Sites!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\GPActivities\ActivitiesDefaultInstall
HKLM\Software\Policies\Microsoft\Internet Explorer\GPActivities\ActivitiesInstall
HKLM\Software\Policies\Microsoft\Internet Explorer\Activities\Restrictions!UsePolicyActivitiesOnly
HKLM\Software\Policies\Microsoft\Internet Explorer\Activities!NoActivities
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Script_
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Script_P
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_Featur
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoPrinting
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!MSCompatibilityMode
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!DisableSiteListEditing
HKLM\Software\Policies\Microsoft\Internet Explorer\CommandBar!ShowCompatibilityViewButton
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!AllSitesCompatibilityMode
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!IntranetCompatibilityMode
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\QuirksPolicyList
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!CodeBaseSearchPath
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!ClearBrowsingHistoryOnExit
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!History, HKLM\Software\Policie
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeleteBrowsingHistory
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanTrackingProtection
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanCookies
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanDownloadHistory
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!UseAllowList
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeleteForms
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanInPrivateBlocking
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeletePasswords
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanTIF
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanHistory
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!Settings
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!AdvancedTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!ConnectionsTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!ContentTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!GeneralTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!PrivacyTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!ProgramsTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!SecurityTab
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!PreventIgnoreCertErr
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnablePunyCode
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Protocols\Mailto!UT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMA
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NoWebJITSetup
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NoJITSetup
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableSPDY3_0
HKLM\Software\Policies\Microsoft\Internet Explorer\Download!RunInvalidSignatures
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Enable Browser Extensions
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DoNotTrack
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NoUpdateCheck
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!CertificateRevocation
HKLM\Software\Policies\Microsoft\Internet Explorer\Download!CheckExeSignatures
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DisableEPMCompat
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableRIED
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!DisableCachingOfSSL
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache!Persistent
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Play_Animations
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Play_Background_Sounds
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Display Inline Videos
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!UseClearType
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!SecureProtocols
HKLM\Software\Policies\Microsoft\Internet Explorer\PrefetchPrerender!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Security\P3Global!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!UTF8URLQuery
HKLM\Software\Policies\Microsoft\Internet Explorer\FlipAhead!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Isolation64Bit
HKLM\Software\Policies\Microsoft\Internet Explorer\CaretBrowsing!EnableOnStartup
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Isolation
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableHttp1_1
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ProxyHttp1.1
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!ShowContentAdvisor
HKLM\Software\Policies\Microsoft\Internet Explorer\ContinuousBrowsing!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!AllowWebsiteCach
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!AllowWebsiteData
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!MaxTrustedDomai
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!GarbageCollection
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage!DefaultDomainCacheLimitInM
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!MaxTrustedDoma
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!ManifestSingleRe
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!ManifestResource
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!TotalLimitInMB
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!TotalLimitInMB
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Template Policies!In
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!IntranetN
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!UNCAsIntr
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!ProxyByPa
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Settings\Template Policies!Int
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Settings\Template
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Lockdown Settings\Template P
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Lockdown Settings\Template P
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Lockdown Settings
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Lockdown Settings\Tem
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Lockdown Settings\Templ
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Settings\Template Polic
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ListBox_Support_Zo
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Settings\Template Policie
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!AutoDetec
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!WarnOnBadCertRecv
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!WarnOnIntranet
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1406
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2300
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1400
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2000
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1407
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1802
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1803
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1604
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1800
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2400
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2402
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2401
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1608
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!120b
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!180E
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!180F
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1206
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2102
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1209
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2103
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!120A
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2104
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2105
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2201
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2200
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1609
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1A04
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!270C
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1001
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1004
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2709
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2708
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2100
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!160A
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1201
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1C00
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1804
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1A00
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1607
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!270B
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2004
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2001
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1200
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1405
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1402
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1806
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1E05
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1601
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2600
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1208
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1409
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2500
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2301
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1809
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1606
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2101
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1406
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2300
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1400
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2000
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1407
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1802
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1803
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1604
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1800
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2400
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2402
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2401
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1608
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!120b
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!180E
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!180F
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1206
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2102
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1209
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2103
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!120A
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2104
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2105
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2201
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2200
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1609
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1A04
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!270C
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1001
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1004
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2709
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2708
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2100
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!160A
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1201
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1C00
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1804
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1A00
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1607
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!270B
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2004
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2001
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1200
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1405
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1402
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1806
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1E05
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1601
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2600
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1208
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1409
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2500
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2301
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1809
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1606
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2101
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1406
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2300
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1400
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2000
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1407
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1802
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1803
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1604
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1800
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2400
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2402
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2401
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1608
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!120b
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!180E
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!180F
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1206
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2102
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1209
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2103
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!120A
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2104
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2105
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2201
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2200
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1609
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1A04
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!270C
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1001
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1004
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2709
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2708
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2100
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!160A
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1201
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1C00
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1804
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1A00
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1607
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!270B
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2004
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2001
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1200
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1405
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1402
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1806
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1E05
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1601
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2600
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1208
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1409
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2500
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2301
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1809
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1606
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2101
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1406
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2300
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1400
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2000
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1407
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1802
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1803
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1604
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1800
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2400
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2402
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2401
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1608
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!120b
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!180E
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!180F
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1206
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2102
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1209
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2103
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!120A
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2104
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2105
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2201
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2200
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1609
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1A04
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!270C
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1001
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1004
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2709
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2708
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2100
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!160A
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1201
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1C00
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1804
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1A00
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1607
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!270B
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2004
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2001
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1200
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1405
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1402
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1806
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1E05
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1601
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2600
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1208
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1409
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2500
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2301
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1809
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1606
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2101
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1406
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2300
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1400
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2000
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1407
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1802
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1803
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1604
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1800
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2400
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2402
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2401
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1608
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!120b
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!180E
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!180F
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1206
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2102
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1209
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2103
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!120A
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2104
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2105
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2201
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2200
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1609
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1A04
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!270C
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1001
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1004
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2709
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2708
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2100
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!160A
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1201
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1C00
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1804
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1A00
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1607
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!270B
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2004
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2001
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1200
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1405
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1402
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1806
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1E05
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1601
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2600
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1208
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1409
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2500
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2301
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1809
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1606
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2101
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!ApplicationTileImmersiveActivation
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!AssociationActivationMode
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!GotoIntranetSiteForSingleWordEntry
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FormatDetection!PhoneNumberEnabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!EnableAlternativeCodec
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!AutoSearch
HKLM\Software\Policies\Microsoft\Internet Explorer\SearchScopes!TopResult
HKLM\Software\Policies\Microsoft\Internet Explorer\DomainSuggestion!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\WindowsSearch!EnabledScopes
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion!IEAKUpdateUrl
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Update_Check_Page
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Update_Check_Interval
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!Threshold
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!TrackingProtectionThreshold
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableToolbars
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableLogging
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!EnableInPrivateBrowsing
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableInPrivateBlocking
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableTrackingProtection
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DisablePasswordReveal
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DEPOff
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATAURI!iexpl
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!ListBox_Support_CLSID, HKLM\Soft
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!RestrictToList
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_
HKLM\Software\Policies\Microsoft\Internet Explorer!DisableFlashInIE
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!XMLHTTP
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKE
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOC
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET!ie
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XDOMAINREQU
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ListBox_Support_All
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS!*
HKLM\Software\Policies\Microsoft\Internet Explorer\Security!ENABLE_MD2_MD4
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS!(Re
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEAT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDL
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FE
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMAC
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_F
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFIN
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEAT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FE
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_L
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_F
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAN
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND!
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEAT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACH
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEA
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVAT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEA
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEAT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_F
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FE
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RES
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_REST
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FE
HKLM\Software\Policies\Microsoft\Internet Explorer\CommandBar!TextOption
HKLM\Software\Policies\Microsoft\Internet Explorer\MINIE!ShowTabsBelowAddressBar
HKLM\Software\Policies\Microsoft\Internet Explorer\CommandBar!CommandBarEnabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!StatusBarWeb
HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbar!Locked
HKLM\Software\Policies\Microsoft\Internet Explorer\CommandBar!ShowLeftAddressToolbar
HKLM\Software\Policies\Microsoft\Internet Explorer\IEDevTools!Disabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions!DisableToolbarUpgrader
HKLM\Software\Policies\Microsoft\Internet Explorer\CommandBar!SmallIcons
Supported On
At least Internet Explorer 7.0
At least Internet Explorer 9.0
At least Internet Explorer 11.0
At least Internet Explorer 9.0
At least Internet Explorer 7.0
Only Internet Explorer 5.0 and Internet Explo
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 8.0
At least Internet Explorer 5.0
Only Internet Explorer 5.0 and Internet Explo
Only Internet Explorer 5.0
Only Internet Explorer 5.0 and Internet Explo
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 10.0
At least Internet Explorer 5.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 9.0
At least Internet Explorer 7.0
At least Internet Explorer 5.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
Only Internet Explorer 7.0 and Internet Explo
At least Internet Explorer 7.0
At least Internet Explorer 9.0
Only Internet Explorer 7.0
At least Internet Explorer 7.0. Not supporte
At least Internet Explorer 8.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 9.0
At least Internet Explorer 8.0
At least Internet Explorer 9.0
At least Internet Explorer 8.0
At least Internet Explorer 9.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 8.0
Only Internet Explorer 8.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
Internet Explorer 7.0 to Internet Explorer 10
At least Internet Explorer 8.0
At least Internet Explorer 8.0
Internet Explorer 7.0 to Internet Explorer 10
At least Internet Explorer 5.0
Only Internet Explorer 8.0
At least Internet Explorer 7.0
At least Internet Explorer 9.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 5.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
Internet Explorer 8.0 to Internet Explorer 10
Internet Explorer 8.0 to Internet Explorer 10
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 5.0
At least Internet Explorer 7.0
At least Internet Explorer 9.0
At least Internet Explorer 8.0
At least Internet Explorer 9.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0
Only Internet Explorer 8.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
Only Internet Explorer 5.0 through Internet E
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
Only Internet Explorer 6.0 in Windows 2003
Only Internet Explorer 6.0 in Windows 2003
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows 20
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows 2
At least Internet Explorer 6.0 in Windows 20
At least Internet Explorer 6.0 in Windows 20
At least Internet Explorer 10.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows 20
At least Internet Explorer 6.0 in Windows 20
At least Internet Explorer 6.0 in Windows 20
At least Internet Explorer 6.0 in Windows 20
Only Internet Explorer 6.0 in Windows 2003
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 11.0
Only Internet Explorer 6.0 in Windows 2003
At least Internet Explorer 11.0
At least Internet Explorer 10.0 on Windows 8
At least Internet Explorer 11.0
At least Internet Explorer 8.0
At least Internet Explorer 10.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Window
At least Windows Server 2008 R2 or Window
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vis
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Window
At least Windows Server 2008 R2 or Window
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vis
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Window
At least Windows Server 2008 R2 or Window
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vis
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Window
At least Windows Server 2008 R2 or Window
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vis
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Window
At least Windows Server 2008 R2 or Window
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vis
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Window
At least Windows Server 2008 R2 or Window
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vis
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Window
At least Windows Server 2008 R2 or Window
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vis
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Window
At least Windows Server 2008 R2 or Window
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vis
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Window
At least Windows Server 2008 R2 or Window
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vis
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Window
At least Windows Server 2008 R2 or Window
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Ser
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vis
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 10.0 on Windows 8
At least Internet Explorer 10.0 on Windows 8
At least Internet Explorer 9.0
At least Internet Explorer 11.0
At least Internet Explorer 9.0
At least Internet Explorer 7.0
At least Internet Explorer 9.0
At least Internet Explorer 10.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
Only Internet Explorer 8.0
At least Internet Explorer 9.0
At least Internet Explorer 8.0
Only Internet Explorer 8.0
At least Internet Explorer 8.0
Only Internet Explorer 8.0
At least Internet Explorer 9.0
At least Internet Explorer 10.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 10.0 on Windows 8
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 10.0
At least Internet Explorer 8.0
At least Internet Explorer 10.0
At least Internet Explorer 8.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 9.0
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 6.0 in Windows XP
At least Internet Explorer 8.0
At least Internet Explorer 9.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0
Internet Explorer 8.0 to Internet Explorer 10
Help Text
This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, se
This policy setting allows you to revert to the Internet Explorer 8 behavior of allowing OnUnLoad script handlers to display UI d
This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide e
This policy setting allows you to configure whether newly installed add-ons are automatically activated in the Internet Explore
This policy setting allows you to customize the Internet Explorer version string as reported to web servers in the HTTP User Ag
Prevents Internet Explorer from automatically installing components. If you enable this policy, it prevents Internet Explorer fro
This setting specifies to automatically detect the proxy server settings used to connect to the Internet and customize Internet
Prevents users from changing dial-up settings. If you enable this policy, the Settings button on the Connections tab in the Intern
Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page wheneve
This policy setting disables the Import/Export Settings wizard. This wizard allows you to import settings from another browse
Prevents Internet Explorer from checking whether a new version of the browser is available. If you enable this policy, it preven
Prevents the Internet Explorer splash screen from appearing when users start the browser. If you enable this policy, the splash
Specifies that programs using the Microsoft Software Distribution Channel will not notify users when they install new compon
This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Add-On Manager. If y
This policy setting allows you to enforce full-screen mode, which disables the navigation bar, the menu bar, and the Command
This policy setting configures Internet Explorer to automatically install new versions of Internet Explorer when they are availab
Applies proxy settings to all users of the same computer. If you enable this policy, users cannot set user-specific proxy settings.
This policy setting allows you to specify a list of web sites that will be allowed to open pop-up windows regardless of the Intern
This policy setting prevents the user from using the "Fix settings" functionality related to Security Settings Check. If you enable
This policy setting prevents the user from accessing Help in Internet Explorer. If you enable this policy setting, the following occ
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the us
This policy setting prevents the user from changing the level of pop-up filtering. The available levels are as follows: High: Bloc
This policy setting specifies if a user can change proxy settings. If you enable this policy setting, the user will not be able to confi
This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box
This policy setting allows you to configure how windows open in Internet Explorer when the user clicks links from other applic
This policy setting allows you to configure how new tabs are created by default in Internet Explorer. If you enable this policy se
This policy setting prevents the Search box from appearing in Internet Explorer. When the Search box is available, it includes a
You can allow pop-ups from specific websites by adding the sites to the exception list. If you enable this policy setting, the user
This policy setting prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is kn
This policy setting prevents the user from managing a filter that warns the user if the website being visited is known for fraudu
This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP). If you enable
This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. If you enable this policy setting
This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after in
This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those define
Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same secur
Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.If you
Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same sec
This policy setting allows you to set the rate at which Internet Explorer creates new tab processes. There are two algorithms th
This policy setting allows you to specify what is displayed when the user opens a new tab. If you enable this policy setting, you
This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy setting, ActiveX controls are
This policy setting allows you to manage whether users can pin sites to locations where pinning is allowed, such as the taskbar
This policy setting allows you to turn off the ActiveX Opt-In prompt. ActiveX Opt-In prevents websites from loading any ActiveX
This policy setting prevents Internet Explorer from displaying a notification when the average time to load all the user's enable
This policy setting turns off Automatic Crash Recovery. If you enable this policy setting, Automatic Crash Recovery does not pro
This policy setting allows you to disable browser geolocation support. This will prevent websites from requesting location data
This policy setting allows you to define the user experience related to how pop-up windows appear in tabbed browsing in Inte
This policy setting allows you to manage the crash detection feature of add-on Management. If you enable this policy setting, a
This policy setting allows you to manage whether a user has access to the Favorites bar in Internet Explorer. If you enable this p
This policy setting allows the user to enable the SmartScreen Filter, which warns the user if the website being visited is known
This policy setting prevents the user from zooming in to or out of a page to better see the content. If you enable this policy setti
This policy setting allows you to manage pop-up management functionality in Internet Explorer. If you enable this policy setting
This policy setting allows you to turn off the Quick Tabs functionality in Internet Explorer. If you enable this policy setting, the e
This policy setting allows you to manage whether a user has access to the Reopen Last Browsing Session feature in Internet Ex
This policy setting allows you to turn off suggestions for all user-installed search providers. If you enable this policy setting, the
This policy setting allows you to turn off tabbed browsing and related entry points from the Internet Explorer user interface. S
This AutoComplete feature suggests possible matches when users are entering Web addresses in the browser address bar. If y
This policy setting allows you to prevent the quick pick menu from appearing when a user clicks in the Search box. If you enabl
This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine w
This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to
This policy setting logs information that is blocked by new features in Internet Explorer. The logged compatibility information i
This policy setting allows you to turn on or turn off the earlier menus (for example, File, Edit, and View) in Internet Explorer. If y
This policy setting controls the Suggested Sites feature, which recommends websites based on the user's browsing activity
This policy setting allows you to add default Accelerators. If you enable this policy setting, the specified Accelerators are added
This policy setting allows you to add non-default Accelerators. If you enable this policy setting, the specified Accelerators are a
This policy setting restricts the list of Accelerators that the user can access to only the set deployed through Group Policy. If yo
This policy setting allows you to manage whether users can access Accelerators. If you enable this policy setting, users cannot a
This policy setting allows you to bypass prompting when a script that is running in any process on the computer attempts to pe
This policy setting allows you to bypass prompting when a script that is running in the Internet Explorer process attempts to pe
This policy setting allows you to define applications and processes that can access the Clipboard without prompting the user. N
This policy setting allows you to manage whether users can access the Print menu. Starting with Windows 8, this policy setting
This policy controls the website compatibility lists that Microsoft provides. The updated website lists are available on Window
This policy setting controls the Compatibility View feature, which allows the user to fix website display problems that he or she
This policy setting controls the Compatibility View button that appears on the Command bar. This button allows the user to fix
This policy setting allows you to turn on Internet Explorer 7 Standards Mode. Compatibility View determines how Internet Exp
This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage t
This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View. If you enable
Compatibility View determines how Internet Explorer identifies itself to a web server and determines whether content is rend
This policy setting prevents the user from specifying the code download path for each computer. The Internet Component Dow
This policy setting allows the automatic deletion of specified items when the last browser window closes. The preferences sele
This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Tempor
This policy setting prevents the user from performing actions which will delete browsing history. For more information on brow
In Internet Explorer 9 and Internet Explorer 10: This policy setting prevents users from deleting ActiveX Filtering and Tracking P
This policy setting prevents the user from deleting cookies. This feature is available in the Delete Browsing History dialog box. I
This policy setting prevents the user from deleting his or her download history. This feature is available in the Delete Browsing
This policy setting prevents the user from deleting favorites site data. This feature is available in the Delete Browsing History d
This policy setting prevents the user from deleting form data. This feature is available in the Delete Browsing History dialog bo
This policy setting prevents the user from deleting InPrivate Filtering data. Internet Explorer collects InPrivate Filtering data du
This policy setting prevents users from deleting passwords. This feature is available in the Delete Browsing History dialog box. I
This policy setting prevents the user from deleting temporary Internet files. This feature is available in the Delete Browsing His
This policy setting prevents the user from deleting the history of websites that he or she has visited. This feature is available in
This policy setting is used to manage temporary Internet files and cookies associated with your Internet browsing history, avai
Removes the Advanced tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevented
Removes the Connections tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevent
If you enable this policy setting, users are prevented from seeing and changing ratings, certificates, AutoComplete, Wallet, and
Removes the General tab from the interface in the Internet Options dialog box. If you enable this policy, users are unable to se
Removes the Privacy tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevented fro
Removes the Programs tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevented
Removes the Security tab from the interface in the Internet Options dialog box. If you enable this policy, it prevents users from
This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors th
This policy setting allows you to manage whether Internet Explorer converts Unicode domain names to internationalized dom
This policy setting allows you to manage whether Internet Explorer uses 8-bit Unicode Transformation Format (UTF-8) for mai
This policy setting allows you to manage whether users receive a dialog requesting permission for active content on a CD to ru
This policy setting allows you to manage whether users can download and install self-installing program files (non-Internet Exp
This policy setting allows you to manage whether users can automatically download and install Web components (such as fon
This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests
This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run
This policy setting allows you to manage whether Internet Explorer will launch COM add-ons known as browser helper objects
This policy setting allows you to configure how Internet Explorer sends the Do Not Track (DNT) header. If you enable this policy
This policy setting allows you to manage whether Internet Explorer checks the Internet for newer versions. When Internet Exp
This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certific
This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher
This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. Wh
This policy setting prevents the user from using the Reset Internet Explorer Settings feature. Reset Internet Explorer Settings a
This policy setting allows you to manage whether Internet Explorer will save encrypted pages that contain secure (HTTPS) info
This policy setting allows you to manage whether Internet Explorer deletes the contents of the Temporary Internet Files folder
This policy setting allows you to manage whether Internet Explorer will display animated pictures found in Web content. Gene
This policy setting allows you to manage whether Internet Explorer will play sounds found in web content. Generally only soun
This policy setting allows you to manage whether Internet Explorer will display videos found in Web content. Generally only em
This policy setting prevents the text on the screen from being rendered through the ClearType technology that enhances the r
This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (S
This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speedin
This policy setting specifies whether you will accept requests from Web sites for Profile Assistant information. If you enable thi
This policy setting determines whether Internet Explorer uses 8-bit Unicode Transformation Format (UTF-8) to encode query s
This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of
This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (fo
This policy setting allows you to turn Caret Browsing on or off. Caret Browsing allows users to browse to a webpage by using th
Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versio
This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1. If you enable this policy setting, Internet Exp
This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1 through proxy connections. If you enable thi
This policy setting shows the Content Advisor setting on the Content tab of the Internet Options dialog box. If you enable this p
This policy setting configures what Internet Explorer displays when a new browsing session is started. By default, Internet Expl
This policy setting allows websites to store file resources in application caches on client computers. If you enable this policy setti
This policy setting allows websites to store indexed database cache information on client computers. If you enable this policy s
This policy setting sets file storage limits for application caches of websites that have been allowed to exceed their storage lim
This policy setting sets the number of days an inactive application cache will exist before it is removed. If the application cache
This policy setting sets data storage limits for indexed database and application caches for individual websites. When you set t
This policy setting sets data storage limits for indexed databases of websites that have been allowed to exceed their storage li
This policy setting sets the maximum size for an individual resource file contained in a manifest file. The manifest file is used to
This policy setting sets the maximum number of resource entries that can be specified in a manifest file associated with an app
This policy setting sets the file storage limit for all combined application caches for a user. When you set this policy setting, you
This policy setting sets the data storage limit for all combined indexed databases for a user. When you set this policy setting, y
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local
This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. If you enable thi
This policy setting controls whether sites which bypass the proxy server are mapped into the local Intranet security zone. If you
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone nu
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This policy setting enables intranet mapping rules to be applied automatically if the computer belongs to a domain. If you enab
This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned o
This policy setting causes a Notification bar notification to appear when intranet content is loaded and the intranet mapping ru
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Intranet Zone can r
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate in
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Intranet Zone can r
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate in
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Intranet Zone can r
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Trusted Sites Zone
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Intranet Zone can r
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate in
This policy setting configures Internet Explorer to open Internet Explorer tiles on the desktop. If you enable this policy setting, I
This policy setting allows you to choose how links are opened in Internet Explorer: Let Internet Explorer decide, always in Inter
This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar. If you enable this policy se
This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invok
This policy setting specifies whether Internet Explorer plays media files that use alternative codecs and that require additional
This policy setting specifies whether the user can conduct a search on the Address bar. If you enable this policy setting, you mu
This policy setting allows you to specify whether a user can browse to the website of a top result when search is enabled on th
This policy setting turns off URL Suggestions. URL Suggestions allow users to autocomplete URLs in the address bar based on c
This policy setting allows you to prevent Windows Search AutoComplete from providing results in the Internet Explorer Addre
This policy setting prevents the user from specifying a URL that contains update information about cipher strength. When the
This policy setting prevents the user from changing the default URL for checking updates to Internet Explorer and Internet Too
This policy setting prevents the user from specifying the update check interval. The default value is 30 days. If you enable this p
This policy setting allows you to establish the threshold for InPrivate Filtering Automatic mode. The threshold sets the number
This policy setting allows you to establish the threshold for Tracking Protection Automatic mode. The threshold sets the numbe
This policy setting allows you to choose whether or not toolbars and Browser Helper Objects (BHOs) are loaded by default dur
This policy setting allows you to turn off the collection of data used by the InPrivate Filtering Automatic mode. The data consist
This policy setting allows you to turn off the InPrivate Browsing feature. InPrivate Browsing prevents Internet Explorer from sto
This policy setting allows you to turn off InPrivate Filtering. InPrivate Filtering helps users control whether third parties can aut
This policy setting allows you to turn off Tracking Protection. Tracking Protection helps users control whether third parties can
This policy setting allows you to hide the reveal password button when Internet Explorer prompts users for a password. The re
This policy setting allows you to turn off the Data Execution Prevention feature for Internet Explorer on Windows Server 2008,
This policy setting allows you to turn on or turn off Data URI support. A Data URI allows web developers to encapsulate images
This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are
This policy setting allows you to manage whether processes respect add-on management user preferences (as reflected by Ad
This policy setting allows you to ensure that any Internet Explorer add-ons not listed in the 'Add-on List' policy setting are deni
This policy setting allows you to manage whether the listed processes respect add-on management user preferences (as enter
This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology
This policy setting allows the user to run natively implemented, scriptable XMLHTTP. If you enable this policy setting, the user c
This policy setting allows you to change the default connection limit for HTTP 1.1 from 6 connections per host to a limit of you
This policy setting allows you to change the default connection limit for HTTP 1.0 from 6 connections per host to a limit of you
This policy setting allows you to change the default limit of WebSocket connections per server. The default limit is 6; you can s
This policy setting allows you to manage whether documents can request data across third-party domains embedded in the pa
The WebSocket object allows websites to request data across domains from your browser by using the WebSocket protocol. T
This policy setting allows you to choose whether websites can request data across domains by using the XDomainRequest obje
For each zone, the Binary and Scripted Behavior security restrictions may be configured to allow only a list of admin-approved
Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elemen
This policy setting allows you to manage whether Internet Explorer 9 can install ActiveX controls and other binaries signed wit
Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elemen
Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elemen
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files rece
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files rece
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files rece
Internet Explorer places zone restrictions on each Web page it opens, which are dependent upon the location of the Web pag
Internet Explorer places zone restrictions on each Web page it opens, which are dependent upon the location of the Web pag
Internet Explorer places zone restrictions on each Web page it opens, which are dependent upon the location of the Web pag
This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more d
This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more d
This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more d
The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources host
The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources host
The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources host
Internet Explorer may be configured to prevent active content obtained through restricted protocols from running in an unsaf
File Explorer and Internet Explorer may be configured to prevent active content obtained through restricted protocols from ru
Internet Explorer may be configured to prevent active content obtained through restricted protocols from running in an unsaf
For each zone, the Network Protocol Lockdown security restriction may be configured to prevent active content obtained thro
For each zone, the Network Protocol Lockdown security restriction may be configured to prevent active content obtained thro
For each zone, the Network Protocol Lockdown security restriction may be configured to prevent active content obtained thro
For each zone, the Network Protocol Lockdown security restriction may be configured to prevent active content obtained thro
For each zone, the Network Protocol Lockdown security restriction may be configured to prevent active content obtained thro
This policy setting allows you to manage whether the Notification bar is displayed for processes other than the Internet Explor
This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or
This policy setting allows you to manage whether the Notification bar is displayed for specific processes when file or code insta
This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or t
This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or t
This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or t
Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web
Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web
Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control inst
This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. If you enable this po
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control inst
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of file downloads that
This policy setting enables blocking of file download prompts that are not user initiated. If you enable this policy setting, file do
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of file downloads that
Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restr
Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restr
Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restr
This policy setting allows you to choose among three different labels for command buttons: show all text labels, show selective
This policy setting allows you to manage where tabs are displayed. If you enable this policy setting, tabs are displayed on a sep
This policy setting allows you to show or hide the Command bar. If you enable this policy setting, the Command bar is hidden a
This policy setting allows you to show or hide the status bar. If you enable this policy setting, the status bar is hidden and the u
This policy setting allows you to lock or unlock the toolbars on the user interface. If you enable this policy setting, the toolbars
This policy setting allows you to lock the Stop and Refresh buttons next to the Back and Forward buttons. If you enable this pol
This policy setting allows you to manage whether the user can access Developer Tools in Internet Explorer. If you enable this p
This policy setting allows you to turn off the toolbar upgrade tool. The toolbar upgrade tool determines whether incompatible
This policy setting allows you to increase the size of icons for command buttons. If you enable this policy setting, icons for comma
rch providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from
ipt handlers to display UI during shutdown. This policy setting may be needed to fix compatibility problems with particular web application
Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services. If you enable this p
ed in the Internet Explorer 9 browser. Any add-ons that were activated in a previous version of Internet Explorer are considered to be the
ervers in the HTTP User Agent header. If you enable this policy setting, Internet Explorer sends the specified custom string in the version po
vents Internet Explorer from downloading a component when users browse to a Web site that needs that component. If you disable this po
et and customize Internet Explorer. This setting specifies that Internet Explorer use the configuration settings provided in a file by the syste
nnections tab in the Internet Options dialog box appears dimmed. If you disable this policy or do not configure it, users can change their se
m the home page whenever the browser is run. This policy setting allows you to set default secondary home pages. If you enable this policy
ngs from another browser, import settings from a file, or export settings to a file. Importing settings from another browser allows the user
nable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if
able this policy, the splash screen, which displays the program name, licensing, and copyright information, is not displayed. If you disable th
n they install new components. The Software Distribution Channel is a means of updating software dynamically on users' computers by usi
ough Add-On Manager. If you enable this policy setting, users cannot enable or disable add-ons through Add-On Manager. The only excep
nu bar, and the Command bar. Starting with Windows 8, this policy only applies to Internet Explorer on the desktop. The navigation bar in
orer when they are available. If you enable this policy setting, automatic upgrade of Internet Explorer will be turned on. If you disable this p
ser-specific proxy settings. They must use the zones created for all users of the computer. If you disable this policy or do not configure it, u
ws regardless of the Internet Explorer process's Pop-Up Blocker settings. If you enable this policy setting, you can enter a list of sites which
ttings Check. If you enable this policy setting, the user cannot use the "Fix settings" functionality. If you disable or do not configure this poli
y setting, the following occur: • The Help menu on the menu bar is not functional. • Help is removed from the Command bar. •
tScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter
tScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. If you enab
are as follows: High: Block all pop-ups. Medium: Block most automatic pop-ups. Low: Allow pop-ups from secure sites. If you enable t
ser will not be able to configure proxy settings. If you disable or do not configure this policy setting, the user can configure proxy settings.
and the toolbar Search box. If you enable this policy setting, the user cannot change the default search provider. If you disable or do not con
cks links from other applications. If you enable this policy setting, the user cannot configure how windows open in Internet Explorer when h
If you enable this policy setting, the user cannot configure how new tabs are created by default. You must specify whether tabs should ope
ox is available, it includes all installed search providers and a link to search settings. If you enable this policy setting, the Search box does no
his policy setting, the user cannot add websites to or remove websites from the exception list. If you disable or do not configure this policy
website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. If
visited is known for fraudulent attempts to gather personal information through "phishing." If you enable this policy setting, the user is not
ogram (CEIP). If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does
u enable this policy setting, ActiveX controls cannot be installed on a per-user basis. If you disable or do not configure this policy setting, Ac
starts the browser after installing Internet Explorer or Windows. If you enable this policy setting, you must make one of the following choic
et Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Intern
sites with the same security level. If you enable this policy, the site management settings for security zones are disabled. (To see the site m
e same security level. If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options
eb sites with the same security level. If you enable this policy, changes that the user makes to a security zone will apply to all users of that
here are two algorithms that Internet Explorer uses. The default algorithm has four settings: low, medium, high, or default. Low creates ve
ble this policy setting, you can choose which page to display when the user opens a new tab: blank page (about:blank), the first home page
etting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of Activ
owed, such as the taskbar, the desktop, or File Explorer. If you enable this policy setting, users cannot pin sites. If you disable or do not con
s from loading any ActiveX control without prior approval. If a website attempts to load an ActiveX control that Internet Explorer has not u
o load all the user's enabled add-ons exceeds the threshold. The notification informs the user that add-ons are slowing his or her browsing
ash Recovery does not prompt the user to recover his or her data after a program stops responding. If you disable or do not configure this
m requesting location data about the user. If you enable this policy setting, browser geolocation support is turned off. If you disable this pol
in tabbed browsing in Internet Explorer. If you enable this policy setting, the user cannot configure pop-up windows in tabbed browsing. Yo
enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, na
xplorer. If you enable this policy setting, the Favorites bar is turned off. If you disable this policy setting, the Favorites bar is turned on. If you
site being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. If you
you enable this policy setting, applications that host MSHTML do not respond to user input that causes the content to be re-rendered at a
u enable this policy setting, the Control Panel information relating to pop-up management will be unavailable (grayed out) and all other p
le this policy setting, the entry points to Quick Tabs are removed from the Internet Explorer user interface. If you disable or do not configu
sion feature in Internet Explorer. If you enable this policy setting, the user cannot use the Reopen Last Browsing Session feature. If you disa
ble this policy setting, the user cannot view suggestions for user-installed search providers. If you disable or do not configure this policy se
Explorer user interface. Starting with Windows 8, this policy only applies to Internet Explorer on the desktop. If you enable this policy setti
e browser address bar. If you enable this policy setting, user will not be suggested matches when entering Web addresses. The user canno
he Search box. If you enable this policy setting, when a user clicks in the Search box, the quick pick menu does not appear until the user sta
rity settings to determine when the settings put Internet Explorer at risk. If you enable this policy setting, the feature is turned off. If you dis
ls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly. If you enable this policy
compatibility information is displayed in the Windows Event Viewer. If you enable this policy setting, the user can log information that is bl
ew) in Internet Explorer. If you enable this policy setting, the menu bar appears in Internet Explorer by default, and the user cannot turn it o
ser's browsing activity. Suggested Sites reports a user's browsing history to Microsoft to suggest sites that the user might want to v
ed Accelerators are added to the user's browser. The user can append other Accelerators to this list, but the user cannot remove or chang
pecified Accelerators are added to the user's browser. The user can append other Accelerators to this list, but the user cannot remove or c
through Group Policy.If you enable this policy setting, the user can access only Accelerators that are deployed through Group Policy. The u
olicy setting, users cannot access Accelerators.If you disable or do not configure this policy setting, users can access Accelerators and instal
e computer attempts to perform a Clipboard operation (delete, copy, or paste).If you enable this policy setting, the user is not prompted w
rer process attempts to perform a Clipboard operation (delete, copy, or paste) and the URL action for the zone is set to prompt.If you ena
hout prompting the user.Note: Do not enter the Internet Explorer processes in this list. To enable or disable Internet Explorer processes, u
ndows 8, this policy setting also allows you to manage whether users can access the Print flyout for Internet Explorer and any printers unde
s are available on Windows Update.If you enable this policy setting, the Microsoft-provided website lists are used during browser navigatio
ay problems that he or she may encounter while browsing.If you enable this policy setting, the user cannot use the Compatibility View butt
utton allows the user to fix website display problems that he or she may encounter while browsing.If you enable this policy setting, the use
ermines how Internet Explorer identifies itself to a web server and determines whether content is rendered in Internet Explorer 7 Standar
defined as any webpage that belongs to the local intranet security zone.If you enable this policy setting, Internet Explorer uses the curren
tibility View.If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that y
s whether content is rendered in Quirks Mode or the Standards Mode available in the latest version of Internet Explorer.If you enable this
e Internet Component Download service exposes a function that is called by an application to download, verify, and install code for an Ob
oses. The preferences selected in the Delete Browsing History dialog box (such as deleting temporary Internet files, cookies, history, form
List. To access the Temporary Internet Files and History Settings dialog box, from the Menu bar, on the Tools menu, click Internet Options,
more information on browsing history Group Policy settings, see "Group Policies Settings in Internet Explorer 10" in the TechNet technica
eX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or T
owsing History dialog box.If you enable this policy setting, cookies are preserved when the user clicks Delete.If you disable this policy settin
ble in the Delete Browsing History dialog box.If you enable this policy setting, download history is preserved when the user clicks Delete.If
Delete Browsing History dialog box.If you enable this policy setting, favorites site data is preserved when the user clicks Delete.If you disab
Browsing History dialog box.If you enable this policy setting, form data is preserved when the user clicks Delete.If you disable this policy se
InPrivate Filtering data during browser sessions other than InPrivate Browsing sessions to determine which third-party items should be bl
owsing History dialog box.If you enable this policy setting, passwords are preserved when the user clicks Delete.If you disable this policy se
in the Delete Browsing History dialog box.If you enable this policy setting, temporary Internet files are preserved when the user clicks Dele
This feature is available in the Delete Browsing History dialog box.If you enable this policy setting, websites that the user has visited are p
net browsing history, available by clicking Tools, Internet Options, and then Delete Browsing History in Internet Explorer.If you enable this
olicy, users are prevented from seeing and changing advanced Internet settings, such as security, multimedia, and printing.If you disable t
s policy, users are prevented from seeing and changing connection and proxy settings.If you disable this policy or do not configure it, users
AutoComplete, Wallet, and Profile Assistant settings.If you disable this policy or do not configure it, users can see and change these setting
icy, users are unable to see and change settings for the home page, the cache, history, Web page appearance, and accessibility.If you disa
cy, users are prevented from seeing and changing default settings for privacy.If you disable this policy or do not configure it, users can see
olicy, users are prevented from seeing and changing default settings for Internet programs.If you disable this policy or do not configure it,
licy, it prevents users from seeing and changing settings for security zones, such as scripting, downloads, and user authentication.If you dis
SL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer.If you ena
s to internationalized domain name (IDN) format (Punycode) before sending them to Domain Name System (DNS) servers or to proxy serve
on Format (UTF-8) for mailto links.If you enable this policy setting, Internet Explorer encodes mailto links in UTF-8.If you disable or do not
ctive content on a CD to run.If you enable this policy setting, active content on a CD will run without a prompt.If you disable this policy setti
ram files (non-Internet Explorer components) that are registered with Internet Explorer (such as Macromedia and Java) that are required i
components (such as fonts) that can be installed by Internet Explorer Active Setup. For example, if you open a Web page that requires Japan
works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.If you enable
ads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampere
as browser helper objects, such as toolbars. Browser helper objects may contain flaws such as buffer overruns which impact Internet Expl
er.If you enable this policy setting, Internet Explorer sends a DNT:1 header with all HTTP and HTTPS requests. The DNT:1 header signals to
rsions. When Internet Explorer is set to do this, the checks occur approximately every 30 days, and users are prompted to install new vers
ervers' certificates. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from
ch identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloadi
cted Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website a
nternet Explorer Settings allows the user to reset all settings changed since installation, delete browsing history, and disable add-ons that a
ontain secure (HTTPS) information such as passwords and credit card numbers to the Internet Explorer cache, which may be insecure.If yo
porary Internet Files folder after all browser windows are closed. This protects against storing dangerous files on the computer, or storing
und in Web content. Generally only animated GIF files are affected by this setting; active Web content such as Java applets are not. If you e
ntent. Generally only sound files such as MIDI files are affected by this setting; active Web content such as Java applets are not. If you enab
content. Generally only embedded video files are affected by this setting; active Web content such as Java applets are not. If you enable th
nology that enhances the readability of text on LCD displays.If you enable this policy setting, applications that host MSHTML do not render
.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the brow
n the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view
ormation.If you enable this policy setting, Profile Assistant information will not be provided, and users will not be prompted to provide info
(UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.If you enable this policy setting, you must spec
e next pre-loaded page of a website.Microsoft collects your browsing history to improve how flip ahead with page prediction works. This fe
ty) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.Important: So
e to a webpage by using the keyboard to move the cursor. Caret Browsing supports standard text-editor functionality, such as using the Sh
processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations
policy setting, Internet Explorer uses HTTP 1.1.If you disable this policy setting, Internet Explorer does not use HTTP 1.1.If you do not confi
nnections.If you enable this policy setting, Internet Explorer uses HTTP 1.1 through proxy connections.If you disable this policy setting, Inte
og box.If you enable this policy setting, Internet Explorer displays the Content Advisor setting on the Content tab of the Internet Options d
d. By default, Internet Explorer displays the home page. In Internet Explorer 10, Internet Explorer can start a new browsing session with th
f you enable this policy setting, websites will be able to store application caches on client computers. Allow website database and caches o
.If you enable this policy setting, websites will be able to store an indexed database on client computers. Allow website database and cach
o exceed their storage limit. The "Set default storage limits for websites" policy setting sets the data storage limits for application cac
ed. If the application cache is used before the expiration time limit, it will not be automatically removed. When you set this policy setting, y
websites. When you set this policy setting, you provide the cache limit, in MB.If you enable this policy setting, Internet Explorer displays a
to exceed their storage limit. The "Set default storage limits for websites" policy setting sets the data storage limits for indexed data
The manifest file is used to create the application cache. If any file in the manifest exceeds the allowed size, Internet Explorer sends an err
file associated with an application cache. If the manifest associated with an application cache exceeds the number of resources allowed, i
u set this policy setting, you provide the storage limit in MB. When the limit is reached, Internet Explorer notifies the user, and the user mu
ou set this policy setting, you provide the storage limit in MB. When the limit is reached, Internet Explorer notifies the user, and the user m
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
e are forced into the local Intranet security zone.If you enable this policy setting, local sites which are not explicitly mapped into a zone ar
urity zone.If you enable this policy setting, all network paths are mapped into the Intranet Zone.If you disable this policy setting, network p
tranet security zone.If you enable this policy setting, sites which bypass the proxy server are mapped into the Intranet Zone.If you disable
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
curity zone. These zone numbers have associated security settings that apply to all of the sites in the zone.Internet Explorer has 4 security
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
gs to a domain.If you enable this policy setting, automatic detection of the intranet is turned on, and intranet mapping rules are applied au
is policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different
nd the intranet mapping rules have not been configured. The Notification bar allows the user to enable intranet mappings, if they require
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
l in the Intranet Zone can run active content such as script, ActiveX, Java and Binary Behaviors. The list of restricted protocols may be set in
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains. If you enable this policy setting, users can open windows and frames from other domains and access applicati
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
ricted Sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
l in the Intranet Zone can run active content such as script, ActiveX, Java and Binary Behaviors. The list of restricted protocols may be set in
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains. If you enable this policy setting, users can open windows and frames from other domains and access applicati
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
ricted Sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
l in the Intranet Zone can run active content such as script, ActiveX, Java and Binary Behaviors. The list of restricted protocols may be set in
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains. If you enable this policy setting, users can open windows and frames from other domains and access applicati
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
net sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or na
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains. If you enable this policy setting, users can open windows and frames from other domains and access applicati
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
net sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or na
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains. If you enable this policy setting, users can open windows and frames from other domains and access applicati
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
net sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or na
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains. If you enable this policy setting, users can open windows and frames from other domains and access applicati
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
net sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or na
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains.If you enable this policy setting, users can open additional windows and frames from other domains and acce
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
net sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or na
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains. If you enable this policy setting, users can open windows and frames from other domains and access applicati
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
net sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or na
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
l in the Trusted Sites Zone can run active content such as script, ActiveX, Java and Binary Behaviors. The list of restricted protocols may be
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains.If you enable this policy setting, users can open additional windows and frames from other domains and acce
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
net sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or na
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
l in the Intranet Zone can run active content such as script, ActiveX, Java and Binary Behaviors. The list of restricted protocols may be set in
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains. If you enable this policy setting, users can open windows and frames from other domains and access applicati
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
ricted Sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or
enable this policy setting, Internet Explorer opens tiles only on the desktop.If you disable this policy setting, Internet Explorer does not ope
orer decide, always in Internet Explorer, or always in Internet Explorer on the desktop.If you enable this policy setting, Internet Explorer en
f you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available.I
which can be used to invoke the default phone application on the system.If you enable this policy setting, phone number detection is turne
nd that require additional software.If you enable this policy setting, Internet Explorer plays these files, if the appropriate software is instal
this policy setting, you must specify which of the following actions applies to searches on the Address bar. The user cannot change the spe
en search is enabled on the Address bar. The possible options are: • Disable top result search: When a user performs a search in the A
he address bar based on common URLs. The list of common URLs is stored locally and is updated once a month. No user data is sent over
e Internet Explorer Address bar.Windows Search AutoComplete suggests possible matches when a user is entering a web address in the b
ipher strength. When the user logs on to a secure page, the page cannot grant access unless the Internet browser connects with a prespe
Explorer and Internet Tools.If you enable this policy setting, the user cannot change the URL that is displayed for checking updates to Inte
30 days.If you enable this policy setting, the user cannot specify the update check interval. You must specify the update check interval.If yo
hreshold sets the number of first-party sites that a particular third-party item can be referenced from before it is blocked. Setting this valu
e threshold sets the number of first-party sites that a particular third-party item can be referenced from before it is blocked. Setting this va
are loaded by default during an InPrivate Browsing session.Toolbars and BHOs may store data about a user's browsing session. By default
atic mode.The data consists of the URLs of third-party content, along with data about the first-party websites that referenced it. It is collec
Internet Explorer from storing data about a user's browsing session. This includes cookies, temporary Internet files, history, and other dat
ether third parties can automatically collect information about their browsing based on the sites that they visit. InPrivate Filtering does thi
whether third parties can automatically collect information about their browsing based on the sites that they visit. Tracking Protection doe
sers for a password. The reveal password button is displayed during password entry. When the user clicks the button, the current passwor
on Windows Server 2008, Windows Vista with SP1, and Windows XP with SP3.If you enable this policy setting, Internet Explorer does not
pers to encapsulate images and .css files within the body of the URL and optionally encode them by using base 64 encoding. Malware filter
er. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to ex
rences (as reflected by Add-on Manager) or policy settings. By default, any process other than the Internet Explorer processes or those lis
List' policy setting are denied. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which a
user preferences (as entered into Add-on Manager) or policy settings. By default, only Internet Explorer processes use the add-on manage
ternet Explorer technology to instantiate Flash objects. If you enable this policy setting, Flash is turned off for Internet Explorer, and applic
is policy setting, the user can run natively implemented, scriptable XMLHTTP.If you disable this policy setting, the user cannot run natively
s per host to a limit of your choice (from 2 through 128).If you enable this policy setting, Internet Explorer uses the connection limit of you
s per host to a limit of your choice (from 2 through 128).If you disable or do not configure this policy setting, Internet Explorer will use the
default limit is 6; you can select a value from 2 through 128.If you enable this policy setting, Internet Explorer uses the WebSocket connecti
mains embedded in the page.If you enable this policy setting, documents cannot request data across third-party domains embedded in th
the WebSocket protocol. This policy setting allows administrators to enable or disable the WebSocket object. This policy setting does not p
the XDomainRequest object. Note that this policy setting does not block client-side communication across domains through other feature
y a list of admin-approved behaviors. This list may be configured here, and applies to all processes which have opted in to the behavior, an
nality for the HTML elements to which they are attached. This policy setting controls whether the Binary Behavior Security Restriction setti
d other binaries signed with MD2 and MD4 signing technologies. Internet Explorer 9 does not support MD2 and MD4 signing technologies
nality for the HTML elements to which they are attached. This policy setting controls whether the Binary Behavior Security Restriction setti
nality for the HTML elements to which they are attached. This policy setting controls whether the Binary Behavior Security Restriction setti
g procedures for files received through a Web server.This policy setting determines whether Internet Explorer requires that all file-type inf
g procedures for files received through a Web server.This policy setting determines whether Internet Explorer requires that all file-type inf
g procedures for files received through a Web server.This policy setting determines whether Internet Explorer requires that all file-type inf
e location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restr
e location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restr
e location of the Web page (Internet, Intranet, Local Machine zone, and so on). Web pages on the local computer have the fewest security
file of one type to a more dangerous file type.If you enable this policy setting, the Mime Sniffing Safety Feature is enabled for all processes
file of one type to a more dangerous file type.If you enable this policy setting, MIME sniffing will never promote a file of one type to a mor
file of one type to a more dangerous file type.This policy setting allows administrators to define applications for which they want this secur
K protocol. Resources hosted on the MK protocol will fail.If you enable this policy setting, the MK Protocol is disabled for all processes. Any
K protocol. Resources hosted on the MK protocol will fail.If you enable this policy setting, the MK Protocol is prevented for File Explorer an
K protocol. Resources hosted on the MK protocol will fail.This policy setting allows administrators to define applications for which they wa
s from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protocols is preve
estricted protocols from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted
s from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protocols is preve
tive content obtained through restricted protocols from running in an unsafe manner, either by prompting the user, or simply disabling th
tive content obtained through restricted protocols from running in an unsafe manner, either by prompting the user, or simply disabling th
tive content obtained through restricted protocols from running in an unsafe manner, either by prompting the user, or simply disabling th
tive content obtained through restricted protocols from running in an unsafe manner, either by prompting the user, or simply disabling th
tive content obtained through restricted protocols from running in an unsafe manner, either by prompting the user, or simply disabling th
er than the Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is not displayed for any pro
rer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes.If you en
ses when file or code installs are restricted. By default, the Notification bar is not displayed for any process when file or code installs are r
thin the same domain or to a new domain.If you enable this policy setting, object reference is no longer accessible when navigating within
thin the same domain or to a new domain.If you enable this policy setting, an object reference is no longer accessible when navigating wit
thin the same domain or to a new domain.This policy setting allows administrators to define applications for which they want this security
n the location of the Web page (Internet, Intranet, Local Machine zone, and so on). For example, Web pages on the local computer have t
n the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security r
n the location of the Web page (Internet, Intranet, Local Machine zone, and so on). Web pages on the local computer have the fewest sec
ting of ActiveX control installation.If you enable this policy setting, the Web Browser Control will block automatic prompting of ActiveX con
esses.If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes.If you dis
ting of ActiveX control installation.If you enable this policy setting and enter a Value of 1, automatic prompting of ActiveX control installatio
ting of file downloads that are not user initiated.If you enable this policy setting, the Web Browser Control will block automatic prompting
e this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes.If you disable this pol
ting of file downloads that are not user initiated.If you enable this policy setting and enter a Value of 1, automatic prompting of non-initiat
types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title
types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title
types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title
text labels, show selective text, or show only icons.If you enable this policy setting, command buttons are displayed according to which o
abs are displayed on a separate row.If you disable this policy setting, tabs are not displayed on a separate row.If you do not configure this
Command bar is hidden and the user cannot choose to show it.If you disable this policy setting, the Command bar is shown and the user c
us bar is hidden and the user cannot choose to show it.If you disable this policy setting, the status bar is shown and the user cannot choos
olicy setting, the toolbars are locked and the user cannot move them.If you disable this policy setting, the toolbars are unlocked and the u
ttons.If you enable this policy setting, the Stop and Refresh buttons are next to the Forward and Back buttons, and the user cannot move t
plorer.If you enable this policy setting, the user cannot access Developer Tools.If you disable or do not configure this policy setting, the use
nes whether incompatible toolbars or Browser Helper Objects are installed when Internet Explorer starts. If the tool detects an incompatib
y setting, icons for command buttons are 20 x 20 pixels and cannot be made smaller (16 x 16 pixels).If you disable this policy setting, icons
lso add a search provider from the provider's website.If you enable this policy setting, the user can add and remove search providers, but
with particular web applications.If you enable this policy setting, OnUnLoad script handlers display UI during shutdown.If you disable or do
ft services.If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won't be
lorer are considered to be the same as newly installed add-ons and are not activated when the user upgrades to Internet Explorer 9.In Inte
ustom string in the version portion of the User Agent header.If you disable or do not configure this policy setting, Internet Explorer sends
mponent.If you disable this policy or do not configure it, users will be prompted to download and install a component when visiting a Web
s provided in a file by the system administrator.If you enable this policy setting, the user will not be able to do automatic configuration. Yo
re it, users can change their settings for dial-up connections.If you set the "Disable the Connections page" policy (located in \User Configu
pages.If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot s
other browser allows the user to import favorites and feeds from other browsers. Importing settings from a file allows the user to import
version and notifying users if a new version is available.If you disable this policy or do not configure it, Internet Explorer checks every 30 d
not displayed. If you disable this policy or do not configure it, the splash screen will be displayed when users start their browsers.
ally on users' computers by using Open Software Distribution (.osd) technologies.If you enable this policy, users will not be notified if their
-On Manager. The only exception occurs if an add-on has been specifically entered into the 'Add-On List' policy setting in such a way as to
desktop.The navigation bar includes features for browsing webpages, searching the web by using a selection of search tools, viewing a his
turned on.If you disable this policy setting, automatic upgrade of Internet Explorer will be turned off.If you do not configure this policy, us
policy or do not configure it, users of the same computer can establish their own proxy settings.This policy is intended to ensure that proxy
u can enter a list of sites which will be allowed to open pop-up windows regardless of user settings. Only the domain name is allowed, so w
e or do not configure this policy setting, the user can use the "Fix settings" functionality.Note: When this policy setting is enabled, the "Fix
d from the Command bar. • The shortcut key F1 does not make Help appear. • Help cannot be accessed from the Settings charm (s
us content. SmartScreen Filter also prevents the execution of files that are known to be malicious.If you enable this policy setting, SmartScr
from the Internet.If you enable this policy setting, SmartScreen Filter warnings block the user.If you disable or do not configure this policy
om secure sites.If you enable this policy setting, the user cannot change the filter level. You can specify the filter level by importing Privacy
can configure proxy settings.
der. If you disable or do not configure this policy setting, the user can change the default search provider.
en in Internet Explorer when he or she clicks links from other applications. You must specify one of the following: • Open in an existin
pecify whether tabs should open in the foreground or in the background. The user cannot open the tabs in the background by pressing Ctr
etting, the Search box does not appear in the Internet Explorer frame.If you disable or do not configure this policy setting, the Search box a
or do not configure this policy setting, the user can add websites to or remove websites from the exception list.Note: You can allow a defa
r is known to host malware.If you enable this policy setting, the user is not prompted to turn on SmartScreen Filter. All website addresses
s policy setting, the user is not prompted to enable the phishing filter. You must specify which mode the phishing filter uses: manual, auto
dback Options command does not appear on the Help menu.If you disable this policy setting, the user must participate in the CEIP, and the
onfigure this policy setting, ActiveX controls can be installed on a per-user basis.
ake one of the following choices: • Skip the First Run wizard, and go directly to the user's home page. • Skip the First Run wizard, a
ware\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup,
are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then cl
ty tab in the Internet Options dialog box are disabled.If you disable this policy or do not configure it, users can change the settings for secu
e will apply to all users of that computer.If you disable this policy or do not configure it, users of the same computer can establish their ow
gh, or default. Low creates very few tab processes; medium creates a moderate amount of tab processes; and high allows the tab process
out:blank), the first home page, or the new tab page.If you disable or do not configure this policy setting, the user can select his or her pref
o allow the installation of ActiveX controls.If you disable or do not configure this policy setting, ActiveX controls, including per-user control
es. If you disable or do not configure this policy setting, users can pin sites.
hat Internet Explorer has not used before, a Notification bar will appear, asking the user for approval.If you enable this policy setting, the A
re slowing his or her browsing and displays a button that opens the Disable Add-ons dialog box. The Disable Add-ons dialog box displays th
sable or do not configure this policy setting, Automatic Crash Recovery prompts the user to recover his or her data after a program stops r
rned off.If you disable this policy setting, browser geolocation support is turned on.If you do not configure this policy setting, browser geo
indows in tabbed browsing. You must specify one of the following values: 0: Let Internet Explorer decide. 1: Force pop-up windows to o
Service Pack 1 and earlier, namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply.I
avorites bar is turned on. If you do not configure this policy setting, the user can turn on or turn off the Favorites bar.
nown to host malware.If you enable this policy setting, the user is not prompted to turn on SmartScreen Filter. You must specify which mo
content to be re-rendered at a scaled size.If you disable or do not configure this policy setting, applications that host MSHTML respond to
le (grayed out) and all other pop-up manager controls, notifications, and dialog boxes will not appear. Pop-up windows will continue to fun
you disable or do not configure this policy setting, Quick Tabs is turned on.
ing Session feature.If you disable or do not configure this policy setting, the user can use the Reopen Last Browsing Session feature.
do not configure this policy setting, the user can choose to view suggestions for all user-installed search providers that offer suggestions.
p.If you enable this policy setting, tabbed browsing and related entry points are turned off for Internet Explorer, and the user cannot turn
eb addresses. The user cannot change the auto-complete for web-address setting.If you disable this policy setting, user will be suggested m
s not appear until the user starts typing.If you disable or do not configure this policy setting, when a user clicks in the Search box, the quick
feature is turned off. If you disable or do not configure this policy setting, the feature is turned on.
perly.If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, althou
can log information that is blocked by new Internet Explorer features. The user cannot turn off logging.If you disable this policy setting, th
t, and the user cannot turn it off.If you disable this policy setting, the menu bar appears in Internet Explorer by default, and the user canno
that the user might want to visit. If you enable this policy setting, the user is not prompted to enable Suggested Sites. The user's brows
user cannot remove or change the Accelerators that this policy setting has added. Default and non-default Accelerators should not overla
t the user cannot remove or change the Accelerators that this policy setting has added. Default and non-default Accelerators should not o
d through Group Policy. The user cannot add or delete Accelerators.If you disable or do not configure this policy setting, the user can acce
access Accelerators and install new Accelerators.
ng, the user is not prompted when a script that is running in any process on the computer performs a Clipboard operation. This means tha
ne is set to prompt.If you enable this policy setting, the user is not prompted when a script that is running in the Internet Explorer process
Internet Explorer processes, use the "Bypass prompting for Clipboard access for scripts running in the Internet Explorer process" policy. If
Explorer and any printers under the Devices charm.If you enable this policy setting, the Print menu in Internet Explorer will not be availabl
used during browser navigation. If a user visits a site on the compatibility lists, the pages are automatically displayed in Compatibility View
use the Compatibility View button or manage the Compatibility View sites list.If you disable or do not configure this policy setting, the user
able this policy setting, the user cannot use the Compatibility View button.If you disable or do not configure this policy setting, the user can
in Internet Explorer 7 Standards Mode or the Standards Mode available in the latest version of Internet Explorer.If you enable this policy s
ernet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in
nnot remove the entries that you specify.If you disable or do not configure this policy setting, the user can add and remove sites from the
net Explorer.If you enable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appe
rify, and install code for an Object Linking and Embedding (OLE) component.If you enable this policy setting, the user cannot specify the do
et files, cookies, history, form data, and passwords) are applied, and those items are deleted.If you enable this policy setting, deleting brow
menu, click Internet Options, click the General tab, and then click Settings under Browsing history.If you enable this policy setting, a user c
er 10" in the TechNet technical library.If you enable this policy setting, the user cannot access the Delete Browsing History dialog box. Starti
o disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the Personalized Tr
If you disable this policy setting, cookies are deleted when the user clicks Delete.If you do not configure this policy setting, the user can ch
when the user clicks Delete.If you disable this policy setting, download history is deleted when the user clicks Delete.If you do not configu
e user clicks Delete.If you disable this policy setting, favorites site data is deleted when the user clicks Delete.If you do not configure this po
ete.If you disable this policy setting, form data is deleted when the user clicks Delete.If you do not configure this policy setting, the user can
third-party items should be blocked when InPrivate Filtering is enabled. This feature is available in the Delete Browsing History dialog box.
ete.If you disable this policy setting, passwords are deleted when the user clicks Delete.If you do not configure this policy setting, the user
rved when the user clicks Delete.If you disable this policy setting, temporary Internet files are deleted when the user clicks Delete.If you do
that the user has visited are preserved when he or she clicks Delete.If you disable this policy setting, websites that the user has visited are
net Explorer.If you enable this policy setting, users will not be able to delete temporary Internet files and cookies.If you disable or do not c
a, and printing.If you disable this policy or do not configure it, users can see and change these settings.When you set this policy, you do no
cy or do not configure it, users can see and change these settings.When you set this policy, you do not need to set the following policies fo
n see and change these settings.
e, and accessibility.If you disable this policy or do not configure it, users can see and change these settings.When you set this policy, you d
not configure it, users can see and change these settings.
s policy or do not configure it, users can see and change these settings.When you set this policy, you do not need to set the following polic
d user authentication.If you disable this policy or do not configure it, users can see and change these settings.When you set this policy, you
n Internet Explorer.If you enable this policy setting, the user cannot continue browsing.If you disable or do not configure this policy settin
(DNS) servers or to proxy servers.If you enable this policy setting, you must specify when IDN server names should be sent: 0) Unicode do
UTF-8.If you disable or do not configure this policy setting, Internet Explorer sends mailto links encoded through the user's code page. This
t.If you disable this policy setting, active content on a CD will always prompt before running.If you do not configure this policy, users can c
a and Java) that are required in order to view web pages as intended.If you enable this policy setting, non-Internet Explorer components w
Web page that requires Japanese-text display support, Internet Explorer could prompt the user to download the Japanese Language Pack
nd prioritization.If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.If you disable this policy setting, Inte
ate that someone has tampered with the file.If you enable this policy setting, users will be prompted to install or run files with an invalid si
ns which impact Internet Explorer's performance or stability.If you enable this policy setting, Internet Explorer automatically launches any
s. The DNT:1 header signals to the servers not to track the user.For Internet Explorer 9 and 10:If you disable this policy setting, Internet Exp
e prompted to install new versions as they become available.If you enable this policy setting, Internet Explorer checks the Internet for a ne
his option protects users from submitting confidential data to a site that may be fraudulent or not secure.If you enable this policy setting, I
computers before downloading executable programs.If you enable this policy setting, Internet Explorer will check the digital signatures of
otected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in reg
ory, and disable add-ons that are not preapproved.If you enable this policy setting, the user cannot use Reset Internet Explorer Settings.If y
e, which may be insecure.If you enable this policy setting, Internet Explorer will not save encrypted pages containing secure (HTTPS) inform
s on the computer, or storing sensitive files that other users could see, in addition to managing total disk space usage.If you enable this po
as java applets are not.If you enable this policy setting, Internet Explorer will play animated pictures found in Web content.If you disable th
ava applets are not.If you enable this policy setting, Internet Explorer will play sounds found in Web content.If you disable this policy settin
pplets are not.If you enable this policy setting, Internet Explorer will play videos found in Web content.If you disable this policy setting, Int
t host MSHTML do not render text by using the Microsoft ClearType rendering engine.If you disable or do not configure this policy setting,
munication between the browser and the target server. When the browser attempts to set up a protected communication with the targe
e seamlessly switches into view.If you enable this policy setting, Internet Explorer doesn't load any websites or content in the background.
ot be prompted to provide information.If you disable this policy setting, then when a Web site requests Profile Assistant information, user
s policy setting, you must specify when to use UTF-8 to encode query strings: 0) Never encode query strings. 1) Only encode query strin
page prediction works. This feature isn't available for Internet Explorer for the desktop.If you enable this policy setting, flip ahead with pa
ons of Windows.Important: Some ActiveX controls and toolbars may not be available when 64-bit processes are used.If you enable this po
ctionality, such as using the Shift key to select text and copying a selection to the clipboard. This policy setting is particularly useful to user
Mode also limits the locations Internet Explorer can read from in the registry and the file system.If you enable this policy setting, Enhanced
e HTTP 1.1. If you do not configure this policy setting, users can configure Internet Explorer to use or not use HTTP 1.1.
disable this policy setting, Internet Explorer does not use HTTP 1.1 through proxy connections.If you do not configure this policy setting, us
t tab of the Internet Options dialog box. Users can change Content Advisor settings.If you disable or do not configure this policy setting, In
new browsing session with the tabs from the last browsing session.If you enable this policy setting, Internet Explorer starts a new browsin
website database and caches on Website Data Settings will be unavailable to users.If you disable this policy setting, websites will not be ab
ow website database and caches on Website Data Settings will be unavailable to users.If you disable this policy setting, websites will not b
orage limits for application caches. If a domain exceeds the application cache storage limit for an individual domain, Internet Explorer send
en you set this policy setting, you provide the expiration time limit in days.If you enable this policy setting, Internet Explorer will remove ap
ng, Internet Explorer displays a notification when a website exceeds the configured storage limit.If you disable or do not configure this poli
storage limits for indexed databases. If a domain exceeds the indexed database storage limit for an individual domain, Internet Explorer se
Internet Explorer sends an error to the website. No notification will be displayed to the user. When you set this policy setting, you provide
umber of resources allowed, including the page that referenced the manifest, Internet Explorer sends an error to the website. No notificati
fies the user, and the user must delete application caches before an updated one can be saved on their computer. The default maximum
otifies the user, and the user must delete indexed databases before an updated database can be saved on their computer. The default max
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.If you disa
plicitly mapped into a zone are considered to be in the Intranet Zone.If you disable this policy setting, local sites which are not explicitly m
e this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).If you do not con
e Intranet Zone.If you disable this policy setting, sites which bypass the proxy server aren't necessarily mapped into the Intranet Zone (oth
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.If you disa
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.If you disa
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.If you disa
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.If you disa
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.If you disa
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.If you disa
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.If you disa
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.If you disa
ternet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intra
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.If you disa
t mapping rules are applied automatically if the computer belongs to a domain.If you disable this policy setting, automatic detection of th
rtificates issued for a different website address. This warning helps prevent spoofing attacks.If you enable this policy setting, the certificate
net mappings, if they require them.If you enable this policy setting, a Notification bar notification appears whenever the user browses to a
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
tricted protocols may be set in the Intranet Zone Restricted Protocols section under Network Protocol Lockdown policy.If you enable this
-down box, users are queried to choose whether to allow script code on pages in the zone to run.If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation.If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.If
he file is delivered.If you enable this policy setting, files can be downloaded from the zone.If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.If you disable this policy setting,
zone automatically.If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web.If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation.If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page.If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files.If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed.If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature.If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is not allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file d
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
e domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow win
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether o
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by th
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
tricted protocols may be set in the Intranet Zone Restricted Protocols section under Network Protocol Lockdown policy. If you enable this
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, user
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
e domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow win
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by th
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
tricted protocols may be set in the Intranet Zone Restricted Protocols section under Network Protocol Lockdown policy. If you enable this
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, user
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
e domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow win
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether o
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
n open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the P
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is not allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file d
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
e domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow win
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether o
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
n open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the P
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is not allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file d
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature.If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations.Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol.Prompt for user name and password to query users for user ID
e domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow win
g Enable, or Disable, under Options in Group Policy Editor.If you disable, or do not configure this policy setting, users can choose whether
ferenced from an object tag and managed executables referenced from a link.If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link.If you enable this policy setting, Internet Explorer will execute si
tion.If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run.If you disable
ntervention.If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.If you disable this policy setting, scrip
File Explorer, for example).If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission.If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted.If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections.If you disable this policy setting, the XSS Filter is turned o
try and the file system.If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode.If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.If you do not configure this policy setting
wanted pop-up windows are prevented from appearing.If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured.If you enable this policy setting, users can preser
n open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the P
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
-down box, users are queried to choose whether to allow script code on pages in the zone to run.If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation.If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.If
he file is delivered.If you enable this policy setting, files can be downloaded from the zone.If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.If you disable this policy setting,
zone automatically.If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web.If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation.If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page.If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files.If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is not allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file d
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
e domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow win
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether o
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
n open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the P
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is not allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file d
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
s from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether t
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether o
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
n open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the P
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is not allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file d
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
e domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow win
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
n open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the P
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
of restricted protocols may be set in the Trusted Sites Zone Restricted Protocols section under Network Protocol Lockdown policy. If you en
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is not allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file d
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
s from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether t
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether o
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
n open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the P
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
tricted protocols may be set in the Intranet Zone Restricted Protocols section under Network Protocol Lockdown policy. If you enable this
-down box, users are queried to choose whether to allow script code on pages in the zone to run.If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation.If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.If
he file is delivered.If you enable this policy setting, files can be downloaded from the zone.If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.If you disable this policy setting,
zone automatically.If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web.If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation.If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page.If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files.If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed.If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature.If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is allowed to update the status bar.
ernal controls or media players.The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar.If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar.If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed.If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts.If you disable or do not configure this setting, user
tems.If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate.If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature.If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations.Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol.Prompt for user name and password to query users for user ID
e domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow win
g Enable, or Disable, under Options in Group Policy Editor.If you disable, or do not configure this policy setting, users can choose whether
ferenced from an object tag and managed executables referenced from a link.If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link.If you enable this policy setting, Internet Explorer will execute si
tion.If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run.If you disable
ntervention.If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.If you disable this policy setting, scrip
File Explorer, for example).If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission.If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted.If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections.If you disable this policy setting, the XSS Filter is turned o
try and the file system.If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode.If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.If you do not configure this policy setting
wanted pop-up windows are prevented from appearing.If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured.If you enable this policy setting, users can preser
can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by th
nternet Explorer does not open tiles on the desktop.If you do not configure this policy, users can choose how Internet Explorer tiles are op
y setting, Internet Explorer enforces your choice. Users cannot change the setting.If you disable or do not configure this policy setting, use
Address bar, if it is available.If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site
one number detection is turned off. Users won't be able to modify this setting.If you disable this policy setting, phone number detection is
appropriate software is installed.If you disable this policy setting, Internet Explorer does not play these files.If you do not configure this po
he user cannot change the specified action. • Do not search from the Address bar: The user cannot use the Address bar for searches. T
ser performs a search in the Address bar, a list of search results from the selected search provider is displayed in the main window. •
nth. No user data is sent over the internet by this feature.If you enable this policy setting, URL Suggestions will be turned off. Users will not
ntering a web address in the browser Address bar. This feature provides more relevant results in the browser Address bar.If you enable th
owser connects with a prespecified encryption. To ensure that the browser meets this requirement, this policy setting allows you to specif
d for checking updates to Internet Explorer and Internet Tools. You must specify this URL.If you disable or do not configure this policy setti
the update check interval.If you disable or do not configure this policy setting, the user can specify the update check interval.
e it is blocked. Setting this value lower can help prevent more third-party sites from obtaining details about a user's browsing. However, do
re it is blocked. Setting this value lower can help prevent more third-party sites from obtaining details about a user's browsing. However,
s browsing session. By default, the computer does not load them when InPrivate Browsing starts.If you enable this policy setting, toolbars
s that referenced it. It is collected during non-InPrivate (normal) browsing sessions.If you enable this policy setting, InPrivate Filtering data
et files, history, and other data.If you enable this policy setting, InPrivate Browsing is turned off.If you disable this policy setting, InPrivate
sit. InPrivate Filtering does this by identifying third-party content that is used by multiple websites that users have visited.If you enable thi
y visit. Tracking Protection does this by identifying third-party content that is used by multiple websites that users have visited.If you enab
e button, the current password value is visible until the mouse button is released (or until the tap ends).If you enable this policy setting, th
ng, Internet Explorer does not turn on Data Execution Prevention on platforms that support the SetProcessDEPPolicy function.If you disabl
se 64 encoding. Malware filters or other network-based filters may not properly filter encapsulated data.If you enable this policy setting, D
h are specifically written to extend or enhance the functionality of the browser or web pages.This list can be used with the 'Deny all add-o
Explorer processes or those listed in the 'Process List' policy setting ignore add-on management user preferences and policy settings.If you
Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.By default, the 'A
esses use the add-on management user preferences and policy settings. This policy setting allows you to extend support for these user pr
r Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog b
g, the user cannot run natively implemented, scriptable XMLHTTP.If you do not configure this policy setting, the user can choose to run nati
es the connection limit of your choice for HTTP 1.1.If you disable or do not configure this policy setting, Internet Explorer uses the default
Internet Explorer will use the default connection limit for HTTP 1.0 (6 connections per host).In versions of Internet Explorer prior to Intern
r uses the WebSocket connection limit that you set with this policy setting.If you disable or do not configure this policy setting, Internet Ex
arty domains embedded in the page.If you disable or do not configure this policy setting, documents can request data across third-party d
. This policy setting does not prevent client-side communication across domains via other features in Internet Explorer 10. Also, this policy
domains through other features in Internet Explorer 8, and it does not prevent a site from requesting cross-domain data through a server.I
ve opted in to the behavior, and to all zones. (Behaviors are components that encapsulate specific functionality or behavior on a page.)If y
avior Security Restriction setting is prevented or allowed.If you enable this policy setting, binary behaviors are prevented for all processes.
nd MD4 signing technologies by default, because they are not as secure as other technologies.If you enable this policy setting, Internet Ex
avior Security Restriction setting is prevented or allowed.If you enable this policy setting, binary behaviors are prevented for the File Explo
avior Security Restriction setting is prevented or allowed.This policy setting allows administrators to define applications for which they wa
er requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the
er requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the
er requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the
have the fewest security restrictions and reside in the Local Machine zone.Local Machine zone security applies to all local files and content
have the fewest security restrictions and reside in the Local Machine zone.Local Machine zone security applies to all local files and content
puter have the fewest security restrictions and reside in the Local Machine zone.Local Machine zone security applies to all local files and c
ure is enabled for all processes.If you disable or do not configure this policy setting, the Mime Sniffing Safety Feature is disabled for all proc
ote a file of one type to a more dangerous file type.If you disable this policy setting, Internet Explorer processes will allow a MIME sniff pro
for which they want this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1, this protection
disabled for all processes. Any use of the MK Protocol is blocked.If you disable or do not configure this policy setting, the MK Protocol is en
prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.If you disable this policy setting, applic
pplications for which they want this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1, us
h restricted protocols is prevented or allowed.If you enable this policy setting, restricting content obtained through restricted protocols is
t obtained through restricted protocols is prevented or allowed.If you enable this policy setting, restricting content obtained through restr
h restricted protocols is prevented or allowed.This policy setting allows administrators to define applications for which they want restricti
he user, or simply disabling the content. For each zone, this list of protocols may be configured here, and applies to all processes which ha
he user, or simply disabling the content. For each zone, this list of protocols may be configured here, and applies to all processes which ha
he user, or simply disabling the content. For each zone, this list of protocols may be configured here, and applies to all processes which ha
he user, or simply disabling the content. For each zone, this list of protocols may be configured here, and applies to all processes which ha
he user, or simply disabling the content. For each zone, this list of protocols may be configured here, and applies to all processes which ha
ar is not displayed for any process when file or code installs are restricted (except for the Internet Explorer Processes, for which the Notifi
t Explorer processes.If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes.If you disable th
when file or code installs are restricted (except for the Internet Explorer Processes, for which the Notification bar is displayed by default).If
essible when navigating within or across domains for all processes.If you disable or do not configure this policy setting, object reference is
accessible when navigating within or across domains for Internet Explorer processes.If you disable this policy setting, an object reference is
which they want this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1, references to ob
s on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone
uter have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for
computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime targ
matic prompting of ActiveX control installation for all processes.If you disable or do not configure this policy setting, the Web Browser Cont
t Explorer processes.If you disable this policy setting, prompting for ActiveX control installations will not be blocked for Internet Explorer p
ng of ActiveX control installation is blocked. If you enter a Value of 0, automatic prompting of ActiveX control installation is allowed. The V
ill block automatic prompting of file downloads that are not user initiated for all processes.If you disable this policy setting, the Web Brows
ocesses.If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes
matic prompting of non-initiated file downloads is blocked. If you enter a Value of 0, automatic prompting of non-initiated file downloads i
ing windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.If you enable th
ing windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.If you enable th
ing windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.This policy setti
isplayed according to which one of the following options you choose, and the user cannot change how command buttons are displayed:Sh
w.If you do not configure this policy setting, the user can change where tabs are displayed.
nd bar is shown and the user cannot choose to hide it.If you do not configure this policy setting, the Command bar is shown by default, an
wn and the user cannot choose to hide it.If you do not configure this policy setting, the status bar is shown by default, and the user can ch
olbars are unlocked and the user can move them.If you do not configure this policy setting, the toolbars are locked by default, but the use
s, and the user cannot move them.If you disable this policy setting, the Stop and Refresh buttons are next to the Address bar, and the user
gure this policy setting, the user can access Developer Tools.
the tool detects an incompatible toolbar, the user is prompted to update or disable the toolbar. Specific toolbars or Browser Helper Objec
sable this policy setting, icons for command buttons are 16 x 16 pixels (the default) and cannot be made bigger (20 x 20 pixels).If you do n
remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HK
shutdown.If you disable or do not configure this policy setting, OnUnLoad script handlers do not display UI during shutdown (default beha
ar. In addition, users won't be able to change the Suggestions setting on the Settings charm.If you disable this policy setting, users won't re
es to Internet Explorer 9.In Internet Explorer 9, add-ons are defined as toolbars, Browser Helper Objects, or Explorer bars. ActiveX controls
tting, Internet Explorer sends the current Internet Explorer version in the User Agent header (for example, "MSIE 7.0").
omponent when visiting a Web site that uses that component.This policy is intended to help the administrator control which components
o automatic configuration. You can import your current connection settings from your machine using Internet Explorer Maintenance unde
olicy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do n
ome pages. The user cannot set custom default secondary home pages.If you disable or do not configure this policy setting, the user can a
file allows the user to import favorites, feeds and cookies from a file. Exporting settings to a file allows the user to export favorites, feeds
net Explorer checks every 30 days by default, and then notifies users if a new version is available.This policy is intended to help the admin
start their browsers.
ers will not be notified if their programs are updated using Software Distribution Channels.If you disable this policy or do not configure it, u
icy setting in such a way as to allow users to continue to manage the add-on. In this case, the user can still manage the add-on through th
n of search tools, viewing a history of visited pages, printing, and accessing email and newsgroups. The menu bar contains menus that open
o not configure this policy, users can turn on or turn off automatic updates from the About Internet Explorer dialog.
intended to ensure that proxy settings apply uniformly to the same computer and do not vary from user to user.
domain name is allowed, so www.contoso.com is valid, but not http://www.contoso.com. Wildcards are allowed, so *.contoso.com is also
icy setting is enabled, the "Fix settings" command on the Notification bar shortcut menu should be disabled.
sed from the Settings charm (starting with Internet Explorer 10 on Windows 8).If you disable or do not configure this policy setting, the Int
le this policy setting, SmartScreen Filter warnings block the user.If you disable or do not configure this policy setting, the user can bypass S
or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
lter level by importing Privacy settings from your computer under Internet Explorer Maintenance.If you disable or do not configure this po

wing: • Open in an existing Internet Explorer window. If tabbed browsing is enabled, a new tab is created in this scenario. • Open
he background by pressing Ctrl+Shift+Select or open the tabs in the foreground by pressing Ctrl+Shift+Select.If you disable or do not config
policy setting, the Search box appears by default in the Internet Explorer frame.Note: If you enable this policy setting, Internet Explorer doe
list.Note: You can allow a default list of sites that can open pop-up windows regardless of the Internet Explorer process's Pop-Up Blocker s
n Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user.If you di
shing filter uses: manual, automatic, or off.If you select manual mode, the phishing filter performs only local analysis, and the user is prom
participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.If you do not configure this polic

• Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. Starting with Windows 8, the "Welcome to I
rd-party toolbars or in Setup, but the user can also add them from a search provider's website.If you enable this policy setting, the user ca
k the Security tab, and then click the Sites button.)If you disable this policy or do not configure it, users can add Web sites to or remove sit
an change the settings for security zones.This policy prevents users from changing security zone settings established by the administrator.N
mputer can establish their own security zone settings.This policy is intended to ensure that security zone settings apply uniformly to the sa
nd high allows the tab process to grow very quickly and is intended only for computers that have ample physical memory. The default setti
user can select his or her preference for this behavior. The new tab page is the default setting.
ols, including per-user controls, are installed through the standard installation process.

enable this policy setting, the ActiveX Opt-In prompt does not appear. Internet Explorer does not ask the user for permission to load an Ac
Add-ons dialog box displays the load time for each group of add-ons enabled in the browser. It allows the user to disable add-ons and con
er data after a program stops responding.
his policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab.
1: Force pop-up windows to open in new windows. 2: Force pop-up windows to open on new tabs.If you disable or do not configure thi
Reporting continue to apply.If you disable or do not configure this policy setting, the crash detection feature for add-on management will

er. You must specify which mode the SmartScreen Filter uses: on, or off.All website addresses that are not on the filter's allow list are sent
hat host MSHTML respond to user input that causes the content to be re-rendered at a scaled size.
p windows will continue to function as they did in Windows XP Service Pack 1 or earlier, although windows launched off screen will contin

owsing Session feature.


iders that offer suggestions.
rer, and the user cannot turn them on.If you disable this policy setting, tabbed browsing and related entry points appear on the user inter
etting, user will be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting.
ks in the Search box, the quick pick menu appears.

rn off ActiveX Filtering, although they may add per-site exceptions.If you disable or do not configure this policy setting, ActiveX Filtering is
u disable this policy setting, the user cannot log information that is blocked by new Internet Explorer features. The user cannot turn on log
by default, and the user cannot turn it on.If you do not configure this policy setting, the menu bar is turned off by default. The user can tur
ted Sites. The user's browsing history is sent to Microsoft to produce suggestions. If you disable this policy setting, the entry points and
Accelerators should not overlap.If you disable or do not configure this policy setting, the user has Accelerators that are provided through fi
ault Accelerators should not overlap.If you disable or do not configure this policy setting, the user has Accelerators that are provided throu
olicy setting, the user can access any Accelerators that he or she has installed.

ard operation. This means that if the zone behavior is currently set to prompt, it will be bypassed and enabled.If you disable this policy setti
n the Internet Explorer process performs a Clipboard operation. In the Internet Explorer process, if the zone behavior is currently set to pro
et Explorer process" policy. If the "Bypass prompting for Clipboard access for scripts running in any process" policy setting is enabled, the p
et Explorer will not be available. Starting with Windows 8, the Print flyout for Internet Explorer will not be available, and users will not see
isplayed in Compatibility View.If you disable this policy setting, the Microsoft-provided website lists are not used. Additionally, the user ca
ure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list.
this policy setting, the user can use the Compatibility View button.
lorer.If you enable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended).
ndards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this beha
dd and remove sites from the list.
with an additional string appended). Additionally, webpages included in this list appear in Quirks Mode.
the user cannot specify the download path for the code. You must specify the download path.If you disable or do not configure this policy
his policy setting, deleting browsing history on exit is turned on.If you disable this policy setting, deleting browsing history on exit is turned
able this policy setting, a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You must s
wsing History dialog box. Starting with Windows 8, users cannot click the Delete Browsing History button on the Settings charm. If you disa
rs turn on the Personalized Tracking Protection List, which blocks third-party items while the user is browsing. With at least Internet Explor
policy setting, the user can choose whether to delete or preserve cookies when he or she clicks Delete. If the "Prevent access to Delete Bro
s Delete. If you do not configure this policy setting, the user can choose whether to delete or preserve download history when he or she cl
. If you do not configure this policy setting, the user can choose whether to delete or preserve favorites site data when he or she clicks Dele
this policy setting, the user can choose whether to delete or preserve form data when he or she clicks Delete. If the "Prevent access to Dele
e Browsing History dialog box. If you enable this policy setting, InPrivate Filtering data is preserved when the user clicks Delete. If you disab
re this policy setting, the user can choose whether to delete or preserve passwords when he or she clicks Delete. If the "Prevent access to D
the user clicks Delete. If you do not configure this policy setting, the user can choose whether to delete or preserve temporary Internet file
s that the user has visited are deleted when he or she clicks Delete. If you do not configure this policy setting, the user can choose whethe
okies. If you disable or do not configure this policy setting, users will be able to delete temporary Internet files and cookies.
n you set this policy, you do not need to set the "Disable changing Advanced page settings" policy (located in \User Configuration\Administ
to set the following policies for the Content tab, because this policy removes the Connections tab from the interface: "Disable Internet Con

When you set this policy, you do not need to set the following Internet Explorer policies (located in \User Configuration\Administrative Tem

need to set the following policies for the Programs tab, because this policy removes the Programs tab from the interface: "Disable changing
. When you set this policy, you do not need to set the following Internet Explorer policies, because this policy removes the Security tab fro
not configure this policy setting, the user can choose to ignore certificate errors and continue browsing.
hould be sent: 0) Unicode domain names are never converted to IDN format. 1) Unicode domain names are converted to IDN format o
ugh the user's code page. This behavior matches the behavior of Internet Explorer 6 and earlier. The user can change this behavior on the
nfigure this policy, users can choose whether to be prompted before running active content on a CD.
ternet Explorer components will be automatically installed as necessary. If you disable this policy setting, users will be prompted when non
d the Japanese Language Pack component if it is not already installed. If you enable this policy setting, Web components such as fonts will
disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol. If you don't configure this policy setting, users can turn
ll or run files with an invalid signature. If you disable this policy setting, users cannot run or install files with an invalid signature. If you do n
er automatically launches any browser helper objects that are installed on the user's computer. If you disable this policy setting, browser h
this policy setting, Internet Explorer only sends the Do Not Track header if a Tracking Protection List is enabled or InPrivate Browsing mode
er checks the Internet for a new version approximately every 30 days and prompts the user to download new versions when they are avai
ou enable this policy setting, Internet Explorer will check to see if server certificates have been revoked. If you disable this policy setting, In
check the digital signatures of executable programs and display their identities before downloading them to user computers. If you disable
ption to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced
t Internet Explorer Settings. If you disable or do not configure this policy setting, the user can use Reset Internet Explorer Settings.
ntaining secure (HTTPS) information to the cache. If you disable this policy setting, Internet Explorer will save encrypted pages containing s
ace usage. If you enable this policy setting, Internet Explorer will delete the contents of the user's Temporary Internet Files folder when all b
n Web content. If you disable this policy setting, Internet Explorer will not play or download animated pictures, helping pages display more
If you disable this policy setting, Internet Explorer will not play or download sounds in Web content, helping pages display more quickly. If
u disable this policy setting, Internet Explorer will not play or download videos, helping pages display more quickly. If you do not configure t
t configure this policy setting, applications that host MSHTML render text by using the Microsoft ClearType rendering engine.
ommunication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attem
or content in the background. If you disable this policy setting, Internet Explorer preemptively loads websites and content in the backgroun
le Assistant information, users will be prompted to choose which information to share. At that time, users can also choose to allow this in
s. 1) Only encode query strings for URLs that aren't in the Intranet zone. 2) Only encode query strings for URLs that are in the Intranet
licy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background. If you disable this policy s
are used. If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on
ng is particularly useful to users who do not use a mouse. If you enable this policy setting, Caret Browsing is turned on. If you disable this po
e this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected

onfigure this policy setting, users can configure Internet Explorer to use or not use HTTP 1.1 through proxy connections.
onfigure this policy setting, Internet Explorer does not display the Content Advisor setting on the Content tab of the Internet Options dialo
Explorer starts a new browsing session with the tabs from the last browsing session. Users cannot change this option to start with the hom
etting, websites will not be able to store application caches on client computers. Allow website database and caches on Website Data Setti
icy setting, websites will not be able to store an indexed database on client computers. Allow website database and caches on Website Da
domain, Internet Explorer sends an error to the website. No notification will be displayed to the user. This group policy sets the maximum
ternet Explorer will remove application caches that haven't been used within the timeframe set in this policy setting. If you disable or do n
e or do not configure this policy setting, users can set default data storage limits for indexed databases and application caches.
l domain, Internet Explorer sends an error to the website. No notification is sent to the user. This group policy sets the maximum data sto
his policy setting, you provide the resource size limit, in MB. The default is 50 MB. If you enable this policy setting, Internet Explorer will all
or to the website. No notification will be displayed to the user. When you set this policy setting, you provide the resource limit as a numbe
puter. The default maximum storage limit for all application caches is 1 GB. If you enable this policy setting, you can set the maximum stor
eir computer. The default maximum storage limit for all indexed databases is 4 GB. If you enable this policy setting, you can set the maxim
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
ites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zon
p one there). If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.
ped into the Intranet Zone (other rules might map one there). If you do not configure this policy setting, users choose whether sites which b
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
es to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
ng, automatic detection of the intranet is turned off, and intranet mapping rules are applied however they are configured. If this policy setti
is policy setting, the certificate address mismatch warning always appears. If you disable or do not configure this policy setting, the user ca
henever the user browses to a page that loads content from an intranet site. If you disable this policy setting, a Notification bar notification
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
down policy. If you enable this policy setting, no Intranet Zone content accessed is affected, even for protocols on the restricted list. If you s
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloade
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a
of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the fil
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot o
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applet
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is is
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
down policy. If you enable this policy setting, no Intranet Zone content accessed is affected, even for protocols on the restricted list. If you s
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloade
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, users will receive a file download dialog for automatic download attempts.
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot o
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applet
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, pop-up windows are not prevented from appearing.
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is is
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
down policy. If you enable this policy setting, no Intranet Zone content accessed is affected, even for protocols on the restricted list. If you s
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloade
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, users will receive a file download dialog for automatic download attempts.
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot o
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applet
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, pop-up windows are not prevented from appearing.
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
curity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issu
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, users are quer
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloade
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the fil
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot o
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applet
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
curity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issu
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, users are quer
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloade
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the fil
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot o
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applet
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, pop-up windows are not prevented from appearing.
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
curity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issu
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, users are quer
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloade
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the fil
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot o
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applet
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, pop-up windows are not prevented from appearing.
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
curity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issu
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files are prevented fro
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried w
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the fil
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
x, users are queried whether to allow additional windows and frames to access applications from other domains. If you disable this policy
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts are prevented fro
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
curity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issu
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, users are quer
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloade
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the fil
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot o
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applet
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, pop-up windows are not prevented from appearing.
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
curity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issu
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
ocol Lockdown policy. If you enable this policy setting, no Trusted Sites Zone content accessed is affected, even for protocols on the restric
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files are prevented fro
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried w
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the fil
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
x, users are queried whether to allow additional windows and frames to access applications from other domains. If you disable this policy
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts are prevented fro
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
curity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issu
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
down policy. If you enable this policy setting, no Intranet Zone content accessed is affected, even for protocols on the restricted list. If you s
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloade
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, users will receive a file download dialog for automatic download attempts.
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot o
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applet
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, pop-up windows are not prevented from appearing.
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is is
w Internet Explorer tiles are opened.
nfigure this policy setting, users can choose how links are opened in Internet Explorer.
go directly to an intranet site for a one-word entry in the Address bar.
g, phone number detection is turned on. Users won't be able to modify this setting. If you don't configure this policy setting, users can turn
. If you do not configure this policy setting, the user can change the "Enable alternative codecs in HTML5 media elements" setting on the A
he Address bar for searches. The user can still perform searches on the Search bar by clicking the Search button. • Display the results
ed in the main window. • Enable top result search: When a user performs a search in the Address bar, the user is directed to an extern
ill be turned off. Users will not be able to turn on URL Suggestions. If you disable this policy setting, URL Suggestions will be turned on. Use
r Address bar. If you enable this policy setting, Internet Explorer does not use Windows Search AutoComplete for providing relevant result
cy setting allows you to specify the URL to update the browser security setting. If you enable this policy setting, the user cannot specify the
o not configure this policy setting, the user can change the URL that is displayed for checking updates to Internet Explorer and Internet Too
te check interval.
user's browsing. However, doing so may cause compatibility issues on some websites. The allowed value range is 3 through 30. If you ena
a user's browsing. However, doing so may cause compatibility issues on some websites. The allowed value range is 3 through 30. If you en
ble this policy setting, toolbars and BHOs are not loaded by default during an InPrivate Browsing session. If you disable this policy setting, to
etting, InPrivate Filtering data collection is turned off. If you disable this policy setting, InPrivate Filtering collection is turned on. If you do n
e this policy setting, InPrivate Browsing is available for use. If you do not configure this policy setting, InPrivate Browsing can be turned on
s have visited. If you enable this policy setting, InPrivate Filtering is turned off in all browsing sessions, and InPrivate Filtering data is not col
users have visited. If you enable this policy setting, Tracking Protection is disabled in all browsing sessions, and Tracking Protection data is
u enable this policy setting, the reveal password button will be hidden for all password fields. Users and developers will not be able to dep
EPPolicy function. If you disable or do not configure this policy setting, Internet Explorer uses the SetProcessDEPPolicy function to turn on D
ou enable this policy setting, Data URI support is turned off. Without Data URI support, a Data URI will be interpreted as a failed URL. If you
used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed her
nces and policy settings. If you enable this policy setting, all processes will respect add-on management user preferences and policy setting
r web pages. By default, the 'Add-on List' policy setting defines a list of add-ons to be allowed or denied through Group Policy. However, us
end support for these user preferences and policy settings to specific processes listed in the process list. If you enable this policy setting an
the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Interne
the user can choose to run natively implemented, scriptable XMLHTTP.
rnet Explorer uses the default connection limit for HTTP 1.1 (6 connections per host). In versions of Internet Explorer before Internet Explo
ternet Explorer prior to Internet Explorer 8, the default connection limit for HTTP 1.0 was 4.
this policy setting, Internet Explorer uses the default limit of 6 WebSocket connections per server.
quest data across third-party domains embedded in the page.
et Explorer 10. Also, this policy setting does not prevent a site from requesting cross-domain data through a server. If you enable this policy
omain data through a server. If you enable this policy setting, websites cannot request data across domains by using the XDomainRequest
ity or behavior on a page.) If you enable this policy setting, this sets the list of behaviors permitted in each zone for which Script and Binary
e prevented for all processes. Any use of binary behaviors for HTML rendering is blocked. If you disable or do not configure this policy setti
this policy setting, Internet Explorer 9 installs binaries signed by MD2 and MD4 signing technologies. If you disable or do not configure this
e prevented for the File Explorer and Internet Explorer processes. If you disable this policy setting, binary behaviors are allowed for the File
applications for which they want this security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1 bin
pe of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it
pe of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it
pe of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it
es to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is used as an attack vector to load ma
es to all local files and content processed by Internet Explorer. This feature helps to mitigate attacks where the Local Machine zone is used
y applies to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is used as an attack vector to lo
Feature is disabled for all processes.
ses will allow a MIME sniff promoting a file of one type to a more dangerous file type. If you do not configure this policy setting, MIME sniffi
ter a Value of 1, this protection will be in effect. If you enter a Value of 0, any file may be promoted to more dangerous file types. The Valu
y setting, the MK Protocol is enabled.
sable this policy setting, applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and
tting and enter a Value of 1, use of the MK protocol is prevented. If you enter a Value of 0, use of the MK protocol is allowed. If a Value Nam
hrough restricted protocols is allowed for all processes other than File Explorer or Internet Explorer. If you disable this policy setting, restri
ontent obtained through restricted protocols is allowed for File Explorer and Internet Explorer processes. For example, you can restrict acti
s for which they want restricting content obtained through restricted protocols to be prevented or allowed. If you enable this policy setting
plies to all processes which have opted in to the security restriction. If you enable this policy setting for a zone, this sets the list of protocol
plies to all processes which have opted in to the security restriction. If you enable this policy setting for a zone, this sets the list of protocol
plies to all processes which have opted in to the security restriction. If you enable this policy setting for a zone, this sets the list of protocol
plies to all processes which have opted in to the security restriction. If you enable this policy setting for a zone, this sets the list of protocol
plies to all processes which have opted in to the security restriction. If you enable this policy setting for a zone, this sets the list of protocol
Processes, for which the Notification bar is displayed by default). If you enable this policy setting, the Notification bar will be displayed for a
rer Processes. If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer processes. If you do not config
n bar is displayed by default). If you enable this policy setting and enter a Value of 1, the Notification bar is displayed. If you enter a Value o
cy setting, object reference is retained when navigating within or across domains in the Restricted Zone sites.
setting, an object reference is retained when navigating within or across domains for Internet Explorer processes. If you do not configure t
a Value of 1, references to objects are inaccessible after navigation. If you enter a Value of 0, references to objects are still accessible afte
he Local Machine security zone a prime target for malicious users. If you enable this policy setting, any zone can be protected from zone ele
curity zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. If you enab
ine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. This p
etting, the Web Browser Control will not block automatic prompting of ActiveX control installation for all processes.
locked for Internet Explorer processes. If you do not configure this policy setting, the user's preference will be used to determine whether
l installation is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setti
policy setting, the Web Browser Control will not block automatic prompting of file downloads that are not user initiated for all processes.
or Internet Explorer processes. If you do not configure this policy setting, the user's preference determines whether to prompt for file dow
non-initiated file downloads is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1
nd status bars. If you enable this policy setting, scripted windows are restricted for all processes. If you disable or do not configure this polic
nd status bars. If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processe
nd status bars. This policy setting allows administrators to define applications for which they want this security feature to be prevented or
mand buttons are displayed: Show all text labels: All command buttons have only text. Show selective text: Some command buttons have on

nd bar is shown by default, and the user can choose to hide it.
by default, and the user can choose to hide it.
locked by default, but the user can unlock them through the shortcut menu of the Command bar.
the Address bar, and the user cannot move them. If you do not configure this policy setting, the Stop and Refresh buttons are next to the A

bars or Browser Helper Objects that are enabled or disabled via policy settings do not undergo this check. If you enable this policy setting,
ger (20 x 20 pixels). If you do not configure this policy setting, icons for command buttons are 16 x 16 pixels, and the user can make them b
ch providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created fr
uring shutdown (default behavior in Internet Explorer 9).
is policy setting, users won't receive enhanced suggestions while typing in the Address bar. In addition, users won't be able to change the
xplorer bars. ActiveX controls are referred to as plug-ins and are not part of this definition. If you enable this policy setting, newly installed
MSIE 7.0").
or control which components the user installs.
et Explorer Maintenance under Admin Templates using group policy editor. If you disable or do not configure this policy setting, the user wi
ernet Control Panel), you do not need to set this policy, because the "Disable the Connections page" policy removes the Connections tab f
s policy setting, the user can add secondary home pages. Note: If the "Disable Changing Home Page Settings" policy is enabled, the us
ser to export favorites, feeds and cookies to a file. If you enable this policy setting, the user will not be able to use the Import/Export Settin
is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new ver

policy or do not configure it, users will be notified before their programs are updated. This policy is intended for administrators who want
manage the add-on through the Add-On Manager. If you disable or do not configure this policy setting, the appropriate controls in the Add-
bar contains menus that open lists of commands for printing, customizing Internet Explorer, copying and pasting text, managing favorites

owed, so *.contoso.com is also valid. If you disable this or do not configure this policy setting, you will not be able to provide a default Pop-

gure this policy setting, the Internet Explorer Help menu is available to the user. The user can also use the Command bar and F1 to access
y setting, the user can bypass SmartScreen Filter warnings.

ble or do not configure this policy setting, the user can manage pop-ups by changing the filter level.You may also want to enable the "Prev

d in this scenario. • Open a new Internet Explorer window. If you disable or do not configure this policy setting, the user can configure
If you disable or do not configure this policy setting, the user can configure how new tabs are created by default.
y setting, Internet Explorer does not enumerate search providers for the Accelerators infrastructure. If Accelerators are turned on, users ca
rer process's Pop-Up Blocker settings by enabling the "Specify pop-up allow list" policy setting.
ut prompting the user.If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on SmartScreen
analysis, and the user is prompted to permit any data to be sent to Microsoft. If the feature is fully enabled, all website addresses that are
you do not configure this policy setting, the user can choose to participate in the CEIP.

Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is c
this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do no
add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone.This policy
blished by the administrator.Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Wind
ttings apply uniformly to the same computer and do not vary from user to user.Also, see the "Security zones: Do not allow users to change
sical memory. The default setting creates the optimal number of tab processes based on the operating system and amount of physical mem

r for permission to load an ActiveX control, and Internet Explorer loads the control if it passes all other internal security checks.If you disab
ser to disable add-ons and configure the threshold.If you enable this policy setting, users are not notified when the average time to load al
disable or do not configure this policy setting, Internet Explorer uses the user's setting for pop-up windows in tabbed browsing.
e for add-on management will be functional.

n the filter's allow list are sent automatically to Microsoft without prompting the user.If you disable or do not configure this policy setting,

aunched off screen will continue to be re-positioned onscreen.If you disable or do not configure this policy setting, the popup managemen

oints appear on the user interface for Internet Explorer, and the user cannot turn them off.If you do not configure this policy setting, the u
plete for web-address setting.If you do not configure this policy setting, a user will have the freedom to choose to turn the auto-complete

cy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.
es. The user cannot turn on logging.If you do not configure this policy setting, the user can change the logging settings.
off by default. The user can turn on or turn off the menu bar.
y setting, the entry points and functionality associated with this feature are turned off.If you do not configure this policy setting, the user c
rs that are provided through first use of the browser.
rators that are provided through first use of the browser.

ed.If you disable this policy setting, the user is prompted when a script that is running in any process on the computer attempts to perform
behavior is currently set to prompt, it will be bypassed and enabled.If you disable this policy setting, the user is prompted when a script th
policy setting is enabled, the processes configured in this policy setting take precedence over that policy setting.If you enable this policy se
ailable, and users will not see printers under the Devices charm.If you disable or do not configure this policy setting, the Print menu in Inte
used. Additionally, the user cannot activate the feature by using the Compatibility View Settings dialog box.If you do not configure this pol

additional string appended). Additionally, all Standards Mode webpages appear in Internet Explorer 7 Standards Mode. This option result
user cannot change this behavior through the Compatibility View Settings dialog box.If you disable this policy setting, Internet Explorer us

or do not configure this policy setting, the user can specify the download path for the code.
wsing history on exit is turned off.If you do not configure this policy setting, it can be configured on the General tab in Internet Options.If t
in the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not dele
the Settings charm.If you disable or do not configure this policy setting, the user can access the Delete Browsing History dialog box. Starti
g.With at least Internet Explorer 11:This policy setting prevents users from deleting ActiveX Filtering data, Tracking Protection data, and D
"Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default.
load history when he or she clicks Delete.If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is e
data when he or she clicks Delete.If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effe
e.If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default.
user clicks Delete.If you disable this policy setting, InPrivate Filtering data is deleted when the user clicks Delete.If you do not configure th
lete.If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default.
eserve temporary Internet files when he or she clicks Delete.If the "Prevent access to Delete Browsing History" policy setting is enabled, th
, the user can choose whether to delete or preserve visited websites when he or she clicks Delete.If the "Prevent access to Delete Browsin
s and cookies.
\User Configuration\Administrative Templates\Windows Components\Internet Explorer\), because this policy removes the Advanced tab
nterface:"Disable Internet Connection Wizard""Disable changing connection settings""Prevent changing proxy settings""Disable changing

nfiguration\Administrative Templates\Windows Components\Internet Explorer\), because this policy removes the General tab from the in

he interface:"Disable changing Messaging settings""Disable changing Calendar and Contact settings""Disable the Reset Web Settings featu
y removes the Security tab from the interface:"Security zones: Do not allow users to change policies""Security zones: Do not allow users to

are converted to IDN format only for addresses that are not in the Intranet zone. 2) Unicode domain names are converted to IDN format
n change this behavior on the Internet Explorer Tools menu: Click Internet Options, click the Advanced tab, and then under International, s

rs will be prompted when non-Internet Explorer components would be installed.If you do not configure this policy setting, non-Internet Ex
omponents such as fonts will be automatically installed as necessary.If you disable this policy setting, users will be prompted when Web C
is policy setting, users can turn this behavior on or off, using Internet Explorer Advanced Internet Options settings. The default is on.
n invalid signature.If you do not configure this policy, users can choose to run or install files with an invalid signature.
e this policy setting, browser helper objects do not launch.If you do not configure this policy, Internet Explorer automatically launches any
ed or inPrivate Browsing mode is used.For at least Internet Explorer 11:If you disable this policy setting, Internet Explorer only sends the D
w versions when they are available.If you disable this policy setting, Internet Explorer does not check the Internet for new versions of the b
u disable this policy setting, Internet Explorer will not check server certificates to see if they have been revoked.If you do not configure th
user computers.If you disable this policy setting, Internet Explorer will not check the digital signatures of executable programs or display
ll websites to run in Enhanced Protected Mode.Enhanced Protected Mode provides additional protection against malicious websites by us
net Explorer Settings.
encrypted pages containing secure (HTTPS) information to the cache.If you do not configure this policy, Internet Explorer will save encryp
Internet Files folder when all browser windows are closed.If you disable this policy setting, Internet Explorer will not delete the contents o
s, helping pages display more quickly.If you do not configure this policy setting, Internet Explorer will play animated pictures found in Web
pages display more quickly.If you enable this policy setting, Internet Explorer will play sounds found in Web content.
uickly.If you do not configure this policy setting, Internet Explorer will play videos found in Web content.
rendering engine.
The browser and server attempt to match each other's list of supported protocols and versions, and they select the most preferred ma
and content in the background.If you don't configure this policy setting, users can turn this behavior on or off, using Internet Explorer setti
an also choose to allow this information to be shared with the Web site in the future without being prompted.If you do not configure this
URLs that are in the Intranet zone. 3) Always encode query strings.If you disable or don't configure this policy setting, users can turn this
und.If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.If y
Enhanced Protected Mode on 64-bit versions of Windows.If you disable this policy setting, Internet Explorer 11 will use 32-bit tab process
urned on.If you disable this policy setting, Caret Browsing is turned off.If you do not configure this policy setting, Caret Browsing support ca
d will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.If you disable this policy setting, Enhance

onnections.
b of the Internet Options dialog box.
his option to start with the home page.If you disable this policy setting, Internet Explorer starts a new browsing session with the home pag
d caches on Website Data Settings will be unavailable to users.If you do not configure this policy setting, websites will be able to store app
ase and caches on Website Data Settings will be unavailable to users.If you do not configure this policy setting, websites will be able to sto
oup policy sets the maximum file storage limit for domains that are trusted by users. When you set this policy setting, you provide the cach
y setting.If you disable or do not configure this policy setting, Internet Explorer will use the default application cache expiration time limit f
application caches.
cy sets the maximum data storage limit for domains that are trusted by users. When you set this policy setting, you provide the cache limit
tting, Internet Explorer will allow the creation of application caches whose individual manifest file entries are less than or equal to the size
the resource limit as a number. The default is 1000 resources.If you enable this policy setting, Internet Explorer will allow the creation of
you can set the maximum storage limit for all application caches. The default is 1 GB.If you disable or do not configure this policy setting, In
etting, you can set the maximum storage limit for all indexed databases. The default is 4 GB.If you disable or do not configure this policy se
nfigure this template policy setting, no security level is configured.Note. Local Machine Zone Lockdown Security and Network Protocol Loc
typically be in the Internet Zone).If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone
o the Intranet Zone.
s choose whether sites which bypass the proxy server are mapped into the Intranet Zone.
nfigure this template policy setting, no security level is configured.Note. Local Machine Zone Lockdown Security and Network Protocol Loc
nfigure this template policy setting, no security level is configured.Note. Local Machine Zone Lockdown Security and Network Protocol Loc
nfigure this template policy setting, no security level is configured.Note. Local Machine Zone Lockdown Security and Network Protocol Loc
nfigure this template policy setting, no security level is configured.Note. Local Machine Zone Lockdown Security and Network Protocol Loc
nfigure this template policy setting, no security level is configured.Note. Local Machine Zone Lockdown Security and Network Protocol Loc
nfigure this template policy setting, no security level is configured.Note. Local Machine Zone Lockdown Security and Network Protocol Loc
nfigure this template policy setting, no security level is configured.Note. Local Machine Zone Lockdown Security and Network Protocol Loc
nfigure this template policy setting, no security level is configured.Note. Local Machine Zone Lockdown Security and Network Protocol Loc
e. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low
nfigure this template policy setting, no security level is configured.Note. Local Machine Zone Lockdown Security and Network Protocol Loc
are configured.If this policy setting is not configured, the user can choose whether or not to automatically detect the intranet through the
this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Inte
, a Notification bar notification does not appear when the user loads content from an intranet site that is being treated as though it is in th
oaded in the zone that uses MSXML or ADO to access data from another site in the zone.If you disable this policy setting, users cannot load
s on the restricted list. If you select Prompt from the drop-down box, the Notification bar will appear to allow control over questionable co
s policy setting, script code on pages in the zone can run automatically.
vailable.If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script can perform a clipboard operation.
ing and pasting files from this zone.If you do not configure this policy setting, users can drag files or copy and paste files from this zone aut
setting, files can be downloaded from the zone.
cy setting, HTML fonts can be downloaded automatically.
items from this zone.If you do not configure this policy setting, users are queried to choose whether to install desktop items from this zon
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs.If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files.If you disable this po
d for loading XPS files.If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page.If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th
files.If you enable this policy setting, video and animation can be played through older media players in specified zones.If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification b
tification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
e nonsecure items?) and nonsecure content can be displayed.If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate.If you do not configure this policy setting, Inte
o create an instance of the ActiveX control.If you don't configure this policy setting, Internet Explorer always checks with your antimalwar
etting, signed controls cannot be downloaded.If you do not configure this policy setting, users are queried whether to download controls s
olicy setting, users cannot run unsigned controls.If you do not configure this policy setting, users cannot run unsigned controls.
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form.If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form.If you do not confi
marked safe for scripting option.If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O.High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone.If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session.Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
s policy setting, users cannot open windows and frames to access applications from different domains.If you do not configure this policy se
ty tab of the Internet Options dialog box. Filters are not rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components.If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins can run without user intervention.
gure this policy setting, script interaction can occur automatically without user intervention.
tting, scripts can access applets automatically without user intervention.
e the files open.If you disable this policy setting, these files do not open.If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.High
hoose whether to allow information using HTML forms on pages in this zone to be submitted.If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior.If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone.If you do not configure this policy setting, the first-run prompt is turned off by de

rotected Mode.If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content.Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
are prevented from appearing.
y within a Web page saved to disk.If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.If you disable this policy setting, the poss
oaded in the zone that uses MSXML or ADO to access data from another site in the zone.If you disable this policy setting, users cannot load
s on the restricted list. If you select Prompt from the drop-down box, the Notification bar will appear to allow control over questionable co
s policy setting, script code on pages in the zone can run automatically.
vailable.If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script can perform a clipboard operation.
ing and pasting files from this zone.If you do not configure this policy setting, users can drag files or copy and paste files from this zone aut
setting, files can be downloaded from the zone.
cy setting, HTML fonts can be downloaded automatically.
items from this zone.If you do not configure this policy setting, users are queried to choose whether to install desktop items from this zon
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs.If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files.If you disable this po
d for loading XPS files.If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page.If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files.If you enable this policy setting, video and animation can be played through older media players in specified zones.If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

e nonsecure items?) and nonsecure content can be displayed.If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate.If you do not configure this policy setting, Inte
o create an instance of the ActiveX control.If you don't configure this policy setting, Internet Explorer won't check with your antimalware
etting, signed controls cannot be downloaded.If you do not configure this policy setting, users are queried whether to download controls s
olicy setting, users cannot run unsigned controls.If you do not configure this policy setting, users cannot run unsigned controls.
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form.If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form.If you do not confi
marked safe for scripting option.If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O.High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone.If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session.Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
s policy setting, users cannot open windows and frames to access applications from different domains.If you do not configure this policy se
ty tab of the Internet Options dialog box. Filters are rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components.If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins can run without user intervention.
gure this policy setting, script interaction can occur automatically without user intervention.
tting, scripts can access applets automatically without user intervention.
e the files open.If you disable this policy setting, these files do not open.If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.High
hoose whether to allow information using HTML forms on pages in this zone to be submitted.If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior.If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone.If you do not configure this policy setting, the first-run prompt is turned on by def

rotected Mode.If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content.Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
ed from appearing.
y within a Web page saved to disk.If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.If you disable this policy setting, the poss
oaded in the zone that uses MSXML or ADO to access data from another site in the zone.If you disable this policy setting, users cannot load
s on the restricted list. If you select Prompt from the drop-down box, the Notification bar will appear to allow control over questionable co
s policy setting, script code on pages in the zone can run automatically.
vailable.If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script can perform a clipboard operation.
ing and pasting files from this zone.If you do not configure this policy setting, users can drag files or copy and paste files from this zone aut
setting, files can be downloaded from the zone.
cy setting, HTML fonts can be downloaded automatically.
items from this zone.If you do not configure this policy setting, users can install desktop items from this zone automatically.
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs.If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files.If you disable this po
d for loading XPS files.If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page.If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files.If you enable this policy setting, video and animation can be played through older media players in specified zones.If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

e nonsecure items?) and nonsecure content can be displayed.If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate.If you do not configure this policy setting, Inte
o create an instance of the ActiveX control.If you don't configure this policy setting, Internet Explorer won't check with your antimalware
etting, signed controls cannot be downloaded.If you do not configure this policy setting, users can download signed controls without user i
olicy setting, users cannot run unsigned controls.If you do not configure this policy setting, users can run unsigned controls without user int
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form.If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form.If you do not confi
marked safe for scripting option.If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O.High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone.If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session.Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
s policy setting, users cannot open windows and frames to access applications from different domains.If you do not configure this policy se
ty tab of the Internet Options dialog box. Filters are not rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components.If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins can run without user intervention.
gure this policy setting, script interaction can occur automatically without user intervention.
tting, scripts can access applets automatically without user intervention.
e the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High
hoose whether to allow information using HTML forms on pages in this zone to be submitted. If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior. If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned on by def

rotected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content. Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
ed from appearing.
y within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
op-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the possibly
oaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load
s policy setting, users are queried to choose whether to allow script code on pages in the Local Machine zone to run.
vailable. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script can perform a clipboard operation.
ing and pasting files from this zone. If you do not configure this policy setting, users can drag files or copy and paste files from this zone aut
setting, files can be downloaded from the zone.
cy setting, HTML fonts can be downloaded automatically.
items from this zone. If you do not configure this policy setting, users are queried to choose whether to install desktop items from this zon
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs. If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. If you disable this po
d for loading XPS files. If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files. If you enable this policy setting, video and animation can be played through older media players in specified zones. If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification b
tification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
e nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate. If you do not configure this policy setting, Inte
o create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer always checks with your antimalwar
etting, signed controls cannot be downloaded. If you do not configure this policy setting, users are queried whether to download controls s
olicy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls.
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. If you do not confi
marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
s policy setting, users cannot open windows and frames to access applications from different domains. If you do not configure this policy se
ty tab of the Internet Options dialog box. Filters are not rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins are prevented from running.
gure this policy setting, script interaction can occur automatically without user intervention.
tting, scripts can access applets automatically without user intervention.
e the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High
hoose whether to allow information using HTML forms on pages in this zone to be submitted. If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior. If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned off by de

rotected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content. Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
are prevented from appearing.
y within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
op-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the possibly
oaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load
s policy setting, users are queried to choose whether to allow script code on pages in the Local Machine zone to run.
vailable. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script can perform a clipboard operation.
ing and pasting files from this zone. If you do not configure this policy setting, users can drag files or copy and paste files from this zone aut
setting, files can be downloaded from the zone.
cy setting, HTML fonts can be downloaded automatically.
items from this zone. If you do not configure this policy setting, users are queried to choose whether to install desktop items from this zon
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs. If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. If you disable this po
d for loading XPS files. If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files. If you enable this policy setting, video and animation can be played through older media players in specified zones. If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.
not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification b
tification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
e nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate. If you do not configure this policy setting, Inte
o create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer always checks with your antimalwar
etting, signed controls cannot be downloaded. If you do not configure this policy setting, users are queried whether to download controls s
olicy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls.
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. If you do not confi
marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
s policy setting, users cannot open windows and frames to access applications from different domains. If you do not configure this policy se
ty tab of the Internet Options dialog box. Filters are rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins are prevented from running.
gure this policy setting, script interaction can occur automatically without user intervention.
tting, scripts can access applets automatically without user intervention.
e the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High
hoose whether to allow information using HTML forms on pages in this zone to be submitted. If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior. If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned off by de

rotected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content. Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
ed from appearing.
y within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
op-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the possibly
oaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load
s policy setting, users are queried to choose whether to allow script code on pages in the Local Machine zone to run.
vailable. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script can perform a clipboard operation.
ing and pasting files from this zone. If you do not configure this policy setting, users can drag files or copy and paste files from this zone aut
setting, files can be downloaded from the zone.
cy setting, HTML fonts can be downloaded automatically.
items from this zone. If you do not configure this policy setting, users can install desktop items from this zone automatically.
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs. If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. If you disable this po
d for loading XPS files. If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files. If you enable this policy setting, video and animation can be played through older media players in specified zones. If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification b
tification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
e nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate. If you do not configure this policy setting, Inte
o create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer won't check with your antimalware
etting, signed controls cannot be downloaded. If you do not configure this policy setting, users can download signed controls without user i
olicy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls.
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. If you do not confi
marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
s policy setting, users cannot open windows and frames to access applications from different domains. If you do not configure this policy se
ty tab of the Internet Options dialog box. Filters are not rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins are prevented from running.
gure this policy setting, script interaction can occur automatically without user intervention.
tting, scripts can access applets automatically without user intervention.
e the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High
hoose whether to allow information using HTML forms on pages in this zone to be submitted. If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior. If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned off by de

rotected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content. Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
ed from appearing.
y within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
op-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the possibly
oaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load
s policy setting, script code on pages in the zone is prevented from running.
vailable. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script cannot perform a clipboard operation.
ing and pasting files from this zone. If you do not configure this policy setting, users are queried to choose whether to drag or copy files fro
setting, files are prevented from being downloaded from the zone.
cy setting, users are queried whether to allow HTML fonts to download.
items from this zone. If you do not configure this policy setting, users are prevented from installing desktop items from this zone.
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs. If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. If you disable this po
d for loading XPS files. If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files. If you enable this policy setting, video and animation can be played through older media players in specified zones. If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification b
tification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
e nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate. If you do not configure this policy setting, Inte
o create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer always checks with your antimalwar
etting, signed controls cannot be downloaded. If you do not configure this policy setting, signed controls cannot be downloaded.
olicy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls.
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. If you do not confi
marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
mains. If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from differ
ty tab of the Internet Options dialog box. Filters are not rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins are prevented from running.
gure this policy setting, script interaction is prevented from occurring.
tting, scripts are prevented from accessing applets.
e the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High
hoose whether to allow information using HTML forms on pages in this zone to be submitted. If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior. If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned off by de

rotected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content. Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
are prevented from appearing.
y within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
op-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the possibly
oaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load
s policy setting, users are queried to choose whether to allow script code on pages in the Local Machine zone to run.
vailable. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script can perform a clipboard operation.
ing and pasting files from this zone. If you do not configure this policy setting, users can drag files or copy and paste files from this zone aut
setting, files can be downloaded from the zone.
cy setting, HTML fonts can be downloaded automatically.
items from this zone. If you do not configure this policy setting, users can install desktop items from this zone automatically.
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs. If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. If you disable this po
d for loading XPS files. If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files. If you enable this policy setting, video and animation can be played through older media players in specified zones. If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification b
tification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
e nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate. If you do not configure this policy setting, Inte
o create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer always checks with your antimalwar
etting, signed controls cannot be downloaded. If you do not configure this policy setting, users can download signed controls without user i
olicy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls.
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. If you do not confi
marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
s policy setting, users cannot open windows and frames to access applications from different domains. If you do not configure this policy se
ty tab of the Internet Options dialog box. Filters are rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins are prevented from running.
gure this policy setting, script interaction can occur automatically without user intervention.
tting, scripts can access applets automatically without user intervention.
e the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High
hoose whether to allow information using HTML forms on pages in this zone to be submitted. If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior. If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned off by de

rotected Mode.If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content.Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
ed from appearing.
y within a Web page saved to disk.If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
op-down box, a warning is issued to the user that potentially risky navigation is about to occur.If you disable this policy setting, the possibly
oaded in the zone that uses MSXML or ADO to access data from another site in the zone.If you disable this policy setting, users cannot load
en for protocols on the restricted list. If you select Prompt from the drop-down box, the Notification bar will appear to allow control over q
s policy setting, script code on pages in the zone is prevented from running.
vailable.If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script cannot perform a clipboard operation.
ing and pasting files from this zone.If you do not configure this policy setting, users are queried to choose whether to drag or copy files fro
setting, files are prevented from being downloaded from the zone.
cy setting, users are queried whether to allow HTML fonts to download.
items from this zone.If you do not configure this policy setting, users are prevented from installing desktop items from this zone.
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs.If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files.If you disable this po
d for loading XPS files.If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page.If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files.If you enable this policy setting, video and animation can be played through older media players in specified zones.If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification b
tification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
e nonsecure items?) and nonsecure content can be displayed.If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate.If you do not configure this policy setting, Inte
o create an instance of the ActiveX control.If you don't configure this policy setting, Internet Explorer always checks with your antimalwar
etting, signed controls cannot be downloaded.If you do not configure this policy setting, signed controls cannot be downloaded.
olicy setting, users cannot run unsigned controls.If you do not configure this policy setting, users cannot run unsigned controls.
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form.If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form.If you do not confi
marked safe for scripting option.If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O.High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone.If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session.Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
mains.If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from differ
ty tab of the Internet Options dialog box. Filters are not rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components.If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins are prevented from running.
gure this policy setting, script interaction is prevented from occurring.
tting, scripts are prevented from accessing applets.
e the files open.If you disable this policy setting, these files do not open.If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.High
hoose whether to allow information using HTML forms on pages in this zone to be submitted.If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior.If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone.If you do not configure this policy setting, the first-run prompt is turned off by de

rotected Mode.If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content.Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
are prevented from appearing.
y within a Web page saved to disk.If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
op-down box, a warning is issued to the user that potentially risky navigation is about to occur.If you disable this policy setting, the possibly
oaded in the zone that uses MSXML or ADO to access data from another site in the zone.If you disable this policy setting, users cannot load
s on the restricted list. If you select Prompt from the drop-down box, the Notification bar will appear to allow control over questionable co
s policy setting, script code on pages in the zone can run automatically.
vailable.If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script can perform a clipboard operation.
ing and pasting files from this zone.If you do not configure this policy setting, users can drag files or copy and paste files from this zone aut
setting, files can be downloaded from the zone.
cy setting, HTML fonts can be downloaded automatically.
items from this zone.If you do not configure this policy setting, users can install desktop items from this zone automatically.
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs.If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files.If you disable this po
d for loading XPS files.If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page.If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files.If you enable this policy setting, video and animation can be played through older media players in specified zones.If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

e nonsecure items?) and nonsecure content can be displayed.If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate.If you do not configure this policy setting, Inte
o create an instance of the ActiveX control.If you don't configure this policy setting, Internet Explorer won't check with your antimalware
etting, signed controls cannot be downloaded.If you do not configure this policy setting, users can download signed controls without user i
olicy setting, users cannot run unsigned controls.If you do not configure this policy setting, users are queried to choose whether to allow th
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form.If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form.If you do not confi
marked safe for scripting option.If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O.High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone.If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session.Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
s policy setting, users cannot open windows and frames to access applications from different domains.If you do not configure this policy se
ty tab of the Internet Options dialog box. Filters are rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components.If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins can run without user intervention.
gure this policy setting, script interaction can occur automatically without user intervention.
tting, scripts can access applets automatically without user intervention.
e the files open.If you disable this policy setting, these files do not open.If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.High
hoose whether to allow information using HTML forms on pages in this zone to be submitted.If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior.If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone.If you do not configure this policy setting, the first-run prompt is turned on by def

rotected Mode.If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content.Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
ed from appearing.
y within a Web page saved to disk.If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.If you disable this policy setting, the poss

s policy setting, users can turn this behavior on or off, using Internet Explorer settings. The default is on.
dia elements" setting on the Advanced tab in the Internet Options dialog box.
tton. • Display the results in the main window: When the user searches on the Address bar, the list of search results is displayed in the
he user is directed to an external top result website determined by the search provider, if available.If you enable this policy setting, you can
estions will be turned on. Users will not be able to turn off URL Suggestions.If you do not configure this policy setting, URL Suggestions wil
e for providing relevant results in the Address bar. The user cannot change this setting.If you disable this policy setting, Internet Explorer u
ng, the user cannot specify the cipher strength update information URL. You must specify the cipher strength update information URL.If yo
rnet Explorer and Internet Tools.

nge is 3 through 30.If you enable this policy setting, the selected value is enforced.If you disable or do not configure this policy setting, the
range is 3 through 30.If you enable this policy setting, the selected value is enforced.If you disable or do not configure this policy setting, th
u disable this policy setting, toolbars and BHOs are loaded by default during an InPrivate Browsing session.If you do not configure this poli
ection is turned on.If you do not configure this policy setting, InPrivate Filtering data collection can be turned on or off on the Privacy tab in
e Browsing can be turned on or off through the registry.
Private Filtering data is not collected.If you disable this policy setting, InPrivate Filtering is available for use.If you do not configure this poli
nd Tracking Protection data is not collected.If you disable this policy setting, Tracking Protection is available for use.If you do not configure
elopers will not be able to depend on the reveal password button being displayed in any web form or web application.If you disable or do
DEPPolicy function to turn on Data Execution Prevention on platforms that support the function.This policy setting has no effect if Window
erpreted as a failed URL.If you disable this policy setting, Data URI support is turned on.If you do not configure this policy setting, Data UR
whether add-ons not listed here are assumed to be denied.If you enable this policy setting, you can enter a list of add-ons to be allowed or
preferences and policy settings.If you disable or do not configure this policy setting, all processes will not respect add-on management use
ugh Group Policy. However, users can still use the Add-on Manager within Internet Explorer to manage add-ons not listed within the 'Add-
ou enable this policy setting and enter a Value of 1, the process entered will respect the add-on management user preferences and policy s
able this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless

Explorer before Internet Explorer 8, the default connection limit for HTTP 1.1 was 2.

server.If you enable this policy setting, websites cannot request data across domains by using the WebSocket object.If you disable or do no
by using the XDomainRequest object.If you disable or do not configure this policy setting, websites can request data across domains by usi
one for which Script and Binary Behaviors is set to 'admin-approved'. Behaviors must be entered in #package#behavior notation, e.g., #def
o not configure this policy setting, binary behaviors are allowed for all processes.
isable or do not configure this policy setting, Internet Explorer 9 does not install binaries signed by MD2 and MD4 signing technologies.
haviors are allowed for the File Explorer and Internet Explorer processes.If you do not configure this policy setting, binary behaviors are pr
tting and enter a Value of 1 binary behaviors are prevented. If you enter a Value of 0 binary behaviors are allowed. The Value Name is the
r renames the file by saving it in the Internet Explorer cache and changing its extension.If you enable this policy setting, Consistent Mime H
r renames the file by saving it in the Internet Explorer cache and changing its extension.If you enable this policy setting, Internet Explorer r
r renames the file by saving it in the Internet Explorer cache and changing its extension.This policy setting allows administrators to define a
as an attack vector to load malicious HTML code.If you enable this policy setting, the Local Machine zone security applies to all local files a
he Local Machine zone is used as an attack vector to load malicious HTML code.If you enable this policy setting, the Local Machine zone se
used as an attack vector to load malicious HTML code.If you enable this policy setting and enter a value of 1, Local Machine Zone security

e this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.
dangerous file types. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting

work for the File Explorer and Internet Explorer processes.If you do not configure this policy setting, the MK Protocol is prevented for File
tocol is allowed. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored.Do not enter the Internet Explorer proces
sable this policy setting, restricting content obtained through restricted protocols is prevented for all processes other than File Explorer or
r example, you can restrict active content from pages served over the http and https protocols by adding the value names http and https.I
f you enable this policy setting and enter a Value of 1, restricting content obtained through restricted protocols is allowed. If you enter a V
e, this sets the list of protocols to be restricted if that zone is set to Prompt or Disable for "Allow active content over restricted protocols t
e, this sets the list of protocols to be restricted if that zone is set to Prompt or Disable for "Allow active content over restricted protocols t
e, this sets the list of protocols to be restricted if that zone is set to Prompt or Disable for "Allow active content over restricted protocols t
e, this sets the list of protocols to be restricted if that zone is set to Prompt or Disable for "Allow active content over restricted protocols t
e, this sets the list of protocols to be restricted if that zone is set to Prompt or Disable for "Allow active content over restricted protocols t
tion bar will be displayed for all processes.If you disable or do not configure this policy setting, the Notification bar will not be displayed fo
processes.If you do not configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes.
splayed. If you enter a Value of 0 the Notification bar is not displayed. The Value Name is the name of the executable. If a Value Name is e

esses.If you do not configure this policy setting, an object reference is no longer accessible when navigating within or across domains for I
objects are still accessible after navigation. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 o
an be protected from zone elevation for all processes.If you disable or do not configure this policy setting, processes other than Internet E
o security context.If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.If you dis
re is no security context.This policy setting allows administrators to define applications for which they want this security feature to be prev

e used to determine whether to block ActiveX control installations for Internet Explorer processes.
ue is not 0 or 1, the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Proce
ser initiated for all processes.
hether to prompt for file downloads that are not user initiated for Internet Explorer processes.
mpty or the Value is not 0 or 1, the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Intern
e or do not configure this policy setting, scripted windows are not restricted.
and Internet Explorer processes.If you disable this policy setting, scripts can continue to create popup windows and windows that obfusca
ty feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1, such windows may not be opened. If you ent
me command buttons have only text; some have icons and text.Show only icons: All command buttons have only icons.If you disable or do

fresh buttons are next to the Address bar by default, and the user can choose to move them.

you enable this policy setting, the toolbar upgrade tool does not check for incompatible toolbars. The user is not prompted, and incompati
and the user can make them bigger (20 x 20 pixels).
Note: This list can be created from a custom administrative template file. For information about creating this custom administrative templa

s won't be able to change the Suggestions setting on the Settings charm.If you don't configure this policy setting, users can change the Sug
policy setting, newly installed add-ons are automatically activated in the browser.If you disable or do not configure this policy setting, new

this policy setting, the user will have the freedom to automatically configure these settings.
emoves the Connections tab from the interface.
gs" policy is enabled, the user cannot add secondary home pages.
o use the Import/Export Settings wizard.If you disable or do not configure this policy setting, the user will be able to use the Import/Export
m being notified about new versions of the browser.

for administrators who want to use Software Distribution Channels to update their users' programs without user intervention.
propriate controls in the Add-On Manager will be available to the user.
sting text, managing favorites, and accessing Help. The Command bar enables the user to access and manage favorites, feeds, shortcuts to

able to provide a default Pop-up Blocker exception list.Note: You can disable users from adding or removing websites to the exception list

ommand bar and F1 to access Help.

also want to enable the "Prevent managing pop-up exception list" and "Turn off pop-up management" policy settings to prevent the user

etting, the user can configure how windows open when he or she clicks links from other applications.

erators are turned on, users can install search providers as Accelerators to include them on the Accelerator menu.

hether to turn on SmartScreen Filter during the first-run experience.


all website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user.If you disable or

regardless of which option is chosen.If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard th
fault providers installed do not appear (including providers installed from other applications). The only providers that appear are those in t
Local Intranet zone.This policy prevents users from changing site management settings for security zones established by the administrator
dministrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet E
Do not allow users to change policies" policy.
m and amount of physical memory. We recommend the default setting.The second algorithm must be explicitly enabled through the creati

nal security checks.If you disable or do not configure this policy setting, the ActiveX Opt-In prompt appears.
en the average time to load all the user's enabled add-ons exceeds the threshold.If you disable or do not configure this policy setting, user
n tabbed browsing.

ot configure this policy setting, the user is prompted to decide whether to turn on the SmartScreen Filter during the first-run experience.

etting, the popup management feature will be functional.

figure this policy setting, the user can turn on or turn off tabbed browsing.
ose to turn the auto-complete setting for web-addresses on or off.

e this policy setting, the user can turn on and turn off the Suggested Sites feature.

computer attempts to perform a Clipboard operation.If you do not configure this policy setting, current values of the URL action for the ap
is prompted when a script that is running in the Internet Explorer process attempts to perform a Clipboard operation.If you do not config
tting.If you enable this policy setting and enter a value of 1, prompts are bypassed. If you enter a value of 0, prompts are not bypassed. Val
setting, the Print menu in Internet Explorer will be available. Starting with Windows 8, the Print flyout for Internet Explorer will be availab
f you do not configure this policy setting, the Microsoft-provided website lists are not active. The user can activate the feature by using the

dards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet stand
cy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Ad

eral tab in Internet Options.If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effect.
History List. Users cannot delete browsing history. If you disable or do not configure this policy setting, a user can set the number of days t
wsing History dialog box. Starting with Windows 8, users can click the Delete Browsing History button on the Settings charm.
acking Protection data, and Do Not Track exceptions stored for visited websites. This feature is available in the Delete Browsing History di

enabled, this policy setting is enabled by default.


, this policy setting has no effect.

ete.If you do not configure this policy setting, the user can choose whether to delete or preserve InPrivate Filtering data when he or she c
by default.
ry" policy setting is enabled, this policy setting is enabled by default.
event access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default.

icy removes the Advanced tab from the interface.


xy settings" "Disable changing Automatic Configuration settings"

es the General tab from the interface: "Disable changing home page settings" "Disable changing Temporary Internet files settings" "Disable c

e the Reset Web Settings feature" "Disable changing default browser check"


y zones: Do not allow users to add/delete sites"

s are converted to IDN format only for addresses that are in the Intranet zone. 3) Unicode domain names are always converted to IDN fo
nd then under International, select the "Use UTF-8 for mailto links" check box.

policy setting, non-Internet Explorer components will be automatically installed as necessary.


will be prompted when Web Components such as fonts would be downloaded.If you do not configure this policy, users will be prompted w
ttings. The default is on.

er automatically launches any browser helper objects that are installed on the user's computer.
rnet Explorer only sends the Do Not Track header if InPrivate Browsing mode is used. If you don't configure the policy setting, users can sel
ernet for new versions of the browser, so does not prompt users to install them.If you do not configure this policy setting, Internet Explore
ked.If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked.
ecutable programs or display their identities before downloading them to user computers.If you do not configure this policy, Internet Expl
ainst malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced P

ernet Explorer will save encrypted pages containing secure (HTTPS) information to the cache.
will not delete the contents of the user's Temporary Internet Files folder when browser windows are closed.If you do not configure this p
imated pictures found in Web content.

select the most preferred match.If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by us
off, using Internet Explorer settings. This feature is turned on by default
d.If you do not configure this policy setting, a user will have the freedom to accept requests from Web sites for Profile Assistant informatio
licy setting, users can turn this behavior on or off, using Internet Explorer Advanced Options settings. The default is to encode all query str
aded into the background.If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.
r 11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.If you don't configure this pol
tting, Caret Browsing support can be turned on or off through the registry.
ble this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Pro

ng session with the home page. Users cannot change this option to start with the tabs from the last browsing session.If you do not configu
bsites will be able to store application caches on client computers. Allow website database and caches on Website Data Settings will be ava
g, websites will be able to store an indexed database on client computers. Allow website database and caches on Website Data Settings w
y setting, you provide the cache limit, in MB. The default is 50 MB.If you enable this policy setting, Internet Explorer will allow trusted dom
n cache expiration time limit for all application caches. The default is 30 days.

ng, you provide the cache limit, in MB. The default is 500 MB.If you enable this policy setting, Internet Explorer will allow trusted domains
e less than or equal to the size set in this policy setting.If you disable or do not configure this policy setting, Internet Explorer will use the d
orer will allow the creation of application caches whose manifest file contains the number of resources, including the page that referenced
configure this policy setting, Internet Explorer will use the default maximum storage limit for all application caches. The default is 1 GB.
do not configure this policy setting, Internet Explorer will use the default maximum storage limit for all indexed databases. The default is
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
cal sites into the Intranet Zone.

rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
s are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zo
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
tect the intranet through the intranet settings dialog in Control Panel.
the Advanced page in the Internet Control panel).
ng treated as though it is in the Internet zone. If this policy setting is not configured, a Notification bar notification appears for intranet con
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not confi
w control over questionable content accessed over any restricted protocols; content over other protocols is unaffected. If you disable this

e implemented a custom security manager. If you do not configure this policy setting, binary and script behaviors are available.

d paste files from this zone automatically.

all desktop items from this zone.


ding XBAPs. If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior. If you do
AML files. If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. If you d
user cannot change this behavior. If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web

arch Connectors. If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. If you do not configure this
cified zones. If you disable this policy setting, video and animation cannot be played through older media players. If you do not configure th

can click on the Notification bar to allow the ActiveX control prompt.
ownload prompt.
er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content. If yo
nfigure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has
s checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or o
hether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
unsigned controls.
erent windows. Users cannot change this setting. In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog. In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process. If you do not configure this policy setting, the MIME Sniffing Safety Featu
HTML form. If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted. If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone. If you do not configure this policy setting, users are q
s in other zones. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon with current u
do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components. If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers. High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted. If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior. If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned off by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, user
le this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set b
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not confi
w control over questionable content accessed over any restricted protocols; content over other protocols is unaffected. If you disable this

e implemented a custom security manager. If you do not configure this policy setting, binary and script behaviors are available.

d paste files from this zone automatically.

all desktop items from this zone.


ding XBAPs. If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior. If you do
AML files. If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. If you d
user cannot change this behavior. If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web

arch Connectors. If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. If you do not configure this

cified zones. If you disable this policy setting, video and animation cannot be played through older media players. If you do not configure th

do not have installed.

er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content. If yo
nfigure this policy setting, Internet Explorer does not prompt users with a "Client Authentication" message when they connect to a Web sit
check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off,
hether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
unsigned controls.
erent windows. Users cannot change this setting. In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog. In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process. If you do not configure this policy setting, the MIME Sniffing Safety Featu
HTML form. If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted. If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone. If you do not configure this policy setting, users are q
s in other zones. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon with current u
do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components. If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers. High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted. If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior. If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned on by default.

s in this zone for malicious content.


browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, user
le this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set b
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not confi
w control over questionable content accessed over any restricted protocols; content over other protocols is unaffected. If you disable this

e implemented a custom security manager. If you do not configure this policy setting, binary and script behaviors are available.

d paste files from this zone automatically.

e automatically.
ding XBAPs. If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior. If you do
AML files. If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. If you d
user cannot change this behavior. If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web

arch Connectors. If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. If you do not configure this

cified zones. If you disable this policy setting, video and animation cannot be played through older media players. If you do not configure th

do not have installed.

er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content. If yo
nfigure this policy setting, Internet Explorer does not prompt users with a "Client Authentication" message when they connect to a Web sit
check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off,
signed controls without user intervention.
gned controls without user intervention.
erent windows. Users cannot change this setting. In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog. In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process. If you do not configure this policy setting, the MIME Sniffing Safety Featu
HTML form. If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted. If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone. If you do not configure this policy setting, users can r
s in other zones. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon with current u
do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components. If you do not configure this policy setting, Internet E
tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers. High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted. If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior. If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned on by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, user
this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by P
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not confi

e implemented a custom security manager. If you do not configure this policy setting, only behaviors listed in the Admin-approved Behavio

d paste files from this zone automatically.

all desktop items from this zone.


ding XBAPs. If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior. If you do
AML files. If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. If you d
user cannot change this behavior. If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web

arch Connectors. If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. If you do not configure this

cified zones. If you disable this policy setting, video and animation cannot be played through older media players. If you do not configure th

can click on the Notification bar to allow the ActiveX control prompt.
ownload prompt.
er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content. If yo
nfigure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has
s checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or o
hether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
unsigned controls.
erent windows. Users cannot change this setting. In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog. In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process. If you do not configure this policy setting, the actions that may be harmfu
HTML form. If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted. If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone. If you do not configure this policy setting, users are q
s in other zones. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon with current u
do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components. If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers. High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted. If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior. If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned off by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, user
this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by P
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not confi

e implemented a custom security manager. If you do not configure this policy setting, only behaviors listed in the Admin-approved Behavio

d paste files from this zone automatically.

all desktop items from this zone.


ding XBAPs. If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior. If you do
AML files. If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. If you d
user cannot change this behavior. If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web

arch Connectors. If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. If you do not configure this

cified zones. If you disable this policy setting, video and animation cannot be played through older media players. If you do not configure th
can click on the Notification bar to allow the ActiveX control prompt.
ownload prompt.
er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content. If yo
nfigure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has
s checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or o
hether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
unsigned controls.
erent windows. Users cannot change this setting. In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog. In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process. If you do not configure this policy setting, the actions that may be harmfu
HTML form. If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted. If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone. If you do not configure this policy setting, users are q
s in other zones. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon with current u
do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components. If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers. High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted. If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior. If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned off by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, user
this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by P
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not confi

e implemented a custom security manager. If you do not configure this policy setting, only behaviors listed in the Admin-approved Behavio

d paste files from this zone automatically.

e automatically.
ding XBAPs. If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior. If you do
AML files. If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. If you d
user cannot change this behavior. If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web
arch Connectors. If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. If you do not configure this

cified zones. If you disable this policy setting, video and animation cannot be played through older media players. If you do not configure th

can click on the Notification bar to allow the ActiveX control prompt.
ownload prompt.
er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content. If yo
nfigure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has
check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off,
signed controls without user intervention.
unsigned controls.
erent windows. Users cannot change this setting. In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog. In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process. If you do not configure this policy setting, the actions that may be harmfu
HTML form. If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted. If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone. If you do not configure this policy setting, users can r
s in other zones. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon with current u
do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components. If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers. High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted. If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior. If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned off by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, user
this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by P
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not confi
e implemented a custom security manager. If you do not configure this policy setting, binary and script behaviors are not available unless a

hether to drag or copy files from this zone.

tems from this zone.


ding XBAPs. If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior. If you do
AML files. If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. If you d
user cannot change this behavior. If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another W

arch Connectors. If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. If you do not configure this

cified zones. If you disable this policy setting, video and animation cannot be played through older media players. If you do not configure th

can click on the Notification bar to allow the ActiveX control prompt.
ownload prompt.
er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content. If yo
nfigure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has
s checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or o
ot be downloaded.
unsigned controls.
erent windows. Users cannot change this setting. In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog. In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process. If you do not configure this policy setting, the actions that may be harmfu
HTML form. If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted. If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone. If you do not configure this policy setting, users are p
s in other zones. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon with current u
access applications from different domains. If you do not configure this policy setting, users cannot open other windows and frames from d

you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components. If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers.High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned off by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.If you do not configure this policy setting, user
this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by P
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not confi

e implemented a custom security manager.If you do not configure this policy setting, only behaviors listed in the Admin-approved Behavio

d paste files from this zone automatically.

e automatically.
ding XBAPs.If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you do
AML files.If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If you d
user cannot change this behavior.If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web

arch Connectors.If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure this

cified zones.If you disable this policy setting, video and animation cannot be played through older media players.If you do not configure th

can click on the Notification bar to allow the ActiveX control prompt.
ownload prompt.
er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.If yo
nfigure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has
s checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or o
signed controls without user intervention.
unsigned controls.
erent windows. Users cannot change this setting.In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process.If you do not configure this policy setting, the actions that may be harmfu
HTML form.If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running.If you disable this policy setting, Java applets cannot run.If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting, users can r
s in other zones. After a user is queried, these values can be used silently for the remainder of the session.Automatic logon with current u
do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

you disable this policy setting, Internet Explorer will not execute unsigned managed components.If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components.If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers.High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned off by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.If you do not configure this policy setting, user
this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by P
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not confi
appear to allow control over questionable content accessed over any restricted protocols; content over other protocols is unaffected.If yo

e implemented a custom security manager.If you do not configure this policy setting, binary and script behaviors are not available unless a

hether to drag or copy files from this zone.

tems from this zone.


ding XBAPs.If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you do
AML files.If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If you d
user cannot change this behavior.If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another W

arch Connectors.If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure this

cified zones.If you disable this policy setting, video and animation cannot be played through older media players.If you do not configure th

can click on the Notification bar to allow the ActiveX control prompt.
ownload prompt.
er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.If yo
nfigure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has
s checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or o
ot be downloaded.
unsigned controls.
erent windows. Users cannot change this setting.In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process.If you do not configure this policy setting, the actions that may be harmfu
HTML form.If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running.If you disable this policy setting, Java applets cannot run.If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting, users are p
s in other zones. After a user is queried, these values can be used silently for the remainder of the session.Automatic logon with current u
access applications from different domains.If you do not configure this policy setting, users cannot open other windows and frames from d

you disable this policy setting, Internet Explorer will not execute unsigned managed components.If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components.If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers.High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned off by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.If you do not configure this policy setting, user
this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by P
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not confi
w control over questionable content accessed over any restricted protocols; content over other protocols is unaffected.If you disable this

e implemented a custom security manager.If you do not configure this policy setting, binary and script behaviors are available.

d paste files from this zone automatically.

e automatically.
ding XBAPs.If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you do
AML files.If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If you d
user cannot change this behavior.If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web

arch Connectors.If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z
n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure this

cified zones.If you disable this policy setting, video and animation cannot be played through older media players.If you do not configure th

do not have installed.

er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.If yo
nfigure this policy setting, Internet Explorer does not prompt users with a "Client Authentication" message when they connect to a Web sit
check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off,
signed controls without user intervention.
to choose whether to allow the unsigned control to run.
erent windows. Users cannot change this setting.In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process.If you do not configure this policy setting, the MIME Sniffing Safety Featu
HTML form.If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running.If you disable this policy setting, Java applets cannot run.If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting, users can r
s in other zones. After a user is queried, these values can be used silently for the remainder of the session.Automatic logon with current u
do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

you disable this policy setting, Internet Explorer will not execute unsigned managed components.If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components.If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers.High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned on by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.If you do not configure this policy setting, user
le this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set b
arch results is displayed in the main window.If you disable or do not configure this policy setting, the user can specify what action applies
able this policy setting, you can choose where to direct the user after a search on the Address bar: a top-result website or a search-results
y setting, URL Suggestions will be turned on. Users will be able to turn on or turn off URL Suggestions in the Internet Options dialog. By de
icy setting, Internet Explorer uses Windows Search AutoComplete to provide relevant results in the Address bar. The user cannot change t
h update information URL.If you disable or do not configure this policy setting, the user can specify the cipher strength update information

onfigure this policy setting, the user can establish the InPrivate Filtering threshold by clicking the Safety button and then clicking InPrivate F
configure this policy setting, the user can establish the Tracking Protection threshold by clicking the Safety button and then clicking Trackin
you do not configure this policy setting, it can be configured on the Privacy tab in Internet Options.
d on or off on the Privacy tab in Internet Options.

you do not configure this policy setting, it can be configured through the registry.
for use.If you do not configure this policy setting, it can be configured through the registry.
pplication.If you disable or do not configure this policy setting, the reveal password button can be shown by the application as a user types
etting has no effect if Windows has been configured to enable Data Execution Prevention.
re this policy setting, Data URI support can be turned on or off through the registry.
st of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:Name o
spect add-on management user preferences or policy settings.
ons not listed within the 'Add-on List' policy setting. This policy setting effectively removes this option from users - all add-ons are assumed
t user preferences and policy settings. If you enter a Value of 0, the add-on management user preferences and policy settings are ignored
and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings. If you disable, or do not configure this policy setting,

t object.If you disable or do not configure this policy setting, websites can request data across domains by using the WebSocket object. By
est data across domains by using the XDomainRequest object.
#behavior notation, e.g., #default#vml.If you disable this policy setting, no behaviors will be allowed in zones set to 'admin-approved', just

MD4 signing technologies.


etting, binary behaviors are prevented for the File Explorer and Internet Explorer processes.
owed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored.Do
icy setting, Consistent Mime Handling is enabled for all processes.If you disable or do not configure this policy setting, Consistent Mime Ha
icy setting, Internet Explorer requires consistent MIME data for all received files.If you disable this policy setting, Internet Explorer will not
ows administrators to define applications for which they want this security feature to be prevented or allowed.If you enable this policy setti
urity applies to all local files and content processed by any process other than Internet Explorer or those defined in a process list.If you dis
tting, the Local Machine zone security applies to all local files and content processed by Internet Explorer.If you disable this policy setting, Lo
, Local Machine Zone security applies. If you enter a value of 0, Local Machine Zone security does not apply. If a Value Name is empty or th

s not 0 or 1, the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Process

Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.
r the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All P
ses other than File Explorer or Internet Explorer.If you do not configure this policy setting, no policy is enforced for processes other than F
e value names http and https.If you disable this policy setting, restricting content obtained through restricted protocols is prevented for Fil
ols is allowed. If you enter a Value of 0, restricting content obtained through restricted protocols is blocked. The Value Name is the name
ent over restricted protocols to access my computer."If you disable or do not configure this policy setting for a zone, no protocols are restr
ent over restricted protocols to access my computer."If you disable or do not configure this policy setting for a zone, no protocols are restr
ent over restricted protocols to access my computer."If you disable or do not configure this policy setting for a zone, no protocols are restr
ent over restricted protocols to access my computer."If you disable or do not configure this policy setting for a zone, no protocols are restr
ent over restricted protocols to access my computer."If you disable or do not configure this policy setting for a zone, no protocols are restr
on bar will not be displayed for all processes other than Internet Explorer or those listed in the Process List.
rer Processes.
ecutable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored.Do not enter the Internet Explorer processes in t

within or across domains for Internet Explorer processes.


s empty or the Value is not 0 or 1, the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Inte
rocesses other than Internet Explorer or those listed in the Process List receive no such protection.
et Explorer processes.If you disable this policy setting, no zone receives such protection for Internet Explorer processes.If you do not config
this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1, elevation to more privileged zones

elated Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes con

this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, th

ws and windows that obfuscate other windows.If you do not configure this policy setting, popup windows and other restrictions apply for
may not be opened. If you enter a Value of 0, windows have none of these restrictions. The Value Name is the name of the executable. If a
only icons.If you disable or do not configure this policy setting, the command buttons show selective text by default, and the user can cha

not prompted, and incompatible toolbars run unless previously disabled through policy settings or user choice.If you disable or do not con
custom administrative template file, see the Internet Explorer documentation on search providers.If you disable or do not configure this p

tting, users can change the Suggestions setting on the Settings charm.
nfigure this policy setting, newly installed add-ons are not automatically activated in the browser. Internet Explorer notifies the user when

able to use the Import/Export Settings wizard.

t user intervention.

e favorites, feeds, shortcuts to home page, and more. Full-screen mode disables not only these three bars, but also the shortcuts to these

websites to the exception list by enabling "Turn off Managing Pop-up Allow list" policy.

y settings to prevent the user from configuring pop-up behavior.

pting the user.If you disable or do not configure this policy setting, the user is prompted to decide the mode of operation for the phishing fi

may run the First Run wizard the first time the browser is started after installation.
ders that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative tem
tablished by the administrator.Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Win
e Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored.Also, see the

itly enabled through the creation of an integer setting. In this case, each Internet Explorer isolation setting will quickly grow to use the spe

nfigure this policy setting, users are notified when the average time to load all the user's enabled add-ons exceeds the threshold. This is th
ing the first-run experience.

es of the URL action for the application or process on the computer prevail.
operation.If you do not configure this policy setting, current values of the URL action for the Internet Explorer process prevail.
prompts are not bypassed. Value Name is the name of the executable file. If Value Name is empty or the value is not 0 or 1, the policy setti
ternet Explorer will be available, and users will see installed printers under the Devices charm.
tivate the feature by using the Compatibility View Settings dialog box.

tten to common Internet standards may be displayed incorrectly.If you disable this policy setting, Internet Explorer uses a current user age
) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user

olicy setting has no effect.


r can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history.
Settings charm.
he Delete Browsing History dialog box.If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is pres

iltering data when he or she clicks Delete.


ternet files settings""Disable changing history settings""Disable changing color settings""Disable changing link color settings""Disable chan

are always converted to IDN format.If you disable or do not configure this policy setting, the user can control this setting by using Advance

olicy, users will be prompted when Web Components such as fonts would be downloaded.

he policy setting, users can select the Always send Do Not Track header option, in Internet Explorer settings. By selecting this option, Intern
policy setting, Internet Explorer does not check the Internet for new versions of the browser, so does not prompt users to install them.
y have been revoked.
figure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloadi
least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.W

d.If you do not configure this policy, Internet Explorer will not delete the contents of the Temporary Internet Files folder when browser win

ate an encryption tunnel by using the encryption methods that you select from the drop-down list.If you disable or do not configure this p

for Profile Assistant information.


fault is to encode all query strings in UTF-8.
Settings charm.
If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by

led will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.If you do not configure this policy, users w

g session.If you do not configure this policy setting, Internet Explorer starts with the home page. Users can change this option to start with
ebsite Data Settings will be available to users. Users can choose whether or not to allow websites to store data on their computers.
es on Website Data Settings will be available to users. Users can choose whether or not to allow websites to store data on their computer
Explorer will allow trusted domains to store additional files in application caches, up to the limit set in this policy setting.If you disable or do

er will allow trusted domains to store additional data in indexed databases, up to the limit set in this group policy.If you disable or do not
nternet Explorer will use the default application cache individual resource size for all application caches resources. The default is 50 MB.
uding the page that referenced the manifest, that are less than or equal to the limit set in this policy setting.If you disable or do not configu
caches. The default is 1 GB.
xed databases. The default is 4 GB.
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should

e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should
mplate), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings t
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should

cation appears for intranet content loaded on a browser on a computer that is not a domain member, until the user turns off the Notificati
in the zone.If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from a
unaffected.If you disable this policy setting, all attempts to access such content over the restricted protocols is blocked.If you do not confi

viors are available.

change this behavior.If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior.If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
be redirected to another Web page.

e using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss.If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that in
yers.If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content.If you disable this policy setting, users cannot receive the security information message and nonsecure content c
onnect to a Web site that has no certificate or only one certificate.
can turn this behavior on or off, using Internet Explorer Security settings.
lently downloaded.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he MIME Sniffing Safety Feature will not apply in this zone.
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, the permission is set to High Safety.
this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
lications from other domains.

ot configure this policy setting, Internet Explorer will execute unsigned managed components.
e this policy setting, Internet Explorer will execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, users are queried to choose whether to allow information using HTML forms on pages in this zone
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web pa
will be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, Web sites from le
in the zone. If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that u
unaffected. If you disable this policy setting, all attempts to access such content over the restricted protocols are blocked. If you do not confi

viors are available.


change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
be redirected to another Web page.

e using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the a

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
hen they connect to a Web site that has no certificate or only one certificate.
an turn this behavior on or off, using Internet Explorer Security settings.
lently downloaded.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he MIME Sniffing Safety Feature will not apply in this zone.
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, the permission is set to Medium Safety.
this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
lications from other domains.

ot configure this policy setting, Internet Explorer will execute unsigned managed components.
e this policy setting, Internet Explorer will execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically.
tting, .NET Framework Setup is turned on by default. The user can change this behavior.
nfigure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web pa
will be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, Web sites from le
in the zone. If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from ano
unaffected. If you disable this policy setting, all attempts to access such content over the restricted protocols are blocked. If you do not confi

viors are available.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
be redirected to another Web page.

e using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the a

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
hen they connect to a Web site that has no certificate or only one certificate.
an turn this behavior on or off, using Internet Explorer Security settings.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he MIME Sniffing Safety Feature will not apply in this zone.
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, the permission is set to Medium Safety.
this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
lications from other domains.

ot configure this policy setting, Internet Explorer will not execute unsigned managed components.
e this policy setting, Internet Explorer will not execute signed managed components.
Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically.
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web pa
l be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, the possibly harmfu
in the zone. If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from a

n the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
be redirected to another Web page.

e using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that in

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
onnect to a Web site that has no certificate or only one certificate.
can turn this behavior on or off, using Internet Explorer Security settings.
lently downloaded.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, Java applets are disabled.
this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
lications from other domains.

ot configure this policy setting, Internet Explorer will not execute unsigned managed components.
e this policy setting, Internet Explorer will not execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, users are queried to choose whether to allow information using HTML forms on pages in this zone
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web pa
l be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, the possibly harmfu
in the zone. If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that u

n the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
be redirected to another Web page.

e using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that in

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.
nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
onnect to a Web site that has no certificate or only one certificate.
can turn this behavior on or off, using Internet Explorer Security settings.
lently downloaded.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, Java applets are disabled.
this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
lications from other domains.

ot configure this policy setting, Internet Explorer will not execute unsigned managed components.
e this policy setting, Internet Explorer will not execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically.
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web pa
l be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, the possibly harmfu
in the zone. If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from ano

n the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
be redirected to another Web page.
e using Search Connectors.
ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that in

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
onnect to a Web site that has no certificate or only one certificate.
an turn this behavior on or off, using Internet Explorer Security settings.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, Java applets are disabled.
this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
lications from other domains.

ot configure this policy setting, Internet Explorer will not execute unsigned managed components.
e this policy setting, Internet Explorer will not execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically.
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web pa
l be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, the possibly harmfu
in the zone. If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from a
viors are not available unless applications have implemented a custom security manager.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
not be redirected to another Web page.

zone using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that in

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
onnect to a Web site that has no certificate or only one certificate.
can turn this behavior on or off, using Internet Explorer Security settings.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, Java applets are disabled.
this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
er windows and frames from different domains or access applications from different domains.

ot configure this policy setting, Internet Explorer will not execute unsigned managed components.
e this policy setting, Internet Explorer will not execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, users are queried to choose whether to allow information using HTML forms on pages in this zone
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a We
l be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, the possibly harmfu
in the zone. If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from ano

n the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
be redirected to another Web page.

e using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that in

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
onnect to a Web site that has no certificate or only one certificate.
can turn this behavior on or off, using Internet Explorer Security settings.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, Java applets are disabled.
this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
lications from other domains.

ot configure this policy setting, Internet Explorer will not execute unsigned managed components.
e this policy setting, Internet Explorer will not execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically.
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web pa
l be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, the possibly harmfu
in the zone. If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from a
er protocols is unaffected. If you disable this policy setting, all attempts to access such content over the restricted protocols are blocked. If yo

viors are not available unless applications have implemented a custom security manager.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
not be redirected to another Web page.

zone using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that in

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
onnect to a Web site that has no certificate or only one certificate.
can turn this behavior on or off, using Internet Explorer Security settings.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, Java applets are disabled.
this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
er windows and frames from different domains or access applications from different domains.

ot configure this policy setting, Internet Explorer will not execute unsigned managed components.
e this policy setting, Internet Explorer will not execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, users are queried to choose whether to allow information using HTML forms on pages in this zone
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a We
l be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, the possibly harmfu
in the zone. If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from ano
unaffected. If you disable this policy setting, all attempts to access such content over the restricted protocols are blocked. If you do not confi

viors are available.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
be redirected to another Web page.

e using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z
ss. If you do not configure this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the a

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
hen they connect to a Web site that has no certificate or only one certificate.
an turn this behavior on or off, using Internet Explorer Security settings.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he MIME Sniffing Safety Feature will not apply in this zone.
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, the permission is set to Low Safety.
this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
lications from other domains.

ot configure this policy setting, Internet Explorer will execute unsigned managed components.
e this policy setting, Internet Explorer will execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically.
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web pa
will be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, a warning is issue
n specify what action applies to searches on the Address bar.
ult website or a search-results webpage in the main window. If you disable or do not configure this policy setting, the user can select their p
Internet Options dialog. By default, URL Suggestions are turned on.
bar. The user cannot change this setting. If you do not configure this policy setting, the user can choose to turn the Use Windows Search se
r strength update information URL.

on and then clicking InPrivate Filtering.


utton and then clicking Tracking Protection.

the application as a user types in a password. The reveal password button is visible by default. On at least Windows 8, if the "Do not displa

following information: Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in br

sers - all add-ons are assumed to be denied unless they are specifically allowed through the 'Add-on List' policy setting. If you enable this p
nd policy settings are ignored by the specified process. The Value Name is the name of the executable. If a Value Name is empty or the Val
ot configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate

sing the WebSocket object. By default, the WebSocket object is enabled.

s set to 'admin-approved', just as if those zones were set to 'disable'. If you do not configure this policy setting, only VML will be allowed in

e policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to en
cy setting, Consistent Mime Handling is prevented for all processes.
tting, Internet Explorer will not require consistent MIME data for all received files. If you do not configure this policy setting, Internet Explor
ed. If you enable this policy setting and enter a Value of 1, MIME handling is in effect. If you enter a Value of 0 file-type information is allow
fined in a process list. If you disable or do not configure this policy setting, Local Machine zone security is not applied to local files or conten
u disable this policy setting, Local Machine zone security is not applied to local files or content processed by Internet Explorer. If you do no
If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: us

ated Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes config
isable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If y
ced for processes other than File Explorer and Internet Explorer.
protocols is prevented for File Explorer and Internet Explorer processes. If you do not configure this policy setting, the policy setting is ign
The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not en
a zone, no protocols are restricted for that zone, regardless of the setting for "Allow active content over restricted protocols to access my
a zone, no protocols are restricted for that zone, regardless of the setting for "Allow active content over restricted protocols to access my
a zone, no protocols are restricted for that zone, regardless of the setting for "Allow active content over restricted protocols to access my
a zone, no protocols are restricted for that zone, regardless of the setting for "Allow active content over restricted protocols to access my
a zone, no protocols are restricted for that zone, regardless of the setting for "Allow active content over restricted protocols to access my

nternet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable for IE processes. If the All Proc

n this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled,

processes. If you do not configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.
ation to more privileged zones can be prevented. If you enter a Value of 0, elevation to any zone is allowed. The Value Name is the name o

is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the

ses policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this p

nd other restrictions apply for File Explorer and Internet Explorer processes.
he name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explo
y default, and the user can change this.

ce. If you disable or do not configure this policy setting, the toolbar upgrade tool checks for incompatible toolbars. The user can enable or
able or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such

xplorer notifies the user when newly installed add-ons are ready for use. The user must choose to activate them by responding to the noti

but also the shortcuts to these bars. If you enable this policy setting, the navigation bar, the menu bar, and the Command bar are not visibl

of operation for the phishing filter.

gh a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explore
Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the inte
policy is ignored. Also, see the "Security zones: Use only machine settings" policy.

will quickly grow to use the specified integer number of tab processes, regardless of the physical memory on the computer or how many In

ceeds the threshold. This is the default.


er process prevail.
ue is not 0 or 1, the policy setting is ignored. If you enable this policy setting for an application or process in the list, a script can perform a C

plorer uses a current user agent string. Additionally, all Standards Mode webpages appear in the Standards Mode available in the latest ve
r 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box. If you do not configure this p

browsing history.

and Do Not Track data is preserved when the user clicks Delete. If you disable this policy setting, ActiveX Filtering, Tracking Protection and
nk color settings" "Disable changing font settings" "Disable changing language settings" "Disable changing accessibility settings"

this setting by using Advanced Options in Internet Control Panel. By default, domain names are converted to IDN format only for address

By selecting this option, Internet Explorer sends a DNT:1 header with all HTTP and HTTPS requests; unless the user grants a site-specific ex
mpt users to install them.

ir identities before downloading them to user computers.


registry and the file system. When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an ActiveX

Files folder when browser windows are closed.

able or do not configure this policy setting, the user can select which encryption method the browser supports. Note: SSL 2.0 is off by defau

. This feature is turned off by default.

t configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dial

hange this option to start with the tabs from the last session.
ta on their computers.
store data on their computers.
licy setting. If you disable or do not configure this policy setting, Internet Explorer will use the default maximum storage limit for all applica

policy. If you disable or do not configure this policy setting, Internet Explorer will use the default maximum storage limit for all indexed data
urces. The default is 50 MB.
f you disable or do not configure this policy setting, Internet Explorer will use the default maximum application cache resource list size for

rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o

rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o
rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o
rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o
rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o
rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o
rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o
rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o
rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o
have special security settings that protect your local computer.) If you enable this policy setting, you can enter a list of sites and their relate
rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o

he user turns off the Notification bar.


L or ADO to access data from another site in the zone.
is blocked. If you do not configure this policy setting, the Notification bar will appear to allow control over questionable content accessed

nside Internet Explorer.


files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone a
rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore

ot configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

s on the pages in this zone.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ

usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
ML forms on pages in this zone to be submitted.

re, or directly within a Web page saved to disk.


olicy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
is blocked. If you do not configure this policy setting, the Notification bar will appear to allow control over questionable content accessed
nside Internet Explorer.
files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

curity zone runs without the added layer of security provided by this feature.

rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore

ot configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

s on the pages in this zone.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ

usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
d automatically.
re, or directly within a Web page saved to disk.
olicy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
ADO to access data from another site in the zone.
is blocked. If you do not configure this policy setting, the Notification bar will appear to allow control over questionable content accessed

nside Internet Explorer.


files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

curity zone runs without the added layer of security provided by this feature.

rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore

ot configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

hout user intervention.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ
usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
d automatically.

re, or directly within a Web page saved to disk.


cy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protectio
L or ADO to access data from another site in the zone.

nside Internet Explorer.


files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone a

rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore
ne, as dictated by the feature control setting for the process.
ot configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

s on the pages in this zone.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ

usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
ML forms on pages in this zone to be submitted.

re, or directly within a Web page saved to disk.


cy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protectio
to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

nside Internet Explorer.


files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone a

rs in specified zones.
ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore
ne, as dictated by the feature control setting for the process.

ot configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

s on the pages in this zone.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ

usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
d automatically.

re, or directly within a Web page saved to disk.


cy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protectio
ADO to access data from another site in the zone.

nside Internet Explorer.


files inside Internet Explorer.
custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone a

rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore
ne, as dictated by the feature control setting for the process.

ot configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

hout user intervention.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ

usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
d automatically.

re, or directly within a Web page saved to disk.


cy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protectio
L or ADO to access data from another site in the zone.
nside Internet Explorer.
files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone a

rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore
ne, as dictated by the feature control setting for the process.

ot configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

he pages in this zone.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ

usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
ML forms on pages in this zone to be submitted.
store, or directly within a Web page saved to disk.
cy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protectio
ADO to access data from another site in the zone.

nside Internet Explorer.


files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone a

rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore
ne, as dictated by the feature control setting for the process.

ot configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

hout user intervention.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ
usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
d automatically.

re, or directly within a Web page saved to disk.


cy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protectio
L or ADO to access data from another site in the zone.
cted protocols is blocked. If you do not configure this policy setting, all attempts to access such content over the restricted protocols is blo

nside Internet Explorer.


files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone a

rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information
destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore
ne, as dictated by the feature control setting for the process.

ot configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

he pages in this zone.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ

usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
ML forms on pages in this zone to be submitted.

store, or directly within a Web page saved to disk.


cy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protectio
ADO to access data from another site in the zone.
is blocked. If you do not configure this policy setting, the Notification bar will appear to allow control over questionable content accessed

nside Internet Explorer.


files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able
curity zone runs without the added layer of security provided by this feature.

rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore

ot configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

hout user intervention.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ

usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
d automatically.

re, or directly within a Web page saved to disk.


olicy setting, a warning is issued to the user that potentially risky navigation is about to occur.
tting, the user can select their preference for this behavior. Browsing to the top-result website is the default.

rn the Use Windows Search setting on or off. Note: If you enable this policy setting, feeds do not appear in the Address bar. This does not a

ndows 8, if the "Do not display the reveal password button" policy setting located in Computer Configuration\Administrative Templates\W

ist. The CLSID should be in brackets for example, '{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obta

licy setting. If you enable this policy setting, Internet Explorer only allows add-ons that are specifically listed (and allowed) through the 'Add
alue Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter Internet Explorer processes in this list because the
lorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box. Note that Adobe Flash c

g, only VML will be allowed in zones set to 'admin-approved'. Note. If this policy is set in both Computer Configuration and User Configura

xplorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this box

policy setting, Internet Explorer requires consistent MIME data for all received files.
0 file-type information is allowed to be inconsistent. The Value Name is the name of the executable. If a Value Name is empty or the Value
applied to local files or content processed by any process other than Internet Explorer or those defined in a process list.
Internet Explorer. If you do not configure this policy setting, the Local Machine zone security applies to all local files and content processed
plorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy s

enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the se
ecedence over that setting. If you disable or do not configure this policy setting, the policy setting is ignored.

etting, the policy setting is ignored.


cy setting is ignored. Do not enter the File Explorer or Internet Explorer processes in this list: use the related Internet Explorer Processes po
tricted protocols to access my computer." Note. If policy for a zone is set in both Computer Configuration and User Configuration, both lis
tricted protocols to access my computer." Note. If policy for a zone is set in both Computer Configuration and User Configuration, both lis
tricted protocols to access my computer." Note. If policy for a zone is set in both Computer Configuration and User Configuration, both lis
tricted protocols to access my computer." Note. If policy for a zone is set in both Computer Configuration and User Configuration, both lis
tricted protocols to access my computer." Note. If policy for a zone is set in both Computer Configuration and User Configuration, both lis

for IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you

esses policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure thi

rnet Explorer processes.


The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not ente

onfigure this policy setting, the security feature is allowed.

able or do not configure this policy setting, the security feature is allowed.

o not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes

olbars. The user can enable or disable incompatible toolbars. Toolbars that are enabled or disabled via policy settings do not undergo these
er policy setting restricts such configuration.

hem by responding to the notification, using Manage Add-ons, or using other methods.

e Command bar are not visible, and the user cannot access them. If you disable or do not configure this policy setting, the user can view an

e file, see the Internet Explorer documentation on search providers. If you disable or do not configure this policy setting, the user can config
the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. Also, see the "Security zones: U

the computer or how many Internet Explorer isolation settings are running. If you enable this policy setting, you set the rate at which Inter
he list, a script can perform a Clipboard operation without prompting the user. This means that if the zone behavior is currently set to prom

Mode available in the latest version of Internet Explorer. This option matches the default behavior of Internet Explorer. If you do not config
x. If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appen

ering, Tracking Protection and Do Not Track data is deleted when the user clicks Delete. If you don't configure this policy setting, users can
ssibility settings"

o IDN format only for addresses that are not in the Intranet zone.

e user grants a site-specific exception. Internet Explorer sends a DNT:0 header to any sites granted an exception. By default, this option is

at attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet Explorer notifies the user and gives

ts. Note: SSL 2.0 is off by default. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality

ab of the Internet Options dialog.


um storage limit for all application caches. The default is 50 MB.

orage limit for all indexed databases. The default is 500 MB.

on cache resource list size for all application caches. The default is 1000 resources.

e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can

e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can
e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can
e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can
e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can
e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can
e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can
e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can
e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can
r a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified
e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can

uestionable content accessed over any restricted protocols when the Network Protocol Lockdown security feature is enabled.

e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the

afety. If you do not configure this policy setting, permissions are set to Medium safety.

uestionable content accessed over any restricted protocols when the Network Protocol Lockdown security feature is enabled.
e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the

afety. If you do not configure this policy setting, permissions are set to Medium safety.
uestionable content accessed over any restricted protocols when the Network Protocol Lockdown security feature is enabled.

e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

or scripted.

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the
afety. If you do not configure this policy setting, permissions are set to Low safety.

n this zone as set by Protection from Zone Elevation feature control.

e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o
logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the

afety. If you do not configure this policy setting, permissions are set to Low safety.

n this zone as set by Protection from Zone Elevation feature control.

e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the

afety. If you do not configure this policy setting, permissions are set to Low safety.

n this zone as set by Protection from Zone Elevation feature control.


e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the

afety. If you do not configure this policy setting, permissions are set to Low safety.

n this zone as set by Protection from Zone Elevation feature control.


e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the

afety. If you do not configure this policy setting, permissions are set to Low safety.
n this zone as set by Protection from Zone Elevation feature control.

e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the
afety. If you do not configure this policy setting, permissions are set to Low safety.

n this zone as set by Protection from Zone Elevation feature control.

the restricted protocols is blocked when the Network Protocol Lockdown security feature is enabled.

e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.
Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the

afety. If you do not configure this policy setting, permissions are set to High safety.

n this zone as set by Protection from Zone Elevation feature control.

uestionable content accessed over any restricted protocols when the Network Protocol Lockdown security feature is enabled.

e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p
eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

or scripted.

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the

afety. If you do not configure this policy setting, permissions are set to Low safety.
e Address bar. This does not affect subscribing to feeds and interacting with them through the Favorites Center.

n\Administrative Templates\Windows Components\Credential User Interface is enabled for the system, it will override this policy setting.

LSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. Value - A number indic

and allowed) through the 'Add-on List' policy setting. If you disable or do not configure this policy setting, users may use Add-on Manager t
ocesses in this list because these processes always respect add-on management user preferences and policy settings. If the All Processes p
g box. Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on

figuration and User Configuration, both lists of behaviors will be allowed as appropriate.

rocesses configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the security feature

ue Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the re
process list.
cal files and content processed by Internet Explorer.
es. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do

figure this policy setting, the security feature is allowed.


nternet Explorer Processes policy to enable or disable these processes. If the All Processes policy setting is enabled, the processes configur
d User Configuration, both lists of protocols will be restricted for that zone.
d User Configuration, both lists of protocols will be restricted for that zone.
d User Configuration, both lists of protocols will be restricted for that zone.
d User Configuration, both lists of protocols will be restricted for that zone.
d User Configuration, both lists of protocols will be restricted for that zone.

dence over that setting. If you disable or do not configure this policy setting, the Notification bar is not displayed for the specified process

disable or do not configure this policy setting, the security feature is allowed.

y setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or

enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that

settings do not undergo these checks.


y setting, the user can view and access the navigation bar, the menu bar, and the Command bar.

licy setting, the user can configure his or her list of search providers.
Also, see the "Security zones: Use only machine settings" policy.

you set the rate at which Internet Explorer creates new tab processes to low, medium, or high, or to an integer. If you disable or do not con
ehavior is currently set to prompt, it will be bypassed and enabled. If you disable this policy setting for an application or process in the list, a

et Explorer. If you do not configure this policy setting, the user can turn on and turn off Internet Explorer 7 Standards Mode.
with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Expl

e this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do No
tion. By default, this option is turned on.

rer notifies the user and gives the option to disable Enhanced Protected Mode for that particular website. If you enable this policy setting,

erformance and functionality of TLS 1.0.


gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in

gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in
gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in
gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in
gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in
gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in
gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in
gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in
gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in
urity settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information: Value
gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in

eature is enabled.

of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

ng for the process.


(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password. If you disable this policy setting, logon is set to Auto

eature is enabled.
of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password. If you disable this policy setting, logon is set to Auto
eature is enabled.

of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password. If you disable this policy setting, logon is set to Auto
of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

ng for the process.

(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch
t supported by the server, the user is queried to provide the user name and password. If you disable this policy setting, logon is set to Auto

of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

ng for the process.


(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password. If you disable this policy setting, logon is set to Auto
of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

ng for the process.

(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password. If you disable this policy setting, logon is set to Auto
of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

ng for the process.

(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password. If you disable this policy setting, logon is set to Auto
of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

ng for the process.

(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password. If you disable this policy setting, logon is set to Auto
of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

ng for the process.

(http://) content.
ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password. If you disable this policy setting, logon is set to Auto

eature is enabled.

of the item. If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon
(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password. If you disable this policy setting, logon is set to Auto
ill override this policy setting.

renced. Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on sho

ers may use Add-on Manager to allow or deny any add-ons that are not included in the 'Add-on List' policy setting. Note: If an add-on is liste
settings. If the All Processes policy setting is enabled, the processes configured in this policy setting take precedence over that setting. If yo
ecifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disa

y setting, the security feature is allowed.

rocesses in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting i

hat setting. If you disable or do not configure this policy setting, the security feature is allowed.
nabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the sec

ayed for the specified processes.

Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take p

box take precedence over that setting. If you disable or do not configure this policy setting, the security feature is allowed.
er. If you disable or do not configure this policy setting, the tab process growth is set to the default. The user can change this value by usin
lication or process in the list, a script that is running in the application or process cannot bypass the prompt for delete, copy, or paste ope

andards Mode.
pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer c

racking Protection, and Do Not Track data when clicking Delete.


you enable this policy setting, Internet Explorer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode
itance, or enforce) to apply individual settings to specific targets.

itance, or enforce) to apply individual settings to specific targets.


itance, or enforce) to apply individual settings to specific targets.
itance, or enforce) to apply individual settings to specific targets.
itance, or enforce) to apply individual settings to specific targets.
itance, or enforce) to apply individual settings to specific targets.
itance, or enforce) to apply individual settings to specific targets.
itance, or enforce) to apply individual settings to specific targets.
itance, or enforce) to apply individual settings to specific targets.
e following information: Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may al
itance, or enforce) to apply individual settings to specific targets.

earch query results in this zone using File Explorer. If you disable this policy setting, users will be prevented from previewing items and get
hange this setting.
ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Automatic logon o
earch query results in this zone using File Explorer. If you disable this policy setting, users will be prevented from previewing items and get

hange this setting.


ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Automatic logon o
earch query results in this zone using File Explorer. If you disable this policy setting, users will be prevented from previewing items and get

hange this setting.


ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Automatic logon w
earch query results in this zone using File Explorer. If you disable this policy setting, users will be prevented from previewing items and get

hange this setting.


ame window. Users cannot change this setting in the Internet Options dialog.
cy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Automatic logon o

earch query results in this zone using File Explorer. If you disable this policy setting, users will be prevented from previewing items and get
hange this setting.
ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Automatic logon o
earch query results in this zone using File Explorer. If you disable this policy setting, users will be prevented from previewing items and get

hange this setting.


ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Automatic logon w
earch query results in this zone using File Explorer. If you disable this policy setting, users will be prevented from previewing items and get

hange this setting.


ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Prompt for userna
earch query results in this zone using File Explorer. If you disable this policy setting, users will be prevented from previewing items and get

hange this setting.


ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Automatic logon w
earch query results in this zone using File Explorer. If you disable this policy setting, users will be prevented from previewing items and get
hange this setting.
ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Prompt for userna

earch query results in this zone using File Explorer. If you disable this policy setting, users will be prevented from previewing items and get
hange this setting.
ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Automatic logon w
. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) in

etting. Note: If an add-on is listed in the 'Add-on List' policy setting, the user cannot change its state through Add-on Manager (unless its va
cedence over that setting. If you do not configure this policy, processes other than the Internet Explorer processes will not be affected by a
However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy se

e All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not con
gure this policy setting, the security feature is allowed.

s configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the security feature is allow

re is allowed.
can change this value by using the registry key. Note: On Terminal Server, the default value is the integer "1".
for delete, copy, or paste operations from the Clipboard. If you do not configure this policy setting, current values of the URL action for an

xisting webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the defaul
ted Mode. All Protected Mode websites will run in Enhanced Protected Mode. If you disable or do not configure this policy setting, Internet
er sites. The valuename may also include a specific protocol. For example, if you enter http://www.contoso.com as the valuename,

rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. If you do not configure th
gon is set to Automatic logon only in Intranet zone.
rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. If you do not configure th

gon is set to Automatic logon only in Intranet zone.


rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. If you do not configure th

gon is set to Automatic logon with current username and password.


rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. If you do not configure th
gon is set to Automatic logon only in Intranet zone.

rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. If you do not configure th
gon is set to Automatic logon only in Intranet zone.
rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. If you do not configure th

gon is set to Automatic logon with current username and password.


rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. If you do not configure th

gon is set to Prompt for username and password.


rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. If you do not configure th

gon is set to Automatic logon with current username and password.


rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. If you do not configure th
gon is set to Prompt for username and password.

rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. If you do not configure th
gon is set to Automatic logon with current username and password.
be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on thr

Add-on Manager (unless its value has been set to allow user management - see the 'Add-on List' policy for more details).
esses will not be affected by add-on management user preferences or policy settings (unless "All Processes" is enabled).
ed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiat

ng. If you disable or do not configure this policy setting, the security feature is allowed.
g, the security feature is allowed.
alues of the URL action for an application or process in the list prevail.

his option matches the default behavior of Internet Explorer.


ure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regula
oso.com as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected

orer. If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this
orer. If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this
orer. If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this
orer. If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this
orer. If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this
orer. If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this
orer. If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in th
orer. If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this
orer. If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in th
orer. If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this
user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. If you disable this policy setting, the list is deleted. The

ore details).
is enabled).
plorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the
tible ActiveX controls in regular Protected Mode. This is the default behavior.
n all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0

enSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows.
enSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows.
enSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows.
enSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows.
enSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows.
enSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows.
penSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows.
enSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows.
penSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows.
enSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows.
setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether ad

in Internet Explorer 10" in the Internet Explorer TechNet library.


d as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters

ser logs off from Windows.


ser logs off from Windows.
ser logs off from Windows.
ser logs off from Windows.
ser logs off from Windows.
ser logs off from Windows.
user logs off from Windows.
ser logs off from Windows.
user logs off from Windows.
ser logs off from Windows.
will still determine whether add-ons not in this list are assumed to be denied.
include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and
ngs for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would there
net Explorer, and would therefore be in conflict. Value - A number indicating the zone with which this site should be associated for security
ould be associated for security settings. The Internet Explorer zones described above are 1-4. If you disable or do not configure this policy,
r do not configure this policy, users may choose their own site-to-zone assignments.
Policy Path
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer
Windows Components\Internet Explorer\Accelerat
Windows Components\Internet Explorer\Accelerat
Windows Components\Internet Explorer\Accelerat
Windows Components\Internet Explorer\Accelerat
Windows Components\Internet Explorer\Administr
Windows Components\Internet Explorer\Administr
Windows Components\Internet Explorer\Administr
Windows Components\Internet Explorer\Administr
Windows Components\Internet Explorer\Administr
Windows Components\Internet Explorer\Administr
Windows Components\Internet Explorer\Administr
Windows Components\Internet Explorer\Administr
Windows Components\Internet Explorer\Administr
Windows Components\Internet Explorer\Administr
Windows Components\Internet Explorer\Administr
Windows Components\Internet Explorer\Administr
Windows Components\Internet Explorer\Applicatio
Windows Components\Internet Explorer\Applicatio
Windows Components\Internet Explorer\Applicatio
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Browser
Windows Components\Internet Explorer\Compatibi
Windows Components\Internet Explorer\Compatibi
Windows Components\Internet Explorer\Compatibi
Windows Components\Internet Explorer\Compatibi
Windows Components\Internet Explorer\Compatibi
Windows Components\Internet Explorer\Compatibi
Windows Components\Internet Explorer\Compatibi
Windows Components\Internet Explorer\Delete Br
Windows Components\Internet Explorer\Delete Br
Windows Components\Internet Explorer\Delete Br
Windows Components\Internet Explorer\Delete Br
Windows Components\Internet Explorer\Delete Br
Windows Components\Internet Explorer\Delete Br
Windows Components\Internet Explorer\Delete Br
Windows Components\Internet Explorer\Delete Br
Windows Components\Internet Explorer\Delete Br
Windows Components\Internet Explorer\Delete Br
Windows Components\Internet Explorer\Delete Br
Windows Components\Internet Explorer\Delete Br
Windows Components\Internet Explorer\Delete Br
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet C
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet Co
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet Se
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet S
Windows Components\Internet Explorer\Internet Se
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Internet Se
Windows Components\Internet Explorer\Internet Se
Windows Components\Internet Explorer\Internet Se
Windows Components\Internet Explorer\Internet Se
Windows Components\Internet Explorer\Internet Se
Windows Components\Internet Explorer\Internet Se
Windows Components\Internet Explorer\Internet Se
Windows Components\Internet Explorer\Internet Se
Windows Components\Internet Explorer\Internet
Windows Components\Internet Explorer\Offline P
Windows Components\Internet Explorer\Offline P
Windows Components\Internet Explorer\Offline P
Windows Components\Internet Explorer\Offline P
Windows Components\Internet Explorer\Offline P
Windows Components\Internet Explorer\Offline P
Windows Components\Internet Explorer\Offline P
Windows Components\Internet Explorer\Offline P
Windows Components\Internet Explorer\Offline P
Windows Components\Internet Explorer\Offline P
Windows Components\Internet Explorer\Offline P
Windows Components\Internet Explorer\Persisten
Windows Components\Internet Explorer\Persisten
Windows Components\Internet Explorer\Persisten
Windows Components\Internet Explorer\Persisten
Windows Components\Internet Explorer\Persisten
Windows Components\Internet Explorer\Privacy
Windows Components\Internet Explorer\Privacy
Windows Components\Internet Explorer\Privacy
Windows Components\Internet Explorer\Privacy
Windows Components\Internet Explorer\Privacy
Windows Components\Internet Explorer\Privacy
Windows Components\Internet Explorer\Privacy
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security Fe
Windows Components\Internet Explorer\Security Fe
Windows Components\Internet Explorer\Security Fe
Windows Components\Internet Explorer\Security Fe
Windows Components\Internet Explorer\Security Fe
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security Fe
Windows Components\Internet Explorer\Security Fe
Windows Components\Internet Explorer\Security Fe
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security Fea
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Security F
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Explorer\Toolbars
Policy Setting Name
Add a specific list of search providers to the user's list of search providers
Allow Internet Explorer 8 shutdown behavior
Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar
Automatically activate newly installed add-ons
Configure Media Explorer Bar
Configure Outlook Express
Customize user agent string
Disable AutoComplete for forms
Disable caching of Auto-Proxy scripts
Disable changing accessibility settings
Disable changing Advanced page settings
Disable changing Automatic Configuration settings
Disable changing Calendar and Contact settings
Disable changing certificate settings
Disable changing color settings
Disable changing connection settings
Disable changing default browser check
Disable changing font settings
Disable changing home page settings
Disable changing language settings
Disable changing link color settings
Disable changing Messaging settings
Disable changing Profile Assistant settings
Disable changing ratings settings
Disable changing secondary home page settings
Disable changing Temporary Internet files settings
Disable external branding of Internet Explorer
Disable Import/Export Settings wizard
Disable Internet Connection wizard
Disable the Reset Web Settings feature
Display error message on proxy script download failure
Do not allow users to enable or disable add-ons
Enforce full-screen mode
Identity Manager: Prevent users from using Identities
Notify users if Internet Explorer is not the default web browser
Pop-up allow list
Position the menu bar above the navigation bar
Prevent "Fix settings" functionality
Prevent access to Internet Explorer Help
Prevent bypassing SmartScreen Filter warnings
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
Prevent changing pop-up filter level
Prevent changing proxy settings
Prevent changing the default search provider
Prevent configuration of how windows open
Prevent configuration of new tab creation
Prevent Internet Explorer Search box from appearing
Prevent managing pop-up exception list
Prevent managing SmartScreen Filter
Prevent managing the phishing filter
Prevent participation in the Customer Experience Improvement Program
Prevent per-user installation of ActiveX controls
Prevent running First Run wizard
Restrict search providers to a specific list
Search: Disable Find Files via F3 within the browser
Search: Disable Search Customization
Set tab process growth
Specify default behavior for a new tab
Specify use of ActiveX Installer Service for installation of ActiveX controls
Turn off ability to pin sites in Internet Explorer on the desktop
Turn off ActiveX Opt-In prompt
Turn off add-on performance notifications
Turn off Automatic Crash Recovery
Turn off browser geolocation
Turn off configuration of pop-up windows in tabbed browsing
Turn off Crash Detection
Turn off Favorites bar
Turn off Managing SmartScreen Filter for Internet Explorer 8
Turn off page-zooming functionality
Turn off pop-up management
Turn off Quick Tabs functionality
Turn off Reopen Last Browsing Session
Turn off suggestions for all user-installed providers
Turn off Tab Grouping
Turn off tabbed browsing
Turn off the auto-complete feature for web addresses
Turn off the quick pick menu
Turn off the Security Settings Check feature
Turn on ActiveX Filtering
Turn on compatibility logging
Turn on menu bar by default
Turn on Suggested Sites
Turn on the auto-complete feature for user names and passwords on forms
Use Automatic Detection for dial-up connections
Add default Accelerators
Add non-default Accelerators
Restrict Accelerators to those deployed through Group Policy
Turn off Accelerators
Audio/Video Player
Carpoint
DHTML Edit Control
Investor
Menu Controls
Microsoft Agent
Microsoft Chat
Microsoft Scriptlet Component
Microsoft Survey Control
MSNBC
NetShow File Transfer Control
Shockwave Flash
Bypass prompting for Clipboard access for scripts running in any process
Bypass prompting for Clipboard access for scripts running in the Internet Explorer process
Define applications and processes that can access the Clipboard without prompting
Disable Open in New Window menu option
Disable Save this program to disk option
File menu: Disable closing the browser and Explorer windows
File menu: Disable New menu option
File menu: Disable Open menu option
File menu: Disable Save As Web Page Complete
File menu: Disable Save As... menu option
Help menu: Remove 'For Netscape Users' menu option
Help menu: Remove 'Send Feedback' menu option
Help menu: Remove 'Tip of the Day' menu option
Help menu: Remove 'Tour' menu option
Hide Favorites menu
Tools menu: Disable Internet Options... menu option
Turn off Print Menu
Turn off Shortcut Menu
View menu: Disable Full Screen menu option
View menu: Disable Source menu option
Include updated website lists from Microsoft
Turn off Compatibility View
Turn off Compatibility View button
Turn on Internet Explorer 7 Standards Mode
Turn on Internet Explorer Standards Mode for local intranet
Use Policy List of Internet Explorer 7 sites
Use Policy List of Quirks Mode sites
Allow deleting browsing history on exit
Disable "Configuring History"
Prevent access to Delete Browsing History
Prevent deleting ActiveX Filtering, Tracking Protection, and Do Not Track data
Prevent deleting cookies
Prevent deleting download history
Prevent deleting favorites site data
Prevent deleting form data
Prevent deleting InPrivate Filtering data
Prevent deleting passwords
Prevent deleting temporary Internet files
Prevent deleting websites that the user has visited
Prevent the deletion of temporary Internet files and cookies
Disable the Advanced page
Disable the Connections page
Disable the Content page
Disable the General page
Disable the Privacy page
Disable the Programs page
Disable the Security page
Prevent ignoring certificate errors
Send internationalized domain names
Use UTF-8 for mailto links
Allow active content from CDs to run on user machines
Allow Install On Demand (except Internet Explorer)
Allow Install On Demand (Internet Explorer)
Allow Internet Explorer to use the SPDY/3 network protocol
Allow software to run or install even if the signature is invalid
Allow third-party browser extensions
Always send Do Not Track header
Automatically check for Internet Explorer updates
Check for server certificate revocation
Check for signatures on downloaded programs
Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled
Do not allow resetting Internet Explorer settings
Do not save encrypted pages to disk
Empty Temporary Internet Files folder when browser is closed
Play animations in web pages
Play sounds in web pages
Play videos in web pages
Turn off ClearType
Turn off encryption support
Turn off loading websites and content in the background to optimize performance
Turn off Profile Assistant
Turn off sending UTF-8 query strings for URLs
Turn off the flip ahead with page prediction feature
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows
Turn on Caret Browsing support
Turn on Enhanced Protected Mode
Use HTTP 1.1
Use HTTP 1.1 through proxy connections
Show Content Advisor on Internet Options
Start Internet Explorer with tabs from last browsing session
Allow websites to store application caches on client computers
Allow websites to store indexed databases on client computers
Set application cache storage limits for individual domains
Set application caches expiration time limit for individual domains
Set default storage limits for websites
Set indexed database storage limits for individual domains
Set maximum application cache individual resource size
Set maximum application cache resource list size
Set maximum application caches storage limit for all domains
Set maximum indexed database storage limit for all domains
Internet Zone Template
Intranet Sites: Include all local (intranet) sites not listed in other zones
Intranet Sites: Include all network paths (UNCs)
Intranet Sites: Include all sites that bypass the proxy server
Intranet Zone Template
Local Machine Zone Template
Locked-Down Internet Zone Template
Locked-Down Intranet Zone Template
Locked-Down Local Machine Zone Template
Locked-Down Restricted Sites Zone Template
Locked-Down Trusted Sites Zone Template
Restricted Sites Zone Template
Site to Zone Assignment List
Trusted Sites Zone Template
Turn on automatic detection of intranet
Turn on certificate address mismatch warning
Turn on Notification bar notification for intranet content
Access data sources across domains
Allow active content over restricted protocols to access my computer
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active content over restricted protocols to access my computer
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active content over restricted protocols to access my computer
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active content over restricted protocols to access my computer
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Access data sources across domains
Allow active content over restricted protocols to access my computer
Allow active scripting
Allow binary and script behaviors
Allow cut, copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Open Internet Explorer tiles on the desktop
Set how links are opened in Internet Explorer
Go to an intranet site for a one-word entry in the Address bar
Turn off configuring underline links
Turn off details in messages about Internet connection problems
Turn off page transitions
Turn off phone number detection
Turn off smooth scrolling
Turn on script debugging
Turn on the display of script errors
Start the Internet Connection Wizard automatically
Allow Internet Explorer to play media files that use alternative codecs
Allow the display of image download placeholders
Turn off automatic image resizing
Turn off image display
Turn off smart image dithering
Turn on printing of background colors and images
Prevent configuration of search on Address bar
Prevent configuration of top-result search on Address bar
Turn on automatic signup
Turn off inline AutoComplete in File Explorer
Turn off URL Suggestions
Turn off Windows Search AutoComplete
Turn on inline AutoComplete
Prevent choosing default text size
Prevent specifying background color
Prevent specifying text color
Prevent the use of Windows colors
Prevent specifying the color of links that have already been clicked
Prevent specifying the color of links that have not yet been clicked
Prevent specifying the hover color
Turn on the hover color option
Turn off sending URL path as UTF-8
Disable adding channels
Disable adding schedules for offline pages
Disable all scheduled offline pages
Disable channel user interface completely
Disable downloading of site subscription content
Disable editing and creating of schedule groups
Disable editing schedules for offline pages
Disable offline page hit logging
Disable removing channels
Disable removing schedules for offline pages
Subscription Limits
File size limits for Internet zone
File size limits for Intranet zone
File size limits for Local Machine zone
File size limits for Restricted Sites zone
File size limits for Trusted Sites zone
Establish InPrivate Filtering threshold
Establish Tracking Protection threshold
Prevent the computer from loading toolbars and Browser Helper Objects when InPrivate Browsing starts
Turn off collection of InPrivate Filtering data
Turn off InPrivate Browsing
Turn off InPrivate Filtering
Turn off Tracking Protection
Do not display the reveal password button
Turn off Data URI support
Add-on List
All Processes
Deny all add-ons unless specifically allowed in the Add-on List
Process List
Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantia
Allow native XMLHTTP support
Change the maximum number of connections per host (HTTP 1.1)
Maximum number of connections per server (HTTP 1.0)
Set the maximum number of WebSocket connections per server
Turn off cross-document messaging
Turn off the WebSocket Object
Turn off the XDomainRequest object
Admin-approved behaviors
All Processes
Install binaries signed by MD2 and MD4 signing technologies
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
Internet Zone Restricted Protocols
Intranet Zone Restricted Protocols
Local Machine Zone Restricted Protocols
Restricted Sites Zone Restricted Protocols
Trusted Sites Zone Restricted Protocols
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
All Processes
Internet Explorer Processes
Process List
Configure Toolbar Buttons
Customize command labels
Disable customizing browser toolbar buttons
Disable customizing browser toolbars
Display tabs on a separate row
Hide the Command bar
Hide the status bar
Lock all toolbars
Lock location of Stop and Refresh buttons
Turn off Developer Tools
Turn off toolbar upgrade tool
Use large icons for command buttons
MSFT IE 11

Enabled

Enabled



Disabled
Not Defined


Registry Information
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!AddPolicySearchProvi
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!ShutdownWaitForOnUnload
HKCU\Software\Policies\Microsoft\Internet Explorer!AllowServicePoweredQSA
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!IgnoreFrameApprovalCheck
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!No_LaunchMediaBar, HKCU\Softwa
HKCU\Software\Microsoft\Outlook Express!BlockExeAttachments
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!Version
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Use FormSuggest, HKCU\Software\Policie
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableAutoProxyRes
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Accessibility
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Advanced
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Autoconfig
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!CalendarContact
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Certificates
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Colors
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Connection Settings
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Check_If_Default
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Fonts
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!HomePage, HKCU\Software\Polici
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Languages
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!links
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Messaging
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Profiles
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Ratings
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\SecondaryStartPages
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Cache
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExternalBranding
HKCU\Software\Policies\Microsoft\Internet Explorer!DisableImportExportFavorites
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Connwiz Admin Lock
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ResetWebSettings
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!DisplayScriptDownloa
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExtensionManagement
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!AlwaysShowMenus, HKCU\Software\Policie
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Identities!Locked Down
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Check_Associations
HKCU\Software\Policies\Microsoft\Internet Explorer\New Windows!ListBox_Support_Allow, HKCU\S
HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbar\WebBrowser!ITBar7Position
HKCU\Software\Policies\Microsoft\Internet Explorer\Security!DisableFixSecuritySettings
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpMenu
HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!PreventOverride
HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!PreventOverrideAppRepUnknow
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!DisablePopupFilterLevel
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Proxy
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoChangeDefaultSea
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!AllowWindowReuse
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!OpenInForeground
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoSearchBox
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!RestrictPopupExceptionList
HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!EnabledV9
HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\SQM!DisableCustomerImprovementProgram
HKCU\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX!BlockNonAdminActiveXInstall
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!DisableFirstRunCustomize
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!UsePolicySearchProvi
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoFindFiles
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoSearchCustomizati
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!TabProcGrowth
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!NewTabPageShow
HKCU\Software\Policies\Microsoft\Windows\AxInstaller!OnlyUseAXISForActiveXInstall
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!DisableAddSiteMode
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!NoFirsttimeprompt
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!DisableAddonLoadTimePerformance
HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery!AutoRecover
HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation!PolicyDisableGeolocation
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!PopupsUseNewWindow
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoCrashDetection
HKCU\Software\Policies\Microsoft\Internet Explorer\LinksBar!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!EnabledV8
HKCU\Software\Policies\Microsoft\Internet Explorer\ZOOM!ZoomDisabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoPopupManagement
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!QuickTabsThreshold
HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery!NoReopenLastSession
HKCU\Software\Policies\Microsoft\Internet Explorer\SearchScopes!ShowSearchSuggestionsGlobal
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!Groups
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!Enabled
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete!AutoSuggest
HKCU\Software\Policies\Microsoft\Internet Explorer\SearchScopes!DisplayQuickPick
HKCU\Software\Policies\Microsoft\Internet Explorer\Security!DisableSecuritySettingsCheck
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\ActiveXFiltering!IsEnabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Compat_
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!AlwaysShowMenus
HKCU\Software\Policies\Microsoft\Internet Explorer\Suggested Sites!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!FormSuggest Passwords, HKCU\Software\P
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!DialupAutodetect
HKCU\Software\Policies\Microsoft\Internet Explorer\GPActivities\ActivitiesDefaultInstall
HKCU\Software\Policies\Microsoft\Internet Explorer\GPActivities\ActivitiesInstall
HKCU\Software\Policies\Microsoft\Internet Explorer\Activities\Restrictions!UsePolicyActivitiesOnly
HKCU\Software\Policies\Microsoft\Internet Explorer\Activities!NoActivities
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Script_
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Script_P
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_Featur
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoOpeninNewWnd
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoSelectDownloadDir
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoBrowserClose
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoFileNew
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoFileOpen
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoBrowserSaveWeb
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoBrowserSaveAs
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpItemNetscapeHelp
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpItemSendFeedback
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpItemTipOfTheDay
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpItemTutorial
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoFavorites
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoBrowserOptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoPrinting
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoBrowserContextMenu
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoTheaterMode
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoViewSource
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!MSCompatibilityMode
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!DisableSiteListEditing
HKCU\Software\Policies\Microsoft\Internet Explorer\CommandBar!ShowCompatibilityViewButton
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!AllSitesCompatibilityMode
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!IntranetCompatibilityMode
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\QuirksPolicyList
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!ClearBrowsingHistoryOnExit
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!History, HKCU\Software\Policie
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeleteBrowsingHistory
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanTrackingProtection
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanCookies
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanDownloadHistory
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!UseAllowList
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeleteForms
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanInPrivateBlocking
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeletePasswords
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanTIF
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanHistory
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Settings
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!AdvancedTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ConnectionsTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ContentTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!GeneralTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!PrivacyTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ProgramsTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!SecurityTab
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!PreventIgnoreCertErr
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnablePunyCode
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Protocols\Mailto!UT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMA
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoWebJITSetup
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoJITSetup
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableSPDY3_0
HKCU\Software\Policies\Microsoft\Internet Explorer\Download!RunInvalidSignatures
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Enable Browser Extensions
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!DoNotTrack
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoUpdateCheck
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!CertificateRevocation
HKCU\Software\Policies\Microsoft\Internet Explorer\Download!CheckExeSignatures
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!DisableEPMCompat
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableRIED
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!DisableCachingOfSSL
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache!Persistent
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Play_Animations
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Play_Background_Sounds
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Display Inline Videos
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!UseClearType
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!SecureProtocols
HKCU\Software\Policies\Microsoft\Internet Explorer\PrefetchPrerender!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Security\P3Global!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!UTF8URLQuery
HKCU\Software\Policies\Microsoft\Internet Explorer\FlipAhead!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Isolation64Bit
HKCU\Software\Policies\Microsoft\Internet Explorer\CaretBrowsing!EnableOnStartup
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Isolation
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableHttp1_1
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ProxyHttp1.1
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!ShowContentAdvisor
HKCU\Software\Policies\Microsoft\Internet Explorer\ContinuousBrowsing!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!AllowWebsiteCache
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!AllowWebsiteData
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!MaxTrustedDomai
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!GarbageCollectionT
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage!DefaultDomainCacheLimitInM
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!MaxTrustedDomai
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!ManifestSingleRe
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!ManifestResource
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!TotalLimitInMB
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!TotalLimitInMB
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Template Policies!Int
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!IntranetN
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!UNCAsIntr
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!ProxyByPas
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Settings\Template Policies!Int
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Settings\Template
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Lockdown Settings\Template P
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Lockdown Settings\Template P
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Lockdown Settings
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Lockdown Settings\Tem
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Lockdown Settings\Templa
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Settings\Template Polic
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ListBox_Support_Zo
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Settings\Template Policie
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!AutoDetec
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!WarnOnBadCertRecv
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!WarnOnIntranet
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1406
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2300
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1400
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2000
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1407
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1802
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1803
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1604
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1800
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2400
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2402
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2401
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1608
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!120b
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!180E
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!180F
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1206
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2102
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1209
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2103
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!120A
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2104
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2105
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2201
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2200
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1609
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1A04
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!270C
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1001
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1004
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2709
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2708
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2100
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!160A
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1201
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1C00
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1804
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1A00
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1607
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!270B
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2004
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2001
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1200
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1405
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1402
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1806
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1E05
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1601
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2600
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1208
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1409
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2500
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2301
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1809
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1606
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2101
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1406
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2300
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1400
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2000
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1407
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1802
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1803
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1604
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1800
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2400
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2402
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2401
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1608
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!120b
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!180E
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!180F
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1206
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2102
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1209
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2103
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!120A
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2104
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2105
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2201
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2200
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1609
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1A04
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!270C
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1001
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1004
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2709
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2708
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2100
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!160A
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1201
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1C00
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1804
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1A00
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1607
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!270B
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2004
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2001
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1200
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1405
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1402
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1806
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1E05
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1601
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2600
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1208
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1409
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2500
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2301
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1809
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1606
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!2101
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1406
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2300
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1400
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2000
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1407
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1802
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1803
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1604
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1800
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2400
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2402
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2401
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1608
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!120b
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!180E
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!180F
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1206
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2102
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1209
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2103
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!120A
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2104
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2105
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2201
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2200
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1609
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1A04
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!270C
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1001
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1004
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2709
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2708
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2100
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!160A
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1201
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1C00
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1804
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1A00
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1607
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!270B
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2004
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2001
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1200
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1405
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1402
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1806
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1E05
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1601
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2600
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1208
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1409
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2500
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2301
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1809
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1606
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!2101
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1406
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2300
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1400
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2000
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1407
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1802
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1803
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1604
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1800
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2400
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2402
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2401
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1608
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!120b
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!180E
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!180F
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1206
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2102
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1209
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2103
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!120A
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2104
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2105
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2201
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2200
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1609
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1A04
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!270C
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1001
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1004
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2709
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2708
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2100
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!160A
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1201
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1C00
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1804
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1A00
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1607
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!270B
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2004
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2001
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1200
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1405
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1402
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1806
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1E05
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1601
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2600
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1208
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1409
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2500
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2301
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1809
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1606
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2101
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1406
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2300
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1400
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2000
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1407
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1802
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1803
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1604
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1800
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2400
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2402
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2401
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1608
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!120b
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!180E
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!180F
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1206
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2102
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1209
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2103
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!120A
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2104
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2105
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2201
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2200
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1609
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1A04
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!270C
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1001
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1004
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2709
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2708
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2100
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!160A
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1201
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1C00
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1804
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1A00
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1607
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!270B
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2004
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2001
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1200
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1405
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1402
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1806
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1E05
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1601
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2600
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1208
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1409
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2500
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2301
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1809
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1606
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!2101
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!ApplicationTileImmersiveActivation
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!AssociationActivationMode
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!GotoIntranetSiteForSingleWordEntry
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Anchor Underline
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Friendly http errors
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Page_Transitions
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FormatDetection!PhoneNumberEnabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!SmoothScroll
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Disable Script Debugger
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Error Dlg Displayed On Every Error
HKCU\Software\Policies\Microsoft\Internet Connection Wizard!DisableICW
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!EnableAlternativeCodec
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Show image placeholders
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Enable AutoImageResize
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Display Inline Images
HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer!SmartDithering
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Print_Background
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!AutoSearch
HKCU\Software\Policies\Microsoft\Internet Explorer\SearchScopes!TopResult
HKCU\Software\Policies\Microsoft\IEAK!NoAutomaticSignup
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete!Use AutoCo
HKCU\Software\Policies\Microsoft\Internet Explorer\DomainSuggestion!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\WindowsSearch!EnabledScopes
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete!Append Com
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoDefaultTextSize, HKCU\Software\
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Background Color
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Text Color
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Use_DlgBox_Colors
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Anchor Color Visited
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Anchor Color
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Anchor Color Hover
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Use Anchor Hover Color
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!UrlEncoding
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoAddingChannels
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoAddingSubscription
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoScheduledUpdates
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoChannelUI
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoSubscriptionConte
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoEditingScheduleGr
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoEditingSubscription
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoChannelLogging
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoRemovingChannels
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoRemovingSubscript
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!MaxSubscriptionSize,
HKCU\Software\Policies\Microsoft\Internet Explorer\Persistence\3!DomainLimit, HKCU\Software\Pol
HKCU\Software\Policies\Microsoft\Internet Explorer\Persistence\1!DomainLimit, HKCU\Software\Pol
HKCU\Software\Policies\Microsoft\Internet Explorer\Persistence\0!DomainLimit, HKCU\Software\Pol
HKCU\Software\Policies\Microsoft\Internet Explorer\Persistence\4!DomainLimit, HKCU\Software\Pol
HKCU\Software\Policies\Microsoft\Internet Explorer\Persistence\2!DomainLimit, HKCU\Software\Pol
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!Threshold
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!TrackingProtectionThreshold
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableToolbars
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableLogging
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!EnableInPrivateBrowsing
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableInPrivateBlocking
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableTrackingProtection
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!DisablePasswordReveal
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATAURI!iexpl
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!ListBox_Support_CLSID, HKCU\Soft
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MA
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!RestrictToList
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_F
HKCU\Software\Policies\Microsoft\Internet Explorer!DisableFlashInIE
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!XMLHTTP
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOC
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET!ie
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XDOMAINREQU
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ListBox_Support_All
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS!*
HKCU\Software\Policies\Microsoft\Internet Explorer\Security!ENABLE_MD2_MD4
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS!(Re
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEAT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDL
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLIN
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEA
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMAC
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHI
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_F
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFI
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEAT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FE
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_L
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_F
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAN
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND!
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEAT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACH
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHI
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEAT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVAT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATI
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEAT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTI
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEAT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_F
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FI
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEA
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RES
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_REST
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FE
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!SpecifyDefaultButtons, HKCU\
HKCU\Software\Policies\Microsoft\Internet Explorer\CommandBar!TextOption
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoToolbarCustomize
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoBandCustomize
HKCU\Software\Policies\Microsoft\Internet Explorer\MINIE!ShowTabsBelowAddressBar
HKCU\Software\Policies\Microsoft\Internet Explorer\CommandBar!CommandBarEnabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!StatusBarWeb
HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbar!Locked
HKCU\Software\Policies\Microsoft\Internet Explorer\CommandBar!ShowLeftAddressToolbar
HKCU\Software\Policies\Microsoft\Internet Explorer\IEDevTools!Disabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions!DisableToolbarUpgrader
HKCU\Software\Policies\Microsoft\Internet Explorer\CommandBar!SmallIcons
Supported On
At least Internet Explorer 7.0
At least Internet Explorer 9.0
At least Internet Explorer 11.0
At least Internet Explorer 9.0
Only Internet Explorer 6.0
Only Internet Explorer 6.0
At least Internet Explorer 7.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0. Not supported on Windows Vista
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
Only Internet Explorer 5.0 through Internet Explorer 9.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0. Not supported on Windows Vista
Only Internet Explorer 5.0 and Internet Explorer 6.0
At least Internet Explorer 5.0
At least Internet Explorer 8.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
At least Internet Explorer 5.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
Only Internet Explorer 7.0 and Internet Explorer 8.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 9.0
At least Internet Explorer 7.0
At least Internet Explorer 5.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
Only Internet Explorer 7.0 and Internet Explorer 8.0
At least Internet Explorer 7.0
At least Internet Explorer 9.0
Only Internet Explorer 7.0
At least Internet Explorer 7.0. Not supported on Windows Vista
At least Internet Explorer 8.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 9.0
At least Internet Explorer 8.0
At least Internet Explorer 9.0
At least Internet Explorer 8.0
At least Internet Explorer 9.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 8.0
Only Internet Explorer 8.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
Internet Explorer 7.0 to Internet Explorer 10.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
Internet Explorer 7.0 to Internet Explorer 10.0
At least Internet Explorer 5.0
Only Internet Explorer 8.0
At least Internet Explorer 7.0
At least Internet Explorer 9.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
At least Internet Explorer 5.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
At least Internet Explorer 7.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
Internet Explorer 8.0 to Internet Explorer 10.0
Internet Explorer 8.0 to Internet Explorer 10.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 5.0
At least Internet Explorer 7.0
At least Internet Explorer 9.0
At least Internet Explorer 8.0
At least Internet Explorer 9.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0
Only Internet Explorer 8.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
Only Internet Explorer 5.0 through Internet Explorer 7.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
Only Internet Explorer 6.0 in Windows 2003 Service Pack 1
Only Internet Explorer 6.0 in Windows 2003 Service Pack 1
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows 2003 Service Pack 1
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows 2003 Service Pack 1. Not supported on Windows Vista
At least Internet Explorer 6.0 in Windows 2003 Service Pack 1
At least Internet Explorer 6.0 in Windows 2003 Service Pack 1
At least Internet Explorer 10.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows 2003 Service Pack 1
At least Internet Explorer 6.0 in Windows 2003 Service Pack 1
At least Internet Explorer 6.0 in Windows 2003 Service Pack 1
At least Internet Explorer 6.0 in Windows 2003 Service Pack 1
Only Internet Explorer 6.0 in Windows 2003 Service Pack 1
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 11.0
Only Internet Explorer 6.0 in Windows 2003 Service Pack 1
At least Internet Explorer 11.0
At least Internet Explorer 10.0 on Windows 8
At least Internet Explorer 11.0
At least Internet Explorer 8.0
At least Internet Explorer 10.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vista
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vista
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vista
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vista
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vista
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vista
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vista
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vista
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vista
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 8.0
At least Windows Server 2008 R2 or Windows 7
At least Windows Server 2008 R2 or Windows 7
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 11.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 10.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0 in Windows Vista
At least Internet Explorer 7.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 10.0 on Windows 8
At least Internet Explorer 10.0 on Windows 8
At least Internet Explorer 9.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
Only Internet Explorer 5.0 through Internet Explorer 8.0
At least Internet Explorer 11.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0. Not supported on Windows Vista
At least Internet Explorer 9.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 9.0
At least Internet Explorer 7.0
Only Internet Explorer 4.0
At least Internet Explorer 10.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
At least Internet Explorer 7.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
Only Internet Explorer 8.0
At least Internet Explorer 9.0
At least Internet Explorer 8.0
Only Internet Explorer 8.0
At least Internet Explorer 8.0
Only Internet Explorer 8.0
At least Internet Explorer 9.0
At least Internet Explorer 10.0
At least Internet Explorer 8.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 10.0 on Windows 8
At least Internet Explorer 7.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 10.0
At least Internet Explorer 8.0
At least Internet Explorer 10.0
At least Internet Explorer 8.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 9.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
Only Internet Explorer 5.0 and Internet Explorer 6.0
At least Internet Explorer 8.0
At least Internet Explorer 5.0
At least Internet Explorer 5.0
At least Internet Explorer 9.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 8.0
At least Internet Explorer 7.0
Internet Explorer 8.0 to Internet Explorer 10.0
Help Text
This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, se
This policy setting allows you to revert to the Internet Explorer 8 behavior of allowing OnUnLoad script handlers to display UI d
This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide e
This policy setting allows you to configure whether newly installed add-ons are automatically activated in the Internet Explore
Allows Administrators to enable and disable the Media Explorer Bar and set the auto-play default. The Media Explorer Bar play
Allows Administrators to enable and disable the ability for Outlook Express users to save or open attachments that can potenti
This policy setting allows you to customize the Internet Explorer version string as reported to web servers in the HTTP User Ag
This AutoComplete feature suggests possible matches when users are filling up forms. If you enable this setting, the user is not
Prevents automatic proxy scripts, which interact with a server to automatically configure users' proxy settings, from being stor
If you enable this policy, the user cannot modify the Accessibility options. All options in the "Accessibility" window on the Gen
Prevents users from changing settings on the Advanced tab in the Internet Options dialog box. If you enable this policy, users a
This setting specifies to automatically detect the proxy server settings used to connect to the Internet and customize Internet
Prevents users from changing the default programs for managing schedules and contacts. If you enable this policy, the Calenda
Prevents users from changing certificate settings in Internet Explorer. Certificates are used to verify the identity of software pu
Prevents users from changing the default Web page colors. If you enable this policy, the color settings for Web pages appear d
Prevents users from changing dial-up settings. If you enable this policy, the Settings button on the Connections tab in the Intern
Prevents Microsoft Internet Explorer from checking to see whether it is the default browser. If you enable this policy, the Inter
Prevents users from changing font settings. If you enable this policy, users will not be able to change font settings for viewing W
The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer
Prevents users from changing language preference settings. If you enable this policy, users will not be able to set language pref
Prevents users from changing the colors of links on Web pages. If you enable this policy, the color settings for links appear dim
Prevents users from changing the default programs for messaging tasks. If you enable this policy, the E-mail, Newsgroups, and
Prevents users from changing Profile Assistant settings. If you enable this policy, the My Profile button appears dimmed in the
Prevents users from changing ratings that help control the type of Internet content that can be viewed. If you enable this polic
Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page wheneve
Prevents users from changing the browser cache settings, such as the location and amount of disk space to use for the Tempo
Prevents branding of Internet programs, such as customization of Internet Explorer and Outlook Express logos and title bars, b
This policy setting disables the Import/Export Settings wizard. This wizard allows you to import settings from another browse
Prevents users from running the Internet Connection Wizard. If you enable this policy, the Setup button on the Connections ta
Prevents users from restoring default settings for home and search pages. If you enable this policy, the Reset Web Settings butt
Specifies that error messages will be displayed to users if problems occur with proxy scripts. If you enable this policy, error mes
This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Add-On Manager. If y
This policy setting allows you to enforce full-screen mode, which disables the navigation bar, the menu bar, and the Command
Prevents users from configuring unique identities by using Identity Manager. Identity Manager enables users to create multiple
This policy setting allows you to choose whether users will be notified if Internet Explorer is not the default web browser. If you
This policy setting allows you to specify a list of web sites that will be allowed to open pop-up windows regardless of the Intern
This policy setting positions the menu bar above the navigation bar. The navigation bar contains icons for a variety of features
This policy setting prevents the user from using the "Fix settings" functionality related to Security Settings Check. If you enable
This policy setting prevents the user from accessing Help in Internet Explorer. If you enable this policy setting, the following occ
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the us
This policy setting prevents the user from changing the level of pop-up filtering. The available levels are as follows: High: Bloc
This policy setting specifies if a user can change proxy settings. If you enable this policy setting, the user will not be able to confi
This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box
This policy setting allows you to configure how windows open in Internet Explorer when the user clicks links from other applic
This policy setting allows you to configure how new tabs are created by default in Internet Explorer. If you enable this policy se
This policy setting prevents the Search box from appearing in Internet Explorer. When the Search box is available, it includes a
You can allow pop-ups from specific websites by adding the sites to the exception list. If you enable this policy setting, the user
This policy setting prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is kn
This policy setting prevents the user from managing a filter that warns the user if the website being visited is known for fraudu
This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP). If you enable
This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. If you enable this policy setting
This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after in
This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those define
Disables using the F3 key to search in Internet Explorer and File Explorer. If you enable this policy, the search functionality of th
Makes the Customize button in the Search Assistant appear dimmed. The Search Assistant is a tool that appears in the Search b
This policy setting allows you to set the rate at which Internet Explorer creates new tab processes. There are two algorithms th
This policy setting allows you to specify what is displayed when the user opens a new tab. If you enable this policy setting, you
This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy setting, ActiveX controls are
This policy setting allows you to manage whether users can pin sites to locations where pinning is allowed, such as the taskbar
This policy setting allows you to turn off the ActiveX Opt-In prompt. ActiveX Opt-In prevents websites from loading any ActiveX
This policy setting prevents Internet Explorer from displaying a notification when the average time to load all the user's enable
This policy setting turns off Automatic Crash Recovery. If you enable this policy setting, Automatic Crash Recovery does not pro
This policy setting allows you to disable browser geolocation support. This will prevent websites from requesting location data
This policy setting allows you to define the user experience related to how pop-up windows appear in tabbed browsing in Inte
This policy setting allows you to manage the crash detection feature of add-on Management. If you enable this policy setting, a
This policy setting allows you to manage whether a user has access to the Favorites bar in Internet Explorer. If you enable this p
This policy setting allows the user to enable the SmartScreen Filter, which warns the user if the website being visited is known
This policy setting prevents the user from zooming in to or out of a page to better see the content. If you enable this policy setti
This policy setting allows you to manage pop-up management functionality in Internet Explorer. If you enable this policy setting
This policy setting allows you to turn off the Quick Tabs functionality in Internet Explorer. If you enable this policy setting, the e
This policy setting allows you to manage whether a user has access to the Reopen Last Browsing Session feature in Internet Ex
This policy setting allows you to turn off suggestions for all user-installed search providers. If you enable this policy setting, the
This policy setting allows you to manage whether the user has access to Tab Grouping in Internet Explorer. If you enable this p
This policy setting allows you to turn off tabbed browsing and related entry points from the Internet Explorer user interface. S
This AutoComplete feature suggests possible matches when users are entering Web addresses in the browser address bar. If y
This policy setting allows you to prevent the quick pick menu from appearing when a user clicks in the Search box. If you enabl
This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine w
This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to
This policy setting logs information that is blocked by new features in Internet Explorer. The logged compatibility information i
This policy setting allows you to turn on or turn off the earlier menus (for example, File, Edit, and View) in Internet Explorer. If y
This policy setting controls the Suggested Sites feature, which recommends websites based on the user’s browsing activity
This AutoComplete feature can remember and suggest User names and passwords on Forms. If you enable this setting, the use
Specifies that Automatic Detection will be used to configure dial-up settings for users. Automatic Detection uses a DHCP (Dyna
This policy setting allows you to add default Accelerators. If you enable this policy setting, the specified Accelerators are added
This policy setting allows you to add non-default Accelerators. If you enable this policy setting, the specified Accelerators are a
This policy setting restricts the list of Accelerators that the user can access to only the set deployed through Group Policy. If yo
This policy setting allows you to manage whether users can access Accelerators. If you enable this policy setting, users cannot a
Designates the Audio/Video Player ActiveX control as administrator-approved. This control is used for playing sounds, videos, a
Designates the Microsoft Network (MSN) Carpoint automatic pricing control as administrator-approved. This control enables e
This ActiveX control enables users to edit HTML text and see a faithful rendition of how the text would look in the browser. Th
Designates a set of Microsoft Network (MSN) Investor controls as administrator-approved. These controls enable users to view
Designates a set of Microsoft ActiveX controls used to manipulate pop-up menus in the browser as administrator-approved. If
Designates the Microsoft Agent ActiveX control as administrator-approved. Microsoft Agent is a set of software services that su
Designates the Microsoft Chat ActiveX control as administrator-approved. This control is used by Web authors to build text-bas
Designates Microsoft Scriptlet Component as an administrator approved control. It is an Active X control which is used to rend
Designates Microsoft Survey Control as an administrator approved control. If you enable this policy, this control can be run in s
Designates a set of MSNBC controls as administrator-approved. These controls enable enhanced browsing of news reports on
Designates NetShow File Transfer Control as an administrator approved control. If you enable this policy, this control can be ru
Designates Shockwave flash as an administrator approved control. If you enable this policy, this control can be run in security z
This policy setting allows you to bypass prompting when a script that is running in any process on the computer attempts to pe
This policy setting allows you to bypass prompting when a script that is running in the Internet Explorer process attempts to pe
This policy setting allows you to define applications and processes that can access the Clipboard without prompting the user. N
Prevents using the shortcut menu to open a link in a new browser window. If you enable this policy, users cannot point to a lin
Prevents users from saving a program or file that Microsoft Internet Explorer has downloaded to the hard disk. If you enable th
Prevents users from closing Microsoft Internet Explorer and File Explorer. If you enable this policy, the Close command on the
Prevents users from opening a new browser window from the File menu. If this policy is enabled, users cannot open a new bro
Prevents users from opening a file or Web page from the File menu in Internet Explorer. If you enable this policy, the Open dia
Prevents users from saving the complete contents that are displayed on or run from a Web page, including the graphics, script
Prevents users from saving Web pages from the browser File menu to their hard disk or to a network share. If you enable this p
Prevents users from displaying tips for users who are switching from Netscape. If you enable this policy, the For Netscape User
Prevents users from sending feedback to Microsoft by clicking the Send Feedback command on the Help menu. If you enable t
Prevents users from viewing or changing the Tip of the Day interface in Microsoft Internet Explorer. If you enable this policy, th
Prevents users from running the Internet Explorer Tour from the Help menu in Internet Explorer. If you enable this policy, the T
Prevents users from adding, removing, editing or viewing the list of Favorite links. The Favorites list is a way to store popular lin
Prevents users from opening the Internet Options dialog box from the Tools menu in Microsoft Internet Explorer. If you enable
This policy setting allows you to manage whether users can access the Print menu. Starting with Windows 8, this policy setting
This policy setting prevents the shortcut menu from appearing when a user right-clicks a webpage while using Internet Explore
Prevents users from displaying the browser in full-screen (kiosk) mode, without the standard toolbar. If you enable this policy,
Prevents users from viewing the HTML source of Web pages by clicking the Source command on the View menu. If you enable
This policy controls the website compatibility lists that Microsoft provides. The updated website lists are available on Window
This policy setting controls the Compatibility View feature, which allows the user to fix website display problems that he or she
This policy setting controls the Compatibility View button that appears on the Command bar. This button allows the user to fix
This policy setting allows you to turn on Internet Explorer 7 Standards Mode. Compatibility View determines how Internet Exp
This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage t
This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View. If you enable
Compatibility View determines how Internet Explorer identifies itself to a web server and determines whether content is rend
This policy setting allows the automatic deletion of specified items when the last browser window closes. The preferences sele
This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Tempor
This policy setting prevents the user from performing actions which will delete browsing history. For more information on brow
In Internet Explorer 9 and Internet Explorer 10: This policy setting prevents users from deleting ActiveX Filtering and Tracking P
This policy setting prevents the user from deleting cookies. This feature is available in the Delete Browsing History dialog box. I
This policy setting prevents the user from deleting his or her download history. This feature is available in the Delete Browsing
This policy setting prevents the user from deleting favorites site data. This feature is available in the Delete Browsing History d
This policy setting prevents the user from deleting form data. This feature is available in the Delete Browsing History dialog bo
This policy setting prevents the user from deleting InPrivate Filtering data. Internet Explorer collects InPrivate Filtering data du
This policy setting prevents users from deleting passwords. This feature is available in the Delete Browsing History dialog box. I
This policy setting prevents the user from deleting temporary Internet files. This feature is available in the Delete Browsing His
This policy setting prevents the user from deleting the history of websites that he or she has visited. This feature is available in
This policy setting is used to manage temporary Internet files and cookies associated with your Internet browsing history, avai
Removes the Advanced tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevented
Removes the Connections tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevent
If you enable this policy setting, users are prevented from seeing and changing ratings, certificates, AutoComplete, Wallet, and
Removes the General tab from the interface in the Internet Options dialog box. If you enable this policy, users are unable to se
Removes the Privacy tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevented fro
Removes the Programs tab from the interface in the Internet Options dialog box. If you enable this policy, users are prevented
Removes the Security tab from the interface in the Internet Options dialog box. If you enable this policy, it prevents users from
This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors th
This policy setting allows you to manage whether Internet Explorer converts Unicode domain names to internationalized dom
This policy setting allows you to manage whether Internet Explorer uses 8-bit Unicode Transformation Format (UTF-8) for mai
This policy setting allows you to manage whether users receive a dialog requesting permission for active content on a CD to ru
This policy setting allows you to manage whether users can download and install self-installing program files (non-Internet Exp
This policy setting allows you to manage whether users can automatically download and install Web components (such as fon
This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests
This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run
This policy setting allows you to manage whether Internet Explorer will launch COM add-ons known as browser helper objects
This policy setting allows you to configure how Internet Explorer sends the Do Not Track (DNT) header. If you enable this policy
This policy setting allows you to manage whether Internet Explorer checks the Internet for newer versions. When Internet Exp
This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certific
This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher
This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. Wh
This policy setting prevents the user from using the Reset Internet Explorer Settings feature. Reset Internet Explorer Settings a
This policy setting allows you to manage whether Internet Explorer will save encrypted pages that contain secure (HTTPS) info
This policy setting allows you to manage whether Internet Explorer deletes the contents of the Temporary Internet Files folder
This policy setting allows you to manage whether Internet Explorer will display animated pictures found in Web content. Gene
This policy setting allows you to manage whether Internet Explorer will play sounds found in web content. Generally only soun
This policy setting allows you to manage whether Internet Explorer will display videos found in Web content. Generally only em
This policy setting prevents the text on the screen from being rendered through the ClearType technology that enhances the r
This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (S
This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speedin
This policy setting specifies whether you will accept requests from Web sites for Profile Assistant information. If you enable thi
This policy setting determines whether Internet Explorer uses 8-bit Unicode Transformation Format (UTF-8) to encode query s
This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of
This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (fo
This policy setting allows you to turn Caret Browsing on or off. Caret Browsing allows users to browse to a webpage by using th
Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versio
This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1. If you enable this policy setting, Internet Exp
This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1 through proxy connections. If you enable thi
This policy setting shows the Content Advisor setting on the Content tab of the Internet Options dialog box. If you enable this p
This policy setting configures what Internet Explorer displays when a new browsing session is started. By default, Internet Expl
This policy setting allows websites to store file resources in application caches on client computers. If you enable this policy setti
This policy setting allows websites to store indexed database cache information on client computers. If you enable this policy s
This policy setting sets file storage limits for application caches of websites that have been allowed to exceed their storage lim
This policy setting sets the number of days an inactive application cache will exist before it is removed. If the application cache
This policy setting sets data storage limits for indexed database and application caches for individual websites. When you set t
This policy setting sets data storage limits for indexed databases of websites that have been allowed to exceed their storage li
This policy setting sets the maximum size for an individual resource file contained in a manifest file. The manifest file is used to
This policy setting sets the maximum number of resource entries that can be specified in a manifest file associated with an app
This policy setting sets the file storage limit for all combined application caches for a user. When you set this policy setting, you
This policy setting sets the data storage limit for all combined indexed databases for a user. When you set this policy setting, y
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local
This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. If you enable thi
This policy setting controls whether sites which bypass the proxy server are mapped into the local Intranet security zone. If you
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone nu
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for exa
This policy setting enables intranet mapping rules to be applied automatically if the computer belongs to a domain. If you enab
This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned o
This policy setting causes a Notification bar notification to appear when intranet content is loaded and the intranet mapping ru
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Intranet Zone can r
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate in
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Intranet Zone can r
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate in
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Intranet Zone can r
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Trusted Sites Zone
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Intranet Zone can r
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted, ClickO
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this p
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed. If you enable this policy setting, scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting,
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone. If you enable this policy setting,
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the fol
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate in
This policy setting configures Internet Explorer to open Internet Explorer tiles on the desktop. If you enable this policy setting, I
This policy setting allows you to choose how links are opened in Internet Explorer: Let Internet Explorer decide, always in Inter
This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar. If you enable this policy se
This policy setting specifies how you want links on webpages to be underlined. If you enable this policy setting, a user cannot c
This policy setting specifies whether, when there is a problem connecting with an Internet server, to provide a detailed descrip
This policy setting specifies if, as you move from one Web page to another, Internet Explorer fades out of the page you are lea
This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invok
This policy setting specifies whether smooth scrolling is used to display content at a predefined speed. If you enable this policy
This policy setting allows you to turn on your script debugger, if one is installed. Website developers use script debuggers to te
This policy setting specifies whether to display script errors when a page does not appear properly because of problems with i
This policy setting determines whether the Internet Connection Wizard was completed. If the Internet Connection Wizard was
This policy setting specifies whether Internet Explorer plays media files that use alternative codecs and that require additional
This policy setting specifies whether placeholders appear for graphical images while the images are downloading. This allows i
This policy setting specifies that you want Internet Explorer to automatically resize large images so that they fit in the browser
This policy setting specifies whether graphical images are included when pages are displayed. Sometimes, pages that contain s
This policy setting specifies whether you want Internet Explorer to smooth images so that they appear less jagged when displa
This policy setting specifies whether Internet Explorer prints background colors and images when the user prints a webpage. In
This policy setting specifies whether the user can conduct a search on the Address bar. If you enable this policy setting, you mu
This policy setting allows you to specify whether a user can browse to the website of a top result when search is enabled on th
This policy setting allows Internet Explorer to be started automatically to complete the signup process after the branding is co
This policy setting lets you turn off Inline AutoComplete in File Explorer. Inline AutoComplete provides suggestions for what you
This policy setting turns off URL Suggestions. URL Suggestions allow users to autocomplete URLs in the address bar based on c
This policy setting allows you to prevent Windows Search AutoComplete from providing results in the Internet Explorer Addre
This policy setting allows you to turn on inline AutoComplete in Internet Explorer and File Explorer. The AutoComplete feature
This policy setting prevents the user from choosing the default text size in Internet Explorer. If you enable this policy setting, th
This policy setting prevents the user from specifying the background color in Internet Explorer. If you enable this policy setting,
This policy setting prevents the user from specifying the text color in Internet Explorer. If you enable this policy setting, the use
This policy setting prevents the user from using Windows colors as a part of the display settings. If you enable this policy settin
This policy setting prevents the user from specifying the color of webpage links that he or she has already clicked. Appropriate
This policy setting prevents the user from specifying the color of webpage links that he or she has not yet clicked. Appropriate
This policy setting prevents the user from specifying the color to which hyperlinks change when the mouse pointer pauses on
This policy setting makes hyperlinks change color when the mouse pointer pauses on them. If you enable this policy setting, th
This policy setting specifies whether to use 8-bit Unicode Transformation Format (UTF-8), a standard that defines characters s
Prevents users from adding channels to Internet Explorer. Channels are Web sites that are updated automatically on your com
Prevents users from specifying that Web pages can be downloaded for viewing offline. When users make Web pages available
Disables existing schedules for downloading Web pages for offline viewing. When users make Web pages available for offline v
Prevents users from viewing the Channel bar interface. Channels are Web sites that are automatically updated on their compu
Prevents content from being downloaded from Web sites that users have subscribed to. When users make Web pages availabl
Prevents users from adding, editing, or removing schedules for offline viewing of Web pages and groups of Web pages that us
Prevents users from editing an existing schedule for downloading Web pages for offline viewing. When users make Web pages
Prevents channel providers from recording information about when their channel pages are viewed by users who are working
Prevents users from disabling channel synchronization in Microsoft Internet Explorer. Channels are Web sites that are automati
Prevents users from clearing the preconfigured settings for Web pages to be downloaded for offline viewing. When users make
Restricts the amount of information downloaded for offline viewing. If you enable this policy, you can set limits to the size and
Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Internet security zone. I
Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Local Intranet security
Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Local Computer securit
Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Restricted Sites security
Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Trusted Sites security z
This policy setting allows you to establish the threshold for InPrivate Filtering Automatic mode. The threshold sets the number
This policy setting allows you to establish the threshold for Tracking Protection Automatic mode. The threshold sets the numbe
This policy setting allows you to choose whether or not toolbars and Browser Helper Objects (BHOs) are loaded by default dur
This policy setting allows you to turn off the collection of data used by the InPrivate Filtering Automatic mode. The data consist
This policy setting allows you to turn off the InPrivate Browsing feature. InPrivate Browsing prevents Internet Explorer from sto
This policy setting allows you to turn off InPrivate Filtering. InPrivate Filtering helps users control whether third parties can aut
This policy setting allows you to turn off Tracking Protection. Tracking Protection helps users control whether third parties can
This policy setting allows you to hide the reveal password button when Internet Explorer prompts users for a password. The re
This policy setting allows you to turn on or turn off Data URI support. A Data URI allows web developers to encapsulate images
This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are
This policy setting allows you to manage whether processes respect add-on management user preferences (as reflected by Ad
This policy setting allows you to ensure that any Internet Explorer add-ons not listed in the 'Add-on List' policy setting are deni
This policy setting allows you to manage whether the listed processes respect add-on management user preferences (as enter
This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology
This policy setting allows the user to run natively implemented, scriptable XMLHTTP. If you enable this policy setting, the user c
This policy setting allows you to change the default connection limit for HTTP 1.1 from 6 connections per host to a limit of you
This policy setting allows you to change the default connection limit for HTTP 1.0 from 6 connections per host to a limit of you
This policy setting allows you to change the default limit of WebSocket connections per server. The default limit is 6; you can s
This policy setting allows you to manage whether documents can request data across third-party domains embedded in the pa
The WebSocket object allows websites to request data across domains from your browser by using the WebSocket protocol. T
This policy setting allows you to choose whether websites can request data across domains by using the XDomainRequest obje
For each zone, the Binary and Scripted Behavior security restrictions may be configured to allow only a list of admin-approved
Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elemen
This policy setting allows you to manage whether Internet Explorer 9 can install ActiveX controls and other binaries signed wit
Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elemen
Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elemen
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files rece
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files rece
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files rece
Internet Explorer places zone restrictions on each Web page it opens, which are dependent upon the location of the Web pag
Internet Explorer places zone restrictions on each Web page it opens, which are dependent upon the location of the Web pag
Internet Explorer places zone restrictions on each Web page it opens, which are dependent upon the location of the Web pag
This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more d
This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more d
This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more d
The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources host
The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources host
The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources host
Internet Explorer may be configured to prevent active content obtained through restricted protocols from running in an unsaf
File Explorer and Internet Explorer may be configured to prevent active content obtained through restricted protocols from ru
Internet Explorer may be configured to prevent active content obtained through restricted protocols from running in an unsaf
For each zone, the Network Protocol Lockdown security restriction may be configured to prevent active content obtained thro
For each zone, the Network Protocol Lockdown security restriction may be configured to prevent active content obtained thro
For each zone, the Network Protocol Lockdown security restriction may be configured to prevent active content obtained thro
For each zone, the Network Protocol Lockdown security restriction may be configured to prevent active content obtained thro
For each zone, the Network Protocol Lockdown security restriction may be configured to prevent active content obtained thro
This policy setting allows you to manage whether the Notification bar is displayed for processes other than the Internet Explor
This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or
This policy setting allows you to manage whether the Notification bar is displayed for specific processes when file or code insta
This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or t
This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or t
This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or t
Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web
Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web
Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control inst
This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. If you enable this po
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control inst
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of file downloads that
This policy setting enables blocking of file download prompts that are not user initiated. If you enable this policy setting, file do
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of file downloads that
Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restr
Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restr
Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restr
Specifies which buttons will be displayed on the standard toolbar in Microsoft Internet Explorer. If you enable this policy, you c
This policy setting allows you to choose among three different labels for command buttons: show all text labels, show selective
Prevents users from determining which buttons appear on the Microsoft Internet Explorer and File Explorer standard toolbars
Prevents users from determining which toolbars are displayed in Microsoft Internet Explorer and File Explorer. If you enable th
This policy setting allows you to manage where tabs are displayed. If you enable this policy setting, tabs are displayed on a sep
This policy setting allows you to show or hide the Command bar. If you enable this policy setting, the Command bar is hidden a
This policy setting allows you to show or hide the status bar. If you enable this policy setting, the status bar is hidden and the u
This policy setting allows you to lock or unlock the toolbars on the user interface. If you enable this policy setting, the toolbars
This policy setting allows you to lock the Stop and Refresh buttons next to the Back and Forward buttons. If you enable this pol
This policy setting allows you to manage whether the user can access Developer Tools in Internet Explorer. If you enable this p
This policy setting allows you to turn off the toolbar upgrade tool. The toolbar upgrade tool determines whether incompatible
This policy setting allows you to increase the size of icons for command buttons. If you enable this policy setting, icons for comma
rch providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from
ipt handlers to display UI during shutdown. This policy setting may be needed to fix compatibility problems with particular web application
Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services. If you enable this p
ed in the Internet Explorer 9 browser. Any add-ons that were activated in a previous version of Internet Explorer are considered to be the
he Media Explorer Bar plays music and video content from the Internet. If you disable the Media explorer bar, users cannot display the Med
achments that can potentially contain a virus. If you check the block attachments setting, users will be unable to open or save attachments
ervers in the HTTP User Agent header. If you enable this policy setting, Internet Explorer sends the specified custom string in the version po
this setting, the user is not suggested matches when filling forms. The user cannot change it. If you disable this setting, the user is suggeste
y settings, from being stored in the users' cache. If you enable this policy, automatic proxy scripts will not be stored temporarily on the use
bility" window on the General Tab in the Internet Options dialog box appear dimmed. If you disable this policy or do not configure it, users
enable this policy, users are prevented from changing advanced Internet settings, such as security, multimedia, and printing. Users canno
et and customize Internet Explorer. This setting specifies that Internet Explorer use the configuration settings provided in a file by the syste
ble this policy, the Calendar and Contact combo boxes appear dimmed in the Internet Programs area. To display these options, users open
the identity of software publishers. If you enable this policy, the settings in the Certificates area on the Content tab in the Internet Options
s for Web pages appear dimmed. The settings are located in the Colors area in the dialog box that appears when the user clicks the Gener
nnections tab in the Internet Options dialog box appears dimmed. If you disable this policy or do not configure it, users can change their se
nable this policy, the Internet Explorer Should Check to See Whether It Is the Default Browser check box on the Programs tab in the Intern
font settings for viewing Web pages. All font settings visible after pressing the "Fonts" button on the General Tab in the Internet Options d
age that Internet Explorer loads whenever it is run. If you enable this policy setting, a user cannot set a custom default home page. You mu
e able to set language preferences to read websites. Language preference settings visible after pressing the "Languages" button on the Ge
ttings for links appear dimmed. The settings are located in the Links area of the dialog box that appears when users click the General tab a
e E-mail, Newsgroups, and Internet Call options in the Internet Programs area appear dimmed. To display these options, users open the Int
n appears dimmed in the Personal Information area on the Content tab in the Internet Options dialog box. If you disable this policy or do n
ed. If you enable this policy, the settings in the Content Advisor area on the Content tab in the Internet Options dialog box appear dimmed
m the home page whenever the browser is run. This policy setting allows you to set default secondary home pages. If you enable this policy
pace to use for the Temporary Internet Files folder. If you enable this policy, the browser cache settings appear dimmed. These settings are
ress logos and title bars, by another party. If you enable this policy, it prevents customization of the browser by another party, such as an I
ngs from another browser, import settings from a file, or export settings to a file. Importing settings from another browser allows the user
tton on the Connections tab in the Internet Options dialog box appears dimmed. Users will also be prevented from running the wizard by cl
he Reset Web Settings button on the Programs tab in the Internet Options dialog box appears dimmed. If you disable this policy or do not c
nable this policy, error messages will be displayed when the browser does not download or run a script to set proxy settings. If you disable
ough Add-On Manager. If you enable this policy setting, users cannot enable or disable add-ons through Add-On Manager. The only excep
nu bar, and the Command bar. Starting with Windows 8, this policy only applies to Internet Explorer on the desktop. The navigation bar in
es users to create multiple accounts, such as e-mail accounts, on the same computer. Each user has a unique identity, with a different pas
default web browser. If you enable this policy setting, users will be notified if Internet Explorer is not the default web browser. Users canno
ws regardless of the Internet Explorer process's Pop-Up Blocker settings. If you enable this policy setting, you can enter a list of sites which
ns for a variety of features, including browsing web pages, searching the web by using a selection of search tools, accessing and managing
ttings Check. If you enable this policy setting, the user cannot use the "Fix settings" functionality. If you disable or do not configure this poli
y setting, the following occur: • The Help menu on the menu bar is not functional. • Help is removed from the Command bar. •
tScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter
tScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. If you enab
are as follows: High: Block all pop-ups. Medium: Block most automatic pop-ups. Low: Allow pop-ups from secure sites. If you enable t
ser will not be able to configure proxy settings. If you disable or do not configure this policy setting, the user can configure proxy settings.
and the toolbar Search box. If you enable this policy setting, the user cannot change the default search provider. If you disable or do not con
cks links from other applications. If you enable this policy setting, the user cannot configure how windows open in Internet Explorer when h
If you enable this policy setting, the user cannot configure how new tabs are created by default. You must specify whether tabs should ope
ox is available, it includes all installed search providers and a link to search settings. If you enable this policy setting, the Search box does no
his policy setting, the user cannot add websites to or remove websites from the exception list. If you disable or do not configure this policy
website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. If
visited is known for fraudulent attempts to gather personal information through "phishing." If you enable this policy setting, the user is not
ogram (CEIP). If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does
u enable this policy setting, ActiveX controls cannot be installed on a per-user basis. If you disable or do not configure this policy setting, Ac
starts the browser after installing Internet Explorer or Windows. If you enable this policy setting, you must make one of the following choic
et Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Intern
e search functionality of the F3 key is disabled. Users cannot press F3 to search the Internet (from Internet Explorer) or to search the hard
hat appears in the Search bar to help users search the Internet. If you enable this policy, users cannot change their Search Assistant setting
here are two algorithms that Internet Explorer uses. The default algorithm has four settings: low, medium, high, or default. Low creates ve
ble this policy setting, you can choose which page to display when the user opens a new tab: blank page (about:blank), the first home page
etting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of Activ
owed, such as the taskbar, the desktop, or File Explorer. If you enable this policy setting, users cannot pin sites. If you disable or do not con
s from loading any ActiveX control without prior approval. If a website attempts to load an ActiveX control that Internet Explorer has not u
o load all the user's enabled add-ons exceeds the threshold. The notification informs the user that add-ons are slowing his or her browsing
ash Recovery does not prompt the user to recover his or her data after a program stops responding. If you disable or do not configure this
m requesting location data about the user. If you enable this policy setting, browser geolocation support is turned off. If you disable this pol
in tabbed browsing in Internet Explorer. If you enable this policy setting, the user cannot configure pop-up windows in tabbed browsing. Yo
enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, na
xplorer. If you enable this policy setting, the Favorites bar is turned off. If you disable this policy setting, the Favorites bar is turned on. If you
site being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. If you
you enable this policy setting, applications that host MSHTML do not respond to user input that causes the content to be re-rendered at a
u enable this policy setting, the Control Panel information relating to pop-up management will be unavailable (grayed out) and all other p
le this policy setting, the entry points to Quick Tabs are removed from the Internet Explorer user interface. If you disable or do not configu
sion feature in Internet Explorer. If you enable this policy setting, the user cannot use the Reopen Last Browsing Session feature. If you disa
ble this policy setting, the user cannot view suggestions for user-installed search providers. If you disable or do not configure this policy se
plorer. If you enable this policy setting, Tab Grouping is turned off. If you disable this policy setting, Tab Grouping is turned on. If you do not
Explorer user interface. Starting with Windows 8, this policy only applies to Internet Explorer on the desktop. If you enable this policy setti
e browser address bar. If you enable this policy setting, user will not be suggested matches when entering Web addresses. The user canno
he Search box. If you enable this policy setting, when a user clicks in the Search box, the quick pick menu does not appear until the user sta
rity settings to determine when the settings put Internet Explorer at risk. If you enable this policy setting, the feature is turned off. If you dis
ls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly. If you enable this policy
compatibility information is displayed in the Windows Event Viewer. If you enable this policy setting, the user can log information that is bl
ew) in Internet Explorer. If you enable this policy setting, the menu bar appears in Internet Explorer by default, and the user cannot turn it o
ser's browsing activity. Suggested Sites reports a user's browsing history to Microsoft to suggest sites that the user might want to v
enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete
ection uses a DHCP (Dynamic Host Configuration Protocol) or DNS server to customize the browser the first time it is started. If you enable
ed Accelerators are added to the user's browser. The user can append other Accelerators to this list, but the user cannot remove or chang
pecified Accelerators are added to the user's browser. The user can append other Accelerators to this list, but the user cannot remove or c
through Group Policy. If you enable this policy setting, the user can access only Accelerators that are deployed through Group Policy. The u
olicy setting, users cannot access Accelerators. If you disable or do not configure this policy setting, users can access Accelerators and instal
r playing sounds, videos, and other media. If you enable this policy, this control can be run in security zones in which you specify that adm
ved. This control enables enhanced pricing functionality on the Carpoint Web site, where users can shop for and obtain information about
uld look in the browser. There are two versions of the control: a more powerful version that cannot be invoked by a web site because it inc
ntrols enable users to view updated lists of stocks on their Web pages. If you enable this policy, these controls can be run in security zones
administrator-approved. If you enable this policy, these controls can be run in security zones in which you specify that administrator-appro
of software services that supports the presentation of software agents as interactive personalities within the Microsoft Windows interface
b authors to build text-based and graphical-based Chat communities for real-time conversations on the Web. If you enable this policy, this
ntrol which is used to render HTML pages. If you enable this policy, this control can be run in security zones in which you specify that admin
this control can be run in security zones in which you specify that administrator-approved controls can be run. If you disable this policy or d
wsing of news reports on the MSNBC Web site. If you enable this policy, these controls can be run in security zones in which you specify th
olicy, this control can be run in security zones in which you specify that administrator-approved controls can be run. If you disable this polic
rol can be run in security zones in which you specify that administrator-approved controls can be run. If you disable this policy or do not co
e computer attempts to perform a Clipboard operation (delete, copy, or paste). If you enable this policy setting, the user is not prompted w
rer process attempts to perform a Clipboard operation (delete, copy, or paste) and the URL action for the zone is set to prompt. If you ena
hout prompting the user. Note: Do not enter the Internet Explorer processes in this list. To enable or disable Internet Explorer processes, u
users cannot point to a link, click the right mouse button, and then click the Open in New Window command. If you disable this policy or d
e hard disk. If you enable this policy, users cannot save a program to disk by clicking the Save This Program to Disk command while attempti
e Close command on the File menu will appear dimmed. If you disable this policy or do not configure it, users are not prevented from closi
ers cannot open a new browser window by clicking the File menu, pointing to the New menu, and then clicking Window. The user interface
e this policy, the Open dialog box will not appear when users click the Open command on the File menu. If users click the Open command,
cluding the graphics, scripts, linked files, and other elements. It does not prevent users from saving the text of a Web page. If you enable th
k share. If you enable this policy, the Save As command on the File menu will be removed. If you disable this policy or do not configure it, u
icy, the For Netscape Users command is removed from the Help menu. If you disable this policy or do not configure it, users can display co
Help menu. If you enable this policy, the Send Feedback command is removed from the Help menu. If you disable this policy or do not confi
f you enable this policy, the Tip of the Day command is removed from the Help menu. If you disable this policy or do not configure it, users
ou enable this policy, the Tour command is removed from the Help menu. If you disable this policy or do not configure it, users can run the
s a way to store popular links for future use. If you enable this policy, the Favorites menu is removed from the interface, and the Favorites
net Explorer. If you enable this policy, users cannot change their Internet options, such as default home page, cache size, and connection a
ndows 8, this policy setting also allows you to manage whether users can access the Print flyout for Internet Explorer and any printers unde
while using Internet Explorer. Starting with Windows 8, this policy setting only applies to Internet Explorer on the desktop. If you enable this
r. If you enable this policy, the Full Screen command on the View menu will appear dimmed, and pressing F11 will not display the browser
View menu. If you enable this policy, the Source command on the View menu will appear dimmed. If you disable this policy or do not confi
s are available on Windows Update. If you enable this policy setting, the Microsoft-provided website lists are used during browser navigatio
ay problems that he or she may encounter while browsing. If you enable this policy setting, the user cannot use the Compatibility View butt
utton allows the user to fix website display problems that he or she may encounter while browsing. If you enable this policy setting, the use
ermines how Internet Explorer identifies itself to a web server and determines whether content is rendered in Internet Explorer 7 Standar
defined as any webpage that belongs to the local intranet security zone. If you enable this policy setting, Internet Explorer uses the curren
tibility View. If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that y
s whether content is rendered in Quirks Mode or the Standards Mode available in the latest version of Internet Explorer. If you enable this
oses. The preferences selected in the Delete Browsing History dialog box (such as deleting temporary Internet files, cookies, history, form
List. To access the Temporary Internet Files and History Settings dialog box, from the Menu bar, on the Tools menu, click Internet Options,
more information on browsing history Group Policy settings, see "Group Policies Settings in Internet Explorer 10" in the TechNet technica
eX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or T
owsing History dialog box. If you enable this policy setting, cookies are preserved when the user clicks Delete. If you disable this policy settin
ble in the Delete Browsing History dialog box. If you enable this policy setting, download history is preserved when the user clicks Delete. If
Delete Browsing History dialog box. If you enable this policy setting, favorites site data is preserved when the user clicks Delete. If you disab
Browsing History dialog box. If you enable this policy setting, form data is preserved when the user clicks Delete. If you disable this policy se
InPrivate Filtering data during browser sessions other than InPrivate Browsing sessions to determine which third-party items should be bl
owsing History dialog box. If you enable this policy setting, passwords are preserved when the user clicks Delete. If you disable this policy se
in the Delete Browsing History dialog box. If you enable this policy setting, temporary Internet files are preserved when the user clicks Dele
This feature is available in the Delete Browsing History dialog box. If you enable this policy setting, websites that the user has visited are p
net browsing history, available by clicking Tools, Internet Options, and then Delete Browsing History in Internet Explorer. If you enable this
olicy, users are prevented from seeing and changing advanced Internet settings, such as security, multimedia, and printing. If you disable t
s policy, users are prevented from seeing and changing connection and proxy settings. If you disable this policy or do not configure it, users
AutoComplete, Wallet, and Profile Assistant settings. If you disable this policy or do not configure it, users can see and change these setting
icy, users are unable to see and change settings for the home page, the cache, history, Web page appearance, and accessibility. If you disa
cy, users are prevented from seeing and changing default settings for privacy. If you disable this policy or do not configure it, users can see
olicy, users are prevented from seeing and changing default settings for Internet programs. If you disable this policy or do not configure it,
licy, it prevents users from seeing and changing settings for security zones, such as scripting, downloads, and user authentication. If you dis
SL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. If you ena
s to internationalized domain name (IDN) format (Punycode) before sending them to Domain Name System (DNS) servers or to proxy serve
on Format (UTF-8) for mailto links. If you enable this policy setting, Internet Explorer encodes mailto links in UTF-8. If you disable or do not
ctive content on a CD to run. If you enable this policy setting, active content on a CD will run without a prompt. If you disable this policy setti
ram files (non-Internet Explorer components) that are registered with Internet Explorer (such as Macromedia and Java) that are required i
components (such as fonts) that can be installed by Internet Explorer Active Setup. For example, if you open a Web page that requires Japan
works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.If you enable
ads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampere
as browser helper objects, such as toolbars. Browser helper objects may contain flaws such as buffer overruns which impact Internet Expl
er.If you enable this policy setting, Internet Explorer sends a DNT:1 header with all HTTP and HTTPS requests. The DNT:1 header signals to
rsions. When Internet Explorer is set to do this, the checks occur approximately every 30 days, and users are prompted to install new vers
ervers' certificates. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from
ch identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloadi
cted Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website a
nternet Explorer Settings allows the user to reset all settings changed since installation, delete browsing history, and disable add-ons that a
ontain secure (HTTPS) information such as passwords and credit card numbers to the Internet Explorer cache, which may be insecure.If yo
porary Internet Files folder after all browser windows are closed. This protects against storing dangerous files on the computer, or storing
und in Web content. Generally only animated GIF files are affected by this setting; active Web content such as java applets are not.If you e
ntent. Generally only sound files such as MIDI files are affected by this setting; active Web content such as java applets are not.If you enab
content. Generally only embedded video files are affected by this setting; active Web content such as java applets are not.If you enable th
nology that enhances the readability of text on LCD displays.If you enable this policy setting, applications that host MSHTML do not render
.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the brow
n the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view
ormation.If you enable this policy setting, Profile Assistant information will not be provided, and users will not be prompted to provide info
(UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.If you enable this policy setting, you must spec
e next pre-loaded page of a website.Microsoft collects your browsing history to improve how flip ahead with page prediction works. This fe
ty) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.Important: So
e to a webpage by using the keyboard to move the cursor. Caret Browsing supports standard text-editor functionality, such as using the Sh
processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations
policy setting, Internet Explorer uses HTTP 1.1.If you disable this policy setting, Internet Explorer does not use HTTP 1.1.If you do not confi
nnections.If you enable this policy setting, Internet Explorer uses HTTP 1.1 through proxy connections.If you disable this policy setting, Inte
og box.If you enable this policy setting, Internet Explorer displays the Content Advisor setting on the Content tab of the Internet Options d
d. By default, Internet Explorer displays the home page. In Internet Explorer 10, Internet Explorer can start a new browsing session with th
f you enable this policy setting, websites will be able to store application caches on client computers. Allow website database and caches o
.If you enable this policy setting, websites will be able to store an indexed database on client computers. Allow website database and cach
o exceed their storage limit. The “Set default storage limits for websites” policy setting sets the data storage limits for application cac
ed. If the application cache is used before the expiration time limit, it will not be automatically removed. When you set this policy setting, y
websites. When you set this policy setting, you provide the cache limit, in MB.If you enable this policy setting, Internet Explorer displays a
to exceed their storage limit. The “Set default storage limits for websites” policy setting sets the data storage limits for indexed data
The manifest file is used to create the application cache. If any file in the manifest exceeds the allowed size, Internet Explorer sends an err
file associated with an application cache. If the manifest associated with an application cache exceeds the number of resources allowed, i
u set this policy setting, you provide the storage limit in MB. When the limit is reached, Internet Explorer notifies the user, and the user mu
ou set this policy setting, you provide the storage limit in MB. When the limit is reached, Internet Explorer notifies the user, and the user m
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
e are forced into the local Intranet security zone.If you enable this policy setting, local sites which are not explicitly mapped into a zone ar
urity zone.If you enable this policy setting, all network paths are mapped into the Intranet Zone.If you disable this policy setting, network p
tranet security zone.If you enable this policy setting, sites which bypass the proxy server are mapped into the Intranet Zone.If you disable
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
curity zone. These zone numbers have associated security settings that apply to all of the sites in the zone.Internet Explorer has 4 security
cted security level, for example, Low, Medium Low, Medium, or High.If you enable this template policy setting and select a security level,
gs to a domain.If you enable this policy setting, automatic detection of the intranet is turned on, and intranet mapping rules are applied au
is policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different
nd the intranet mapping rules have not been configured. The Notification bar allows the user to enable intranet mappings, if they require
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
l in the Intranet Zone can run active content such as script, ActiveX, Java and Binary Behaviors. The list of restricted protocols may be set in
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains. If you enable this policy setting, users can open windows and frames from other domains and access applicati
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
ricted Sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
l in the Intranet Zone can run active content such as script, ActiveX, Java and Binary Behaviors. The list of restricted protocols may be set in
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains. If you enable this policy setting, users can open windows and frames from other domains and access applicati
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
ricted Sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
l in the Intranet Zone can run active content such as script, ActiveX, Java and Binary Behaviors. The list of restricted protocols may be set in
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains. If you enable this policy setting, users can open windows and frames from other domains and access applicati
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
net sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or na
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains. If you enable this policy setting, users can open windows and frames from other domains and access applicati
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
net sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or na
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains. If you enable this policy setting, users can open windows and frames from other domains and access applicati
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
net sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or na
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains. If you enable this policy setting, users can open windows and frames from other domains and access applicati
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
net sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or na
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains.If you enable this policy setting, users can open additional windows and frames from other domains and acce
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
net sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or na
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains. If you enable this policy setting, users can open windows and frames from other domains and access applicati
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
net sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or na
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
l in the Trusted Sites Zone can run active content such as script, ActiveX, Java and Binary Behaviors. The list of restricted protocols may be
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains.If you enable this policy setting, users can open additional windows and frames from other domains and acce
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
net sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or na
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting, users can load a page
l in the Intranet Zone can run active content such as script, ActiveX, Java and Binary Behaviors. The list of restricted protocols may be set in
le this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting, binary and script behaviors
mple, cut, copy, and paste) in a specified region.If you enable this policy setting, a script can perform a clipboard operation.If you select Pr
source within the zone.If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you sele
option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.If you enabl
u enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the d
ne. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically.If you sele
re browser-hosted, ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms, devices, and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting, the user is prompted before ActiveX con
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting, script access to the WebBrowser control is allowed.If you disable this policy setting, script access to the
ws that include the title and status bars.If you enable this policy setting, Windows Restrictions security will not apply in this zone. The secur
setting, the user can run scriptlets.If you disable this policy setting, the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting, script is allowed to update the status bar.If you disable or do not configure this policy setting, scrip
d zones. Video and animation playback through the object tag may still be allowed, because this involves external controls or media player
status bar or Address bar.If you enable this policy setting, websites can open new Internet Explorer windows that have no status bar or A
his policy setting, scripted windows are displayed.If you disable this policy setting, the user must choose to display any scripted windows b
ations.If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If
Regardless of this setting, users will receive file download dialogs for user-initiated downloads.If you enable this setting, users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting, Internet Explorer does not prompt users with a "Client Authentica
X controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalwar
a page in the zone.If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the dro
om the zone. Such code is potentially harmful, especially when coming from an untrusted zone.If you enable this policy setting, users can r
main when the source and destination are in different windows.If you enable this policy setting and click Enable, users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable, users can drag content fro
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance
y setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This se
g, you can choose options from the drop-down box. Custom, to control permissions settings individually.Low Safety enables applets to per
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting, users can run applications and down
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the
ons across different domains. If you enable this policy setting, users can open windows and frames from other domains and access applicati
enable this policy setting, you can control whether or not Internet Explorer renders legacy filters by selecting Enable, or Disable, under Op
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting, controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting, script interaction can occur automatically without user intervention.If you select Prom
ou enable this policy setting, scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).If y
ng, you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail,
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer, he or she may be prompted to approve the control. Thi
site script injections into websites in this zone.If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting, SmartS
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting, most unwanted pop-up windows are p
favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can
ricted Sites, can navigate into this zone.If you enable this policy setting, Web sites from less privileged zones can open new windows in, or
enable this policy setting, Internet Explorer opens tiles only on the desktop.If you disable this policy setting, Internet Explorer does not ope
orer decide, always in Internet Explorer, or always in Internet Explorer on the desktop.If you enable this policy setting, Internet Explorer en
f you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available.I
cy setting, a user cannot choose when to underline links. You must specify when to underline links: • Always • Never • Hover
provide a detailed description with hints about how to correct the problem. If you clear this check box, the user sees only the error code
out of the page you are leaving and fades into the page to which you are going.If you enable this policy setting, page transitions will be turn
which can be used to invoke the default phone application on the system.If you enable this policy setting, phone number detection is turne
d.If you enable this policy setting, smooth scrolling is turned off. The user cannot turn on smooth scrolling.If you disable this policy setting
use script debuggers to test programs and scripts on their webpages. You can use the script debugger to browse, edit, and debug .htm an
ecause of problems with its scripting. This feature is off by default, but it is useful to developers when they are testing webpages.If you en
et Connection Wizard was not completed, this policy setting starts the wizard automatically.If you enable this policy setting, the Internet C
nd that require additional software.If you enable this policy setting, Internet Explorer plays these files, if the appropriate software is instal
downloading. This allows items on the page to be positioned where they will appear when the images are completely downloaded. This op
hat they fit in the browser window.If you enable this policy setting, automatic image resizing is turned off. The user cannot change this setti
times, pages that contain several graphical images are displayed very slowly. If you want to display pages more quickly, you can turn off im
ar less jagged when displayed.If you enable this policy setting, smart image dithering is turned off. The user cannot turn it on.If you disable
e user prints a webpage. Including background colors and images might reduce the speed at which a page is printed and the quality of the
this policy setting, you must specify which of the following actions applies to searches on the Address bar. The user cannot change the spe
en search is enabled on the Address bar. The possible options are: • Disable top result search: When a user performs a search in the A
ss after the branding is complete for Internet service providers (ISPs) through the Internet Explorer Administration Kit (IEAK).If you enable
s suggestions for what you type by automatically completing the command inline with the closest match. By default, this functionality is tu
he address bar based on common URLs. The list of common URLs is stored locally and is updated once a month. No user data is sent over
e Internet Explorer Address bar.Windows Search AutoComplete suggests possible matches when a user is entering a web address in the b
The AutoComplete feature provides suggestions for what the user types by automatically completing the address or command with the clo
nable this policy setting, the user cannot choose the default text size in Internet Explorer. You must specify the default text size: • Larg
enable this policy setting, the user cannot specify the background color in Internet Explorer. You must specify the background color (for e
this policy setting, the user cannot specify the text color in Internet Explorer. You must specify the text color (for example: 192,192,192).If
u enable this policy setting, Windows colors are turned off. The user cannot turn them on.If you disable this policy setting, Windows color
ready clicked. Appropriate color choices can make links easier to see for some users, especially those who use high-contrast color schemes
ot yet clicked. Appropriate color choices can make links easier to see for some users, especially those who use high-contrast color schemes
mouse pointer pauses on them.If you enable this policy setting, the user cannot specify the hover color. You must specify the hover color
able this policy setting, the hover color option is turned on. The user cannot turn it off.If you disable this policy setting, the hover color op
d that defines characters so they are readable in any language. By using UTF-8, you can exchange Internet addresses (URLs) that contain ch
automatically on your computer, according to a schedule specified by the channel provider.If you enable this policy, the Add Active Channe
make Web pages available for offline viewing, they can view the content when their computer is not connected to the Internet.If you enab
ages available for offline viewing, they can view content when their computer is not connected to the Internet.If you enable this policy, th
ly updated on their computer according to a schedule specified by the channel provider.If you enable this policy, the Channel bar interface
make Web pages available for offline viewing, they can view content when their computer is not connected to the Internet.If you enable
oups of Web pages that users have subscribed to.A subscription group is a favorite Web page plus the Web pages it links to.If you enable t
en users make Web pages available for offline viewing, they can view content when their computer is not connected to the Internet.If you
by users who are working offline.If you enable this policy, it disables any channel logging settings set by channel providers in the channel d
Web sites that are automatically updated on your computer according to a schedule specified by the channel provider.If you enable this po
viewing.When users make Web pages available for offline viewing, they can view content when their computer is not connected to the In
n set limits to the size and number of pages that users can download. If users attempt to exceed the number of subscriptions, a prompt wi
he Internet security zone.If you enable this policy, you can specify the persistence storage amount per domain or per document for this se
he Local Intranet security zone.If you enable this policy, you can specify the persistence storage amount per domain or per document for t
he Local Computer security zone.If you enable this policy, you can specify the persistence storage amount per domain or per document fo
he Restricted Sites security zone.If you enable this policy, you can specify the persistence storage amount per domain or per document fo
he Trusted Sites security zone.If you enable this policy, you can specify the persistence storage amount per domain or per document for th
hreshold sets the number of first-party sites that a particular third-party item can be referenced from before it is blocked. Setting this valu
e threshold sets the number of first-party sites that a particular third-party item can be referenced from before it is blocked. Setting this va
are loaded by default during an InPrivate Browsing session.Toolbars and BHOs may store data about a user's browsing session. By default
atic mode.The data consists of the URLs of third-party content, along with data about the first-party websites that referenced it. It is collec
Internet Explorer from storing data about a user's browsing session. This includes cookies, temporary Internet files, history, and other dat
ether third parties can automatically collect information about their browsing based on the sites that they visit. InPrivate Filtering does thi
whether third parties can automatically collect information about their browsing based on the sites that they visit. Tracking Protection doe
sers for a password. The reveal password button is displayed during password entry. When the user clicks the button, the current passwor
pers to encapsulate images and .css files within the body of the URL and optionally encode them by using base 64 encoding. Malware filter
er. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to ex
rences (as reflected by Add-on Manager) or policy settings. By default, any process other than the Internet Explorer processes or those lis
List' policy setting are denied. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which a
user preferences (as entered into Add-on Manager) or policy settings. By default, only Internet Explorer processes use the add-on manage
ternet Explorer technology to instantiate Flash objects. If you enable this policy setting, Flash is turned off for Internet Explorer, and applic
is policy setting, the user can run natively implemented, scriptable XMLHTTP.If you disable this policy setting, the user cannot run natively
s per host to a limit of your choice (from 2 through 128).If you enable this policy setting, Internet Explorer uses the connection limit of you
s per host to a limit of your choice (from 2 through 128).If you disable or do not configure this policy setting, Internet Explorer will use the
default limit is 6; you can select a value from 2 through 128.If you enable this policy setting, Internet Explorer uses the WebSocket connecti
mains embedded in the page.If you enable this policy setting, documents cannot request data across third-party domains embedded in th
the WebSocket protocol. This policy setting allows administrators to enable or disable the WebSocket object. This policy setting does not p
the XDomainRequest object. Note that this policy setting does not block client-side communication across domains through other feature
y a list of admin-approved behaviors. This list may be configured here, and applies to all processes which have opted in to the behavior, an
nality for the HTML elements to which they are attached. This policy setting controls whether the Binary Behavior Security Restriction setti
d other binaries signed with MD2 and MD4 signing technologies. Internet Explorer 9 does not support MD2 and MD4 signing technologies
nality for the HTML elements to which they are attached. This policy setting controls whether the Binary Behavior Security Restriction setti
nality for the HTML elements to which they are attached. This policy setting controls whether the Binary Behavior Security Restriction setti
g procedures for files received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type inf
g procedures for files received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type inf
g procedures for files received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type inf
e location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restr
e location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restr
e location of the Web page (Internet, Intranet, Local Machine zone, and so on). Web pages on the local computer have the fewest security
file of one type to a more dangerous file type. If you enable this policy setting, the Mime Sniffing Safety Feature is enabled for all processes
file of one type to a more dangerous file type. If you enable this policy setting, MIME sniffing will never promote a file of one type to a mor
file of one type to a more dangerous file type. This policy setting allows administrators to define applications for which they want this secur
K protocol. Resources hosted on the MK protocol will fail. If you enable this policy setting, the MK Protocol is disabled for all processes. Any
K protocol. Resources hosted on the MK protocol will fail. If you enable this policy setting, the MK Protocol is prevented for File Explorer an
K protocol. Resources hosted on the MK protocol will fail. This policy setting allows administrators to define applications for which they wa
s from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protocols is preve
estricted protocols from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted
s from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protocols is preve
tive content obtained through restricted protocols from running in an unsafe manner, either by prompting the user, or simply disabling th
tive content obtained through restricted protocols from running in an unsafe manner, either by prompting the user, or simply disabling th
tive content obtained through restricted protocols from running in an unsafe manner, either by prompting the user, or simply disabling th
tive content obtained through restricted protocols from running in an unsafe manner, either by prompting the user, or simply disabling th
tive content obtained through restricted protocols from running in an unsafe manner, either by prompting the user, or simply disabling th
er than the Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is not displayed for any pro
rer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. If you en
ses when file or code installs are restricted. By default, the Notification bar is not displayed for any process when file or code installs are r
thin the same domain or to a new domain. If you enable this policy setting, object reference is no longer accessible when navigating within
thin the same domain or to a new domain. If you enable this policy setting, an object reference is no longer accessible when navigating wit
thin the same domain or to a new domain. This policy setting allows administrators to define applications for which they want this security
n the location of the Web page (Internet, Intranet, Local Machine zone, and so on). For example, Web pages on the local computer have t
n the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security r
n the location of the Web page (Internet, Intranet, Local Machine zone, and so on). Web pages on the local computer have the fewest sec
ting of ActiveX control installation. If you enable this policy setting, the Web Browser Control will block automatic prompting of ActiveX con
esses. If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. If you dis
ting of ActiveX control installation. If you enable this policy setting and enter a Value of 1, automatic prompting of ActiveX control installatio
ting of file downloads that are not user initiated. If you enable this policy setting, the Web Browser Control will block automatic prompting
e this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. If you disable this pol
ting of file downloads that are not user initiated. If you enable this policy setting and enter a Value of 1, automatic prompting of non-initiat
types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title
types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title
types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title
ou enable this policy, you can specify whether or not each button will be displayed by selecting or clearing the check boxes for each button
text labels, show selective text, or show only icons. If you enable this policy setting, command buttons are displayed according to which o
Explorer standard toolbars. The buttons appearing on the toolbar can be customized by the "Customize" option. This is present under the T
e Explorer. If you enable this policy, the list of toolbars, which users can display by clicking the View menu and then pointing to the Toolbar
abs are displayed on a separate row. If you disable this policy setting, tabs are not displayed on a separate row. If you do not configure this
Command bar is hidden and the user cannot choose to show it. If you disable this policy setting, the Command bar is shown and the user c
us bar is hidden and the user cannot choose to show it. If you disable this policy setting, the status bar is shown and the user cannot choos
olicy setting, the toolbars are locked and the user cannot move them. If you disable this policy setting, the toolbars are unlocked and the u
ttons. If you enable this policy setting, the Stop and Refresh buttons are next to the Forward and Back buttons, and the user cannot move t
plorer. If you enable this policy setting, the user cannot access Developer Tools. If you disable or do not configure this policy setting, the use
nes whether incompatible toolbars or Browser Helper Objects are installed when Internet Explorer starts. If the tool detects an incompatib
y setting, icons for command buttons are 20 x 20 pixels and cannot be made smaller (16 x 16 pixels). If you disable this policy setting, icons
lso add a search provider from the provider's website. If you enable this policy setting, the user can add and remove search providers, but
with particular web applications. If you enable this policy setting, OnUnLoad script handlers display UI during shutdown. If you disable or do
ft services. If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won't be
lorer are considered to be the same as newly installed add-ons and are not activated when the user upgrades to Internet Explorer 9. In Inte
, users cannot display the Media Explorer Bar. The auto-play feature is also disabled. When users click on a link within Internet Explorer,
e to open or save attachments that could potentially contain a virus. Users will not be able to disable the blocking of attachments in optio
ustom string in the version portion of the User Agent header. If you disable or do not configure this policy setting, Internet Explorer sends
is setting, the user is suggested possible matches when filling forms. The user cannot change it. If you do not configure this setting, the use
stored temporarily on the users' computer. If you disable this policy or do not configure it, automatic proxy scripts can be stored in the use
y or do not configure it, users can change accessibility settings, such as overriding fonts and colors on Web pages. If you set the "Disable th
dia, and printing. Users cannot select or clear the check boxes on the Advanced tab. If you disable this policy or do not configure it, users c
s provided in a file by the system administrator. If you enable this policy setting, the user will not be able to do automatic configuration. Yo
play these options, users open the Internet Options dialog box, and then click the Programs tab. If you disable this policy or do not configur
nt tab in the Internet Options dialog box appear dimmed. If you disable this policy or do not configure it, users can import new certificates
when the user clicks the General tab and then clicks the Colors button in the Internet Options dialog box. If you disable this policy or do not
re it, users can change their settings for dial-up connections. If you set the "Disable the Connections page" policy (located in \User Configu
the Programs tab in the Internet Options dialog box appears dimmed. If you disable this policy or do not configure it, users can determine w
l Tab in the Internet Options dialog box will be disabled. If you disable this policy or do not configure it, users can change the default fonts
m default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Ex
"Languages" button on the General Tab in the Internet Options dialog box will be disabled. If you disable this policy or do not configure it, u
n users click the General tab and then click the Colors button in the Internet Options dialog box. If you disable this policy or do not configur
ese options, users open the Internet Options dialog box, and then click the Programs tab. If you disable this policy or do not configure it, us
you disable this policy or do not configure it, users can change their profile information, such as their street and e-mail addresses. The "Di
ons dialog box appear dimmed. If you disable this policy or do not configure it, users can change their ratings settings. The "Disable the Rati
pages. If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot s
ar dimmed. These settings are found in the dialog box that appears when users click the General tab and then click the Settings button in t
by another party, such as an Internet service provider or Internet content provider. If you disable this policy or do not configure it, users c
other browser allows the user to import favorites and feeds from other browsers. Importing settings from a file allows the user to import
from running the wizard by clicking the Connect to the Internet icon on the desktop or by clicking Start, pointing to Programs, pointing to
u disable this policy or do not configure it, users can restore the default settings for home and search pages. The "Disable the Programs pag
t proxy settings. If you disable this policy or do not configure it, error messages will not be displayed when problems occur with proxy scrip
-On Manager. The only exception occurs if an add-on has been specifically entered into the 'Add-On List' policy setting in such a way as to
desktop. The navigation bar includes features for browsing webpages, searching the web by using a selection of search tools, viewing a his
e identity, with a different password and different program preferences. If you enable this policy, users will not be able to create new identi
ault web browser. Users cannot change the setting. If you disable this policy setting, users will not be notified if Internet Explorer is not the
u can enter a list of sites which will be allowed to open pop-up windows regardless of user settings. Only the domain name is allowed, so w
ools, accessing and managing favorites, viewing a history of visited pages, printing, and accessing email and newsgroups. The menu bar co
e or do not configure this policy setting, the user can use the "Fix settings" functionality. Note: When this policy setting is enabled, the "Fix
d from the Command bar. • The shortcut key F1 does not make Help appear. • Help cannot be accessed from the Settings charm (s
us content. SmartScreen Filter also prevents the execution of files that are known to be malicious. If you enable this policy setting, SmartScr
from the Internet. If you enable this policy setting, SmartScreen Filter warnings block the user. If you disable or do not configure this policy
om secure sites. If you enable this policy setting, the user cannot change the filter level. You can specify the filter level by importing Privacy
can configure proxy settings.
der. If you disable or do not configure this policy setting, the user can change the default search provider.
en in Internet Explorer when he or she clicks links from other applications. You must specify one of the following: • Open in an existin
pecify whether tabs should open in the foreground or in the background. The user cannot open the tabs in the background by pressing Ctr
etting, the Search box does not appear in the Internet Explorer frame. If you disable or do not configure this policy setting, the Search box a
or do not configure this policy setting, the user can add websites to or remove websites from the exception list. Note: You can allow a defa
r is known to host malware. If you enable this policy setting, the user is not prompted to turn on SmartScreen Filter. All website addresses
s policy setting, the user is not prompted to enable the phishing filter. You must specify which mode the phishing filter uses: manual, auto
dback Options command does not appear on the Help menu. If you disable this policy setting, the user must participate in the CEIP, and the
onfigure this policy setting, ActiveX controls can be installed on a per-user basis.
ake one of the following choices: • Skip the First Run wizard, and go directly to the user's home page. • Skip the First Run wizard, a
ware\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup,
xplorer) or to search the hard disk (from File Explorer). If the user presses F3, a prompt appears that informs the user that this feature has
their Search Assistant settings, such as setting default search engines for specific tasks. If you disable this policy or do not configure it, use
gh, or default. Low creates very few tab processes; medium creates a moderate amount of tab processes; and high allows the tab process
out:blank), the first home page, or the new tab page. If you disable or do not configure this policy setting, the user can select his or her pref
o allow the installation of ActiveX controls. If you disable or do not configure this policy setting, ActiveX controls, including per-user control
es. If you disable or do not configure this policy setting, users can pin sites.
hat Internet Explorer has not used before, a Notification bar will appear, asking the user for approval. If you enable this policy setting, the A
re slowing his or her browsing and displays a button that opens the Disable Add-ons dialog box. The Disable Add-ons dialog box displays th
sable or do not configure this policy setting, Automatic Crash Recovery prompts the user to recover his or her data after a program stops r
rned off. If you disable this policy setting, browser geolocation support is turned on. If you do not configure this policy setting, browser geo
indows in tabbed browsing. You must specify one of the following values: 0: Let Internet Explorer decide. 1: Force pop-up windows to o
Service Pack 1 and earlier, namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply. I
avorites bar is turned on. If you do not configure this policy setting, the user can turn on or turn off the Favorites bar.
nown to host malware. If you enable this policy setting, the user is not prompted to turn on SmartScreen Filter. You must specify which mo
content to be re-rendered at a scaled size. If you disable or do not configure this policy setting, applications that host MSHTML respond to
le (grayed out) and all other pop-up manager controls, notifications, and dialog boxes will not appear. Pop-up windows will continue to fun
you disable or do not configure this policy setting, Quick Tabs is turned on.
ing Session feature. If you disable or do not configure this policy setting, the user can use the Reopen Last Browsing Session feature.
do not configure this policy setting, the user can choose to view suggestions for all user-installed search providers that offer suggestions.
ping is turned on. If you do not configure this policy setting, the user can turn on or turn off Tab Grouping.
p. If you enable this policy setting, tabbed browsing and related entry points are turned off for Internet Explorer, and the user cannot turn
eb addresses. The user cannot change the auto-complete for web-address setting. If you disable this policy setting, user will be suggested m
s not appear until the user starts typing. If you disable or do not configure this policy setting, when a user clicks in the Search box, the quick
feature is turned off. If you disable or do not configure this policy setting, the feature is turned on.
perly. If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, althou
can log information that is blocked by new Internet Explorer features. The user cannot turn off logging. If you disable this policy setting, th
t, and the user cannot turn it off. If you disable this policy setting, the menu bar appears in Internet Explorer by default, and the user canno
that the user might want to visit. If you enable this policy setting, the user is not prompted to enable Suggested Sites. The user's brows
swords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "pr
time it is started. If you enable this policy, users' dial-up settings will be configured by Automatic Detection. If you disable this policy or do n
user cannot remove or change the Accelerators that this policy setting has added. Default and non-default Accelerators should not overla
t the user cannot remove or change the Accelerators that this policy setting has added. Default and non-default Accelerators should not o
d through Group Policy. The user cannot add or delete Accelerators. If you disable or do not configure this policy setting, the user can acce
access Accelerators and install new Accelerators.
n which you specify that administrator-approved controls can be run. If you disable this policy or do not configure it, this control will not b
and obtain information about vehicles. If you enable this policy, this control can be run in security zones in which you specify that administ
ed by a web site because it includes file access and other features, and a "safe for scripting" version that has restricted functionality and is
s can be run in security zones in which you specify that administrator-approved controls can be run. If you disable this policy or do not con
ecify that administrator-approved controls can be run. If you disable this policy or do not configure it, these controls will not be designated
Microsoft Windows interface. If you enable this policy, this control can be run in security zones in which you specify that administrator-ap
b. If you enable this policy, this control can be run in security zones in which you specify that administrator-approved controls can be run. If
n which you specify that administrator-approved controls can be run. If you disable this policy or do not configure it, this control will not be
n. If you disable this policy or do not configure it, this control will not be designated as administrator-approved. To specify how administrat
zones in which you specify that administrator-approved controls can be run. If you disable this policy or do not configure it, these controls
be run. If you disable this policy or do not configure it, this control will not be designated as administrator-approved. To specify how admin
disable this policy or do not configure it, this control will not be designated as administrator-approved. To specify how administrator-appro
ng, the user is not prompted when a script that is running in any process on the computer performs a Clipboard operation. This means tha
ne is set to prompt. If you enable this policy setting, the user is not prompted when a script that is running in the Internet Explorer process
Internet Explorer processes, use the "Bypass prompting for Clipboard access for scripts running in the Internet Explorer process" policy. If
d. If you disable this policy or do not configure it, users can open a Web page in a new browser window by using the shortcut menu. This po
Disk command while attempting to download a file. The file will not be downloaded and users will be informed that the command is not a
s are not prevented from closing the browser or File Explorer. Note: The Close button in the top right corner of the program will not work;
ng Window. The user interface is not changed, but a new window will not be opened, and users will be informed that the command is not
sers click the Open command, they will be notified that the command is not available. If you disable this policy or do not configure it, users
of a Web page. If you enable this policy, the Web Page, Complete file type option will be removed from the Save as Type box in the Save W
policy or do not configure it, users can save Web pages for later viewing. This policy takes precedence over the "File Menu: Disable Save As
nfigure it, users can display content about switching from Netscape by clicking the For Netscape Users command on the Help menu. Cautio
able this policy or do not configure it, users can fill out an Internet form to provide feedback about Microsoft products.
cy or do not configure it, users can enable or disable the Tip of the Day, which appears at the bottom of the browser.
configure it, users can run the tour from the Help menu.
e interface, and the Favorites button on the browser toolbar appears dimmed. The Add to Favorites command on the shortcut menu is dis
e, cache size, and connection and proxy settings, from the browser Tools menu. When users click the Internet Options command on the To
Explorer and any printers under the Devices charm. If you enable this policy setting, the Print menu in Internet Explorer will not be availabl
the desktop. If you enable this policy setting, the shortcut menu will not appear when a user right-clicks a webpage. If you disable or do no
1 will not display the browser in a full screen. If you disable this policy or do not configure it, users can display the browser in a full screen. T
able this policy or do not configure it, then users can view the HTML source of Web pages from the browser View menu. Caution: This polic
used during browser navigation. If a user visits a site on the compatibility lists, the pages are automatically displayed in Compatibility View
use the Compatibility View button or manage the Compatibility View sites list. If you disable or do not configure this policy setting, the user
able this policy setting, the user cannot use the Compatibility View button. If you disable or do not configure this policy setting, the user can
in Internet Explorer 7 Standards Mode or the Standards Mode available in the latest version of Internet Explorer. If you enable this policy s
ernet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in
nnot remove the entries that you specify. If you disable or do not configure this policy setting, the user can add and remove sites from the
net Explorer. If you enable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appe
et files, cookies, history, form data, and passwords) are applied, and those items are deleted. If you enable this policy setting, deleting brow
menu, click Internet Options, click the General tab, and then click Settings under Browsing history. If you enable this policy setting, a user c
er 10" in the TechNet technical library. If you enable this policy setting, the user cannot access the Delete Browsing History dialog box. Starti
o disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the Personalized Tr
If you disable this policy setting, cookies are deleted when the user clicks Delete. If you do not configure this policy setting, the user can ch
when the user clicks Delete. If you disable this policy setting, download history is deleted when the user clicks Delete. If you do not configu
e user clicks Delete. If you disable this policy setting, favorites site data is deleted when the user clicks Delete. If you do not configure this po
ete. If you disable this policy setting, form data is deleted when the user clicks Delete. If you do not configure this policy setting, the user can
third-party items should be blocked when InPrivate Filtering is enabled. This feature is available in the Delete Browsing History dialog box.
ete. If you disable this policy setting, passwords are deleted when the user clicks Delete. If you do not configure this policy setting, the user
rved when the user clicks Delete. If you disable this policy setting, temporary Internet files are deleted when the user clicks Delete. If you do
that the user has visited are preserved when he or she clicks Delete. If you disable this policy setting, websites that the user has visited are
net Explorer. If you enable this policy setting, users will not be able to delete temporary Internet files and cookies. If you disable or do not c
a, and printing. If you disable this policy or do not configure it, users can see and change these settings. When you set this policy, you do no
cy or do not configure it, users can see and change these settings. When you set this policy, you do not need to set the following policies fo
n see and change these settings.
e, and accessibility. If you disable this policy or do not configure it, users can see and change these settings. When you set this policy, you d
not configure it, users can see and change these settings.
s policy or do not configure it, users can see and change these settings. When you set this policy, you do not need to set the following polic
d user authentication. If you disable this policy or do not configure it, users can see and change these settings. When you set this policy, you
n Internet Explorer. If you enable this policy setting, the user cannot continue browsing. If you disable or do not configure this policy settin
(DNS) servers or to proxy servers. If you enable this policy setting, you must specify when IDN server names should be sent: 0) Unicode do
UTF-8. If you disable or do not configure this policy setting, Internet Explorer sends mailto links encoded through the user's code page. This
t. If you disable this policy setting, active content on a CD will always prompt before running. If you do not configure this policy, users can c
a and Java) that are required in order to view web pages as intended. If you enable this policy setting, non-Internet Explorer components w
Web page that requires Japanese-text display support, Internet Explorer could prompt the user to download the Japanese Language Pack
nd prioritization. If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol. If you disable this policy setting, Inte
ate that someone has tampered with the file. If you enable this policy setting, users will be prompted to install or run files with an invalid si
ns which impact Internet Explorer's performance or stability. If you enable this policy setting, Internet Explorer automatically launches any
s. The DNT:1 header signals to the servers not to track the user. For Internet Explorer 9 and 10: If you disable this policy setting, Internet Exp
e prompted to install new versions as they become available. If you enable this policy setting, Internet Explorer checks the Internet for a ne
his option protects users from submitting confidential data to a site that may be fraudulent or not secure. If you enable this policy setting, I
computers before downloading executable programs. If you enable this policy setting, Internet Explorer will check the digital signatures of
otected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in reg
ory, and disable add-ons that are not preapproved. If you enable this policy setting, the user cannot use Reset Internet Explorer Settings. If y
e, which may be insecure. If you enable this policy setting, Internet Explorer will not save encrypted pages containing secure (HTTPS) inform
s on the computer, or storing sensitive files that other users could see, in addition to managing total disk space usage. If you enable this po
as java applets are not. If you enable this policy setting, Internet Explorer will play animated pictures found in Web content. If you disable th
ava applets are not. If you enable this policy setting, Internet Explorer will play sounds found in Web content. If you disable this policy settin
pplets are not. If you enable this policy setting, Internet Explorer will play videos found in Web content. If you disable this policy setting, Int
t host MSHTML do not render text by using the Microsoft ClearType rendering engine. If you disable or do not configure this policy setting,
munication between the browser and the target server. When the browser attempts to set up a protected communication with the targe
e seamlessly switches into view. If you enable this policy setting, Internet Explorer doesn't load any websites or content in the background.
ot be prompted to provide information. If you disable this policy setting, then when a Web site requests Profile Assistant information, user
s policy setting, you must specify when to use UTF-8 to encode query strings: 0) Never encode query strings. 1) Only encode query strin
page prediction works. This feature isn't available for Internet Explorer for the desktop. If you enable this policy setting, flip ahead with pa
ons of Windows. Important: Some ActiveX controls and toolbars may not be available when 64-bit processes are used. If you enable this po
ctionality, such as using the Shift key to select text and copying a selection to the clipboard. This policy setting is particularly useful to user
Mode also limits the locations Internet Explorer can read from in the registry and the file system. If you enable this policy setting, Enhanced
e HTTP 1.1. If you do not configure this policy setting, users can configure Internet Explorer to use or not use HTTP 1.1.
disable this policy setting, Internet Explorer does not use HTTP 1.1 through proxy connections. If you do not configure this policy setting, us
t tab of the Internet Options dialog box. Users can change Content Advisor settings. If you disable or do not configure this policy setting, In
new browsing session with the tabs from the last browsing session. If you enable this policy setting, Internet Explorer starts a new browsin
website database and caches on Website Data Settings will be unavailable to users. If you disable this policy setting, websites will not be ab
ow website database and caches on Website Data Settings will be unavailable to users. If you disable this policy setting, websites will not b
orage limits for application caches. If a domain exceeds the application cache storage limit for an individual domain, Internet Explorer send
en you set this policy setting, you provide the expiration time limit in days. If you enable this policy setting, Internet Explorer will remove ap
ng, Internet Explorer displays a notification when a website exceeds the configured storage limit. If you disable or do not configure this poli
storage limits for indexed databases. If a domain exceeds the indexed database storage limit for an individual domain, Internet Explorer se
Internet Explorer sends an error to the website. No notification will be displayed to the user. When you set this policy setting, you provide
umber of resources allowed, including the page that referenced the manifest, Internet Explorer sends an error to the website. No notificati
fies the user, and the user must delete application caches before an updated one can be saved on their computer. The default maximum
otifies the user, and the user must delete indexed databases before an updated database can be saved on their computer. The default max
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. If you disa
plicitly mapped into a zone are considered to be in the Intranet Zone. If you disable this policy setting, local sites which are not explicitly m
e this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there). If you do not con
e Intranet Zone. If you disable this policy setting, sites which bypass the proxy server aren't necessarily mapped into the Intranet Zone (oth
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. If you disa
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. If you disa
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. If you disa
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. If you disa
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. If you disa
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. If you disa
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. If you disa
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. If you disa
ternet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intra
ng and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. If you disa
t mapping rules are applied automatically if the computer belongs to a domain. If you disable this policy setting, automatic detection of th
rtificates issued for a different website address. This warning helps prevent spoofing attacks. If you enable this policy setting, the certificate
net mappings, if they require them. If you enable this policy setting, a Notification bar notification appears whenever the user browses to a
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
tricted protocols may be set in the Intranet Zone Restricted Protocols section under Network Protocol Lockdown policy. If you enable this
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is not allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file d
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
e domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow win
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether o
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by th
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
tricted protocols may be set in the Intranet Zone Restricted Protocols section under Network Protocol Lockdown policy. If you enable this
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, user
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
e domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow win
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by th
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
tricted protocols may be set in the Intranet Zone Restricted Protocols section under Network Protocol Lockdown policy. If you enable this
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, user
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
e domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow win
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether o
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
n open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the P
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is not allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file d
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
e domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow win
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether o
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
n open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the P
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is not allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file d
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
e domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow win
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
n open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the P
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is not allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file d
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
e domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow win
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether o
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
n open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the P
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is not allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file d
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
s from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether t
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether o
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
n open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the P
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is not allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file d
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
e domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow win
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
n open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the P
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
of restricted protocols may be set in the Trusted Sites Zone Restricted Protocols section under Network Protocol Lockdown policy. If you en
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is not allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file d
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
s from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether t
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether o
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
n open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the P
setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in th
tricted protocols may be set in the Intranet Zone Restricted Protocols section under Network Protocol Lockdown policy. If you enable this
-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script co
ng, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin
oard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If
he file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are preven
nd Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting,
zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zon
dbox and take advantage of the Windows Presentation Foundation platform for the web. If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box
e this policy setting and set the drop-down box to Enable, XPS files are automatically loaded inside Internet Explorer. The user cannot chan
eb page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
s prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current si
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. If you enable this policy setting, us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it m
y setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable
ot apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, th
not configure this policy setting, the user can enable or disable scriptlets.
nfigure this policy setting, script is allowed to update the status bar.
ernal controls or media players. The dynsrc attribute on the img tag specifies an older media player. Also, as of Internet Explorer 8, this pol
s that have no status bar or Address bar. If you disable this policy setting, websites cannot open new Internet Explorer windows that have
display any scripted windows by using the Notification bar. If you do not configure this policy setting, the user can enable or disable the Noti
l they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users c
this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, user
tems. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (T
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate. If you disable
't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. If you disable this policy setting, Inte
f you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code
this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are querie
ble, users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble, users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the
aled to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy
trusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and sa
Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user ID
e domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow win
g Enable, or Disable, under Options in Group Policy Editor. If you disable, or do not configure this policy setting, users can choose whether
ferenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execut
nced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute si
tion. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable
ntervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this p
Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scrip
File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warni
f software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be autom
ts non-SSL form data submission. If you enable this policy setting, information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted. If you enable this policy setting, the first-run prom
sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned o
try and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disab
able this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. If you do not configure this policy setting
wanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appeari
age, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preser
can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by th
nternet Explorer does not open tiles on the desktop. If you do not configure this policy, users can choose how Internet Explorer tiles are op
y setting, Internet Explorer enforces your choice. Users cannot change the setting. If you disable or do not configure this policy setting, use
Address bar, if it is available. If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site
ways • Never • Hover (when the mouse pointer pauses on a link) If you disable or do not configure this policy setting, the user can
user sees only the error code and the name of the error. If you enable this policy setting, when there is a problem connecting with an Inter
g, page transitions will be turned off. The user cannot change this behavior. If you disable this policy setting, page transitions will be turned
one number detection is turned off. Users won't be able to modify this setting. If you disable this policy setting, phone number detection is
you disable this policy setting, smooth scrolling is turned on. The user cannot turn off smooth scrolling. If you do not configure this policy s
owse, edit, and debug .htm and .asp files that contain Microsoft Visual Basic Scripting Edition (VBScript) or Microsoft JScript. If you enable t
are testing webpages. If you enable this policy setting, the user is shown script errors when a page does not appear properly because of pro
is policy setting, the Internet Connection Wizard starts automatically if it was not completed before. The user cannot prevent the wizard fr
appropriate software is installed. If you disable this policy setting, Internet Explorer does not play these files. If you do not configure this po
mpletely downloaded. This option is ignored if the Show Pictures check box is cleared. If you enable this policy setting, placeholders appea
he user cannot change this setting. If you disable this policy setting, automatic image resizing is turned on. The user cannot change this setti
re quickly, you can turn off image display. If you enable this policy setting, images do not appear. The user cannot turn on image display. H
cannot turn it on. If you disable this policy setting, smart image dithering is turned on. The user cannot turn it off. If you do not configure th
printed and the quality of the printing, depending on the capabilities of the printer. If you enable this policy setting, the printing of backgro
he user cannot change the specified action. • Do not search from the Address bar: The user cannot use the Address bar for searches. T
ser performs a search in the Address bar, a list of search results from the selected search provider is displayed in the main window. •
ration Kit (IEAK). If you enable this policy setting, Internet Explorer is started automatically to complete the signup process after the brand
default, this functionality is turned on in File Explorer. If you enable this policy setting, Inline AutoComplete for File Explorer is turned off.
nth. No user data is sent over the internet by this feature. If you enable this policy setting, URL Suggestions will be turned off. Users will not
ntering a web address in the browser Address bar. This feature provides more relevant results in the browser Address bar. If you enable th
dress or command with the closest match. If you enable this policy setting, inline AutoComplete is turned on. The user cannot turn it off. If y
he default text size: • Largest • Larger • Medium • Smaller • Smallest If you disable or do not configure this policy setti
fy the background color (for example: 192,192,192). If you disable or do not configure this policy setting, the user can specify the backgrou
r (for example: 192,192,192). If you disable or do not configure this policy setting, the user can specify the text color in Internet Explorer.
policy setting, Windows colors are turned on. The user cannot turn them off. If you do not configure this policy setting, the user can turn o
se high-contrast color schemes. If you enable this policy setting, the user cannot specify the color of links already clicked in Internet Explore
e high-contrast color schemes. If you enable this policy setting, the user cannot specify the color of links not yet clicked in Internet Explore
must specify the hover color (for example: 192,192,192). If you disable or do not configure this policy setting, the user can specify the hov
icy setting, the hover color option is turned off. The user cannot turn it on. If you do not configure this policy setting, the user can turn on o
dresses (URLs) that contain characters from any language. If you enable this policy setting, Internet Explorer does not allow sending the pa
policy, the Add Active Channel button, which appears on a channel that users haven't yet subscribed to, will be disabled. Users also canno
ted to the Internet. If you enable this policy, users cannot add new schedules for downloading offline content. The Make Available Offline c
et. If you enable this policy, the check boxes for schedules on the Schedule tab of the Web page properties are cleared and users cannot s
olicy, the Channel bar interface will be disabled, and users cannot select the Internet Explorer Channel Bar check box on the Web tab in the
to the Internet. If you enable this policy, content will not be downloaded from Web sites that users have subscribed to. However, synchro
ages it links to. If you enable this policy, the Add, Remove, and Edit buttons on the Schedule tab in the Web page Properties dialog box are
nnected to the Internet. If you enable this policy, users cannot display the schedule properties of pages that have been set up for offline vi
nnel providers in the channel definition format (.cdf) file. The .cdf file determines the schedule and other settings for downloading Web co
provider. If you enable this policy, users cannot prevent channels from being synchronized. If you disable this policy or do not configure it,
uter is not connected to the Internet. If you enable this policy, the Make Available Offline check box in the Organize Favorites Favorite dialo
of subscriptions, a prompt will appear that states that they cannot set up more Web sites for offline viewing. If you disable this policy or d
ain or per document for this security zone. If you disable this policy or do not configure it, you cannot set this limit. Note: This setting does n
domain or per document for this security zone. If you disable this policy or do not configure it, you cannot set this limit. Note: This setting d
er domain or per document for this security zone. If you disable this policy or do not configure it, you cannot set this limit. Note: This setting
er domain or per document for this security zone. If you disable this policy or do not configure it, you cannot set this limit. Note: This setting
domain or per document for this security zone. If you disable this policy or do not configure it, you cannot set this limit. Note: This setting do
e it is blocked. Setting this value lower can help prevent more third-party sites from obtaining details about a user's browsing. However, do
re it is blocked. Setting this value lower can help prevent more third-party sites from obtaining details about a user's browsing. However,
s browsing session. By default, the computer does not load them when InPrivate Browsing starts. If you enable this policy setting, toolbars
s that referenced it. It is collected during non-InPrivate (normal) browsing sessions. If you enable this policy setting, InPrivate Filtering data
et files, history, and other data. If you enable this policy setting, InPrivate Browsing is turned off. If you disable this policy setting, InPrivate
sit. InPrivate Filtering does this by identifying third-party content that is used by multiple websites that users have visited. If you enable thi
y visit. Tracking Protection does this by identifying third-party content that is used by multiple websites that users have visited. If you enab
e button, the current password value is visible until the mouse button is released (or until the tap ends). If you enable this policy setting, th
se 64 encoding. Malware filters or other network-based filters may not properly filter encapsulated data. If you enable this policy setting, D
h are specifically written to extend or enhance the functionality of the browser or web pages. This list can be used with the 'Deny all add-o
Explorer processes or those listed in the 'Process List' policy setting ignore add-on management user preferences and policy settings. If you
Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages. By default, the 'A
esses use the add-on management user preferences and policy settings. This policy setting allows you to extend support for these user pr
r Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog b
g, the user cannot run natively implemented, scriptable XMLHTTP. If you do not configure this policy setting, the user can choose to run nati
es the connection limit of your choice for HTTP 1.1. If you disable or do not configure this policy setting, Internet Explorer uses the default
Internet Explorer will use the default connection limit for HTTP 1.0 (6 connections per host). In versions of Internet Explorer prior to Intern
r uses the WebSocket connection limit that you set with this policy setting. If you disable or do not configure this policy setting, Internet Ex
arty domains embedded in the page. If you disable or do not configure this policy setting, documents can request data across third-party d
. This policy setting does not prevent client-side communication across domains via other features in Internet Explorer 10. Also, this policy
domains through other features in Internet Explorer 8, and it does not prevent a site from requesting cross-domain data through a server. I
ve opted in to the behavior, and to all zones. (Behaviors are components that encapsulate specific functionality or behavior on a page.) If y
avior Security Restriction setting is prevented or allowed. If you enable this policy setting, binary behaviors are prevented for all processes.
nd MD4 signing technologies by default, because they are not as secure as other technologies. If you enable this policy setting, Internet Ex
avior Security Restriction setting is prevented or allowed. If you enable this policy setting, binary behaviors are prevented for the File Explo
avior Security Restriction setting is prevented or allowed. This policy setting allows administrators to define applications for which they wa
er requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the
er requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the
er requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the
have the fewest security restrictions and reside in the Local Machine zone. Local Machine zone security applies to all local files and content
have the fewest security restrictions and reside in the Local Machine zone. Local Machine zone security applies to all local files and content
puter have the fewest security restrictions and reside in the Local Machine zone. Local Machine zone security applies to all local files and c
ure is enabled for all processes. If you disable or do not configure this policy setting, the Mime Sniffing Safety Feature is disabled for all proc
ote a file of one type to a more dangerous file type. If you disable this policy setting, Internet Explorer processes will allow a MIME sniff pro
for which they want this security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1, this protection
disabled for all processes. Any use of the MK Protocol is blocked. If you disable or do not configure this policy setting, the MK Protocol is en
prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. If you disable this policy setting, applic
pplications for which they want this security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1, us
h restricted protocols is prevented or allowed. If you enable this policy setting, restricting content obtained through restricted protocols is
t obtained through restricted protocols is prevented or allowed. If you enable this policy setting, restricting content obtained through restr
h restricted protocols is prevented or allowed. This policy setting allows administrators to define applications for which they want restricti
he user, or simply disabling the content. For each zone, this list of protocols may be configured here, and applies to all processes which ha
he user, or simply disabling the content. For each zone, this list of protocols may be configured here, and applies to all processes which ha
he user, or simply disabling the content. For each zone, this list of protocols may be configured here, and applies to all processes which ha
he user, or simply disabling the content. For each zone, this list of protocols may be configured here, and applies to all processes which ha
he user, or simply disabling the content. For each zone, this list of protocols may be configured here, and applies to all processes which ha
ar is not displayed for any process when file or code installs are restricted (except for the Internet Explorer Processes, for which the Notifi
t Explorer processes. If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. If you disable th
when file or code installs are restricted (except for the Internet Explorer Processes, for which the Notification bar is displayed by default). If
essible when navigating within or across domains for all processes. If you disable or do not configure this policy setting, object reference is
accessible when navigating within or across domains for Internet Explorer processes. If you disable this policy setting, an object reference is
which they want this security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1, references to ob
s on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone
uter have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for
computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime targ
matic prompting of ActiveX control installation for all processes. If you disable or do not configure this policy setting, the Web Browser Cont
t Explorer processes. If you disable this policy setting, prompting for ActiveX control installations will not be blocked for Internet Explorer p
ng of ActiveX control installation is blocked. If you enter a Value of 0, automatic prompting of ActiveX control installation is allowed. The V
ill block automatic prompting of file downloads that are not user initiated for all processes. If you disable this policy setting, the Web Brows
ocesses. If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes
matic prompting of non-initiated file downloads is blocked. If you enter a Value of 0, automatic prompting of non-initiated file downloads i
ing windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. If you enable th
ing windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. If you enable th
ing windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. This policy setti
e check boxes for each button. If you disable this policy or do not configure it, the standard toolbar will be displayed with its default setting
isplayed according to which one of the following options you choose, and the user cannot change how command buttons are displayed: Sh
on. This is present under the Toolbars submenu of the View menu in Internet Explorer 6 and under the Toolbars submenu of the Tools me
d then pointing to the Toolbars command, will appear dimmed. If you disable this policy or do not configure it, users can determine which
w. If you do not configure this policy setting, the user can change where tabs are displayed.
nd bar is shown and the user cannot choose to hide it. If you do not configure this policy setting, the Command bar is shown by default, an
wn and the user cannot choose to hide it. If you do not configure this policy setting, the status bar is shown by default, and the user can ch
olbars are unlocked and the user can move them. If you do not configure this policy setting, the toolbars are locked by default, but the use
s, and the user cannot move them. If you disable this policy setting, the Stop and Refresh buttons are next to the Address bar, and the user
gure this policy setting, the user can access Developer Tools.
the tool detects an incompatible toolbar, the user is prompted to update or disable the toolbar. Specific toolbars or Browser Helper Objec
sable this policy setting, icons for command buttons are 16 x 16 pixels (the default) and cannot be made bigger (20 x 20 pixels). If you do n
remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HK
shutdown. If you disable or do not configure this policy setting, OnUnLoad script handlers do not display UI during shutdown (default beha
ar. In addition, users won't be able to change the Suggestions setting on the Settings charm. If you disable this policy setting, users won't re
es to Internet Explorer 9. In Internet Explorer 9, add-ons are defined as toolbars, Browser Helper Objects, or Explorer bars. ActiveX controls
link within Internet Explorer, the content will be played by the default media client on their system. If you enable the Media Explorer Bar o
ocking of attachments in options. If the block attachments setting is not checked, the user can specify to enable or disable the blocking of a
tting, Internet Explorer sends the current Internet Explorer version in the User Agent header (for example, "MSIE 7.0").
configure this setting, the user has the freedom to turn on the auto-complete feature for forms. To display this option, the users open the
scripts can be stored in the users' cache.
pages. If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\In
or do not configure it, users can select or clear settings on the Advanced tab. If you set the "Disable the Advanced page" policy (located in
o automatic configuration. You can import your current connection settings from your machine using Internet Explorer Maintenance unde
e this policy or do not configure it, users can determine which programs to use for managing schedules and contacts, if programs that perf
rs can import new certificates, remove approved publishers, and change settings for certificates that have already been accepted. The "Dis
ou disable this policy or do not configure it, users can change the default background and text color of Web pages. If you set the "Disable th
olicy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do n
figure it, users can determine whether Internet Explorer will check to see if it is the default browser. When Internet Explorer performs this
can change the default fonts for viewing Web pages. If you set the "Disable the General page" policy (located in \User Configuration\Adm
hines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. If you disable or d
policy or do not configure it, users can change the language preference settings for viewing Web sites for languages in which the characte
e this policy or do not configure it, users can change the default color of links on Web pages. If you set the "Disable the General page" polic
olicy or do not configure it, users can determine which programs to use for sending mail, viewing newsgroups, and placing Internet calls, if
and e-mail addresses. The "Disable the Content page" policy (located in \User Configuration\Administrative Templates\Windows Compon
settings. The "Disable the Ratings page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet E
ome pages. The user cannot set custom default secondary home pages. If you disable or do not configure this policy setting, the user can a
en click the Settings button in the Internet Options dialog box. If you disable this policy or do not configure it, users can change their cache
or do not configure it, users could install customizations from another party, for example, when signing up for Internet services. This policy
file allows the user to import favorites, feeds and cookies from a file. Exporting settings to a file allows the user to export favorites, feeds
nting to Programs, pointing to Accessories, pointing to Communications, and then clicking Internet Connection Wizard. If you disable this po
The "Disable the Programs page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explore
oblems occur with proxy scripts.
icy setting in such a way as to allow users to continue to manage the add-on. In this case, the user can still manage the add-on through th
n of search tools, viewing a history of visited pages, printing, and accessing email and newsgroups. The menu bar contains menus that open
ot be able to create new identities, manage existing identities, or switch identities. The Switch Identity option will be removed from the Fi
if Internet Explorer is not the default web browser. Users cannot change the setting. If you do not configure this policy setting, users can c
domain name is allowed, so www.contoso.com is valid, but not http://www.contoso.com. Wildcards are allowed, so *.contoso.com is also
newsgroups. The menu bar contains menus that open lists of commands. The commands include options for printing, customizing Interne
icy setting is enabled, the "Fix settings" command on the Notification bar shortcut menu should be disabled.
sed from the Settings charm (starting with Internet Explorer 10 on Windows 8). If you disable or do not configure this policy setting, the Int
le this policy setting, SmartScreen Filter warnings block the user. If you disable or do not configure this policy setting, the user can bypass S
or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
lter level by importing Privacy settings from your computer under Internet Explorer Maintenance. If you disable or do not configure this po
wing: • Open in an existing Internet Explorer window. If tabbed browsing is enabled, a new tab is created in this scenario. • Open
he background by pressing Ctrl+Shift+Select or open the tabs in the foreground by pressing Ctrl+Shift+Select. If you disable or do not config
policy setting, the Search box appears by default in the Internet Explorer frame. Note: If you enable this policy setting, Internet Explorer doe
list. Note: You can allow a default list of sites that can open pop-up windows regardless of the Internet Explorer process's Pop-Up Blocker s
n Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user. If you di
shing filter uses: manual, automatic, or off. If you select manual mode, the phishing filter performs only local analysis, and the user is prom
participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. If you do not configure this polic

• Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. Starting with Windows 8, the "Welcome to I
rd-party toolbars or in Setup, but the user can also add them from a search provider's website. If you enable this policy setting, the user ca
the user that this feature has been disabled. If you disable this policy or do not configure it, users can press F3 to search the Internet (from
licy or do not configure it, users can change their settings for the Search Assistant. This policy is designed to help administrators maintain c
nd high allows the tab process to grow very quickly and is intended only for computers that have ample physical memory. The default setti
user can select his or her preference for this behavior. The new tab page is the default setting.
ols, including per-user controls, are installed through the standard installation process.

enable this policy setting, the ActiveX Opt-In prompt does not appear. Internet Explorer does not ask the user for permission to load an Ac
Add-ons dialog box displays the load time for each group of add-ons enabled in the browser. It allows the user to disable add-ons and con
er data after a program stops responding.
his policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab.
1: Force pop-up windows to open in new windows. 2: Force pop-up windows to open on new tabs. If you disable or do not configure thi
Reporting continue to apply. If you disable or do not configure this policy setting, the crash detection feature for add-on management will

er. You must specify which mode the SmartScreen Filter uses: on, or off. All website addresses that are not on the filter's allow list are sent
hat host MSHTML respond to user input that causes the content to be re-rendered at a scaled size.
p windows will continue to function as they did in Windows XP Service Pack 1 or earlier, although windows launched off screen will contin

owsing Session feature.


iders that offer suggestions.

rer, and the user cannot turn them on. If you disable this policy setting, tabbed browsing and related entry points appear on the user inter
etting, user will be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting.
ks in the Search box, the quick pick menu appears.

rn off ActiveX Filtering, although they may add per-site exceptions. If you disable or do not configure this policy setting, ActiveX Filtering is
u disable this policy setting, the user cannot log information that is blocked by new Internet Explorer features. The user cannot turn on log
by default, and the user cannot turn it on. If you do not configure this policy setting, the menu bar is turned off by default. The user can tur
ted Sites. The user's browsing history is sent to Microsoft to produce suggestions. If you disable this policy setting, the entry points and
o decide whether to select "prompt me to save passwords". If you disable this setting the user cannot change "User name and passwords o
you disable this policy or do not configure it, dial-up settings will not be configured by Automatic Detection, unless specified by the user.
Accelerators should not overlap. If you disable or do not configure this policy setting, the user has Accelerators that are provided through fi
ault Accelerators should not overlap. If you disable or do not configure this policy setting, the user has Accelerators that are provided throu
olicy setting, the user can access any Accelerators that he or she has installed.

figure it, this control will not be designated as administrator-approved. To specify how administrator-approved controls are handled for ea
hich you specify that administrator-approved controls can be run. If you disable this policy or do not configure it, this control will not be de
restricted functionality and is intended for use by web sites. If you enable this policy, this control will be available as an administrator app
sable this policy or do not configure it, these controls will not be designated as administrator-approved. Select the check boxes for the con
ontrols will not be designated as administrator-approved. To specify a control as administrator-approved, click Enabled, and then select th
specify that administrator-approved controls can be run. If you disable this policy or do not configure it, these controls will not be designa
pproved controls can be run. If you disable this policy or do not configure it, this control will not be designated as administrator-approved. T
gure it, this control will not be designated as administrator-approved. To specify how administrator-approved controls are handled for eac
ed. To specify how administrator-approved controls are handled for each security zone, carry out the following steps: 1. In Group Policy, cli
not configure it, these controls will not be designated as administrator-approved. Select the check boxes for the controls that you want to d
proved. To specify how administrator-approved controls are handled for each security zone, carry out the following steps: 1. In Group Polic
ecify how administrator-approved controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click User C
ard operation. This means that if the zone behavior is currently set to prompt, it will be bypassed and enabled. If you disable this policy setti
n the Internet Explorer process performs a Clipboard operation. In the Internet Explorer process, if the zone behavior is currently set to pro
et Explorer process" policy. If the "Bypass prompting for Clipboard access for scripts running in any process" policy setting is enabled, the p
ng the shortcut menu. This policy can be used in coordination with the "File menu: Disable New menu option" policy, which prevents user
med that the command is not available. If you disable this policy or do not configure it, users can download programs from their browsers.
of the program will not work; if users click the Close button, they will be informed that the command is not available.
med that the command is not available. If you disable this policy or do not configure it, users can open a new browser window from the Fil
cy or do not configure it, users can open a Web page from the browser File menu. Caution: This policy does not prevent users from right-cl
ave as Type box in the Save Web Page dialog box. Users can still save Web pages as hypertext markup language (HTML) files or as text files
he "File Menu: Disable Save As Web Page Complete" policy, which prevents users from saving the entire contents that are displayed or run
mand on the Help menu. Caution: Enabling this policy does not remove the tips for Netscape users from the Microsoft Internet Explorer Hel
ft products.

nd on the shortcut menu is disabled; when users click it, they are informed that the command is unavailable. If you disable this policy or do
t Options command on the Tools menu, they are informed that the command is unavailable. If you disable this policy or do not configure i
et Explorer will not be available. Starting with Windows 8, the Print flyout for Internet Explorer will not be available, and users will not see
ebpage. If you disable or do not configure this policy setting, users can use the shortcut menu.
y the browser in a full screen. This policy is intended to prevent users from displaying the browser without toolbars, which might be confus
View menu. Caution: This policy does not prevent users from viewing the HTML source of a Web page by right-clicking a Web page to open
isplayed in Compatibility View. If you disable this policy setting, the Microsoft-provided website lists are not used. Additionally, the user ca
ure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list.
this policy setting, the user can use the Compatibility View button.
lorer. If you enable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended).
ndards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this beha
dd and remove sites from the list.
with an additional string appended). Additionally, webpages included in this list appear in Quirks Mode.
his policy setting, deleting browsing history on exit is turned on. If you disable this policy setting, deleting browsing history on exit is turned
able this policy setting, a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You must s
wsing History dialog box. Starting with Windows 8, users cannot click the Delete Browsing History button on the Settings charm. If you disa
rs turn on the Personalized Tracking Protection List, which blocks third-party items while the user is browsing. With at least Internet Explor
policy setting, the user can choose whether to delete or preserve cookies when he or she clicks Delete. If the "Prevent access to Delete Bro
s Delete. If you do not configure this policy setting, the user can choose whether to delete or preserve download history when he or she cl
. If you do not configure this policy setting, the user can choose whether to delete or preserve favorites site data when he or she clicks Dele
this policy setting, the user can choose whether to delete or preserve form data when he or she clicks Delete. If the "Prevent access to Dele
e Browsing History dialog box. If you enable this policy setting, InPrivate Filtering data is preserved when the user clicks Delete. If you disab
re this policy setting, the user can choose whether to delete or preserve passwords when he or she clicks Delete. If the "Prevent access to D
the user clicks Delete. If you do not configure this policy setting, the user can choose whether to delete or preserve temporary Internet file
s that the user has visited are deleted when he or she clicks Delete. If you do not configure this policy setting, the user can choose whethe
okies. If you disable or do not configure this policy setting, users will be able to delete temporary Internet files and cookies.
n you set this policy, you do not need to set the "Disable changing Advanced page settings" policy (located in \User Configuration\Administ
to set the following policies for the Content tab, because this policy removes the Connections tab from the interface: "Disable Internet Con

When you set this policy, you do not need to set the following Internet Explorer policies (located in \User Configuration\Administrative Tem

need to set the following policies for the Programs tab, because this policy removes the Programs tab from the interface: "Disable changing
. When you set this policy, you do not need to set the following Internet Explorer policies, because this policy removes the Security tab fro
not configure this policy setting, the user can choose to ignore certificate errors and continue browsing.
hould be sent: 0) Unicode domain names are never converted to IDN format. 1) Unicode domain names are converted to IDN format o
ugh the user's code page. This behavior matches the behavior of Internet Explorer 6 and earlier. The user can change this behavior on the
nfigure this policy, users can choose whether to be prompted before running active content on a CD.
ternet Explorer components will be automatically installed as necessary. If you disable this policy setting, users will be prompted when non
d the Japanese Language Pack component if it is not already installed. If you enable this policy setting, Web components such as fonts will
disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol. If you don't configure this policy setting, users can turn
ll or run files with an invalid signature. If you disable this policy setting, users cannot run or install files with an invalid signature. If you do n
er automatically launches any browser helper objects that are installed on the user's computer. If you disable this policy setting, browser h
this policy setting, Internet Explorer only sends the Do Not Track header if a Tracking Protection List is enabled or InPrivate Browsing mode
er checks the Internet for a new version approximately every 30 days and prompts the user to download new versions when they are avai
ou enable this policy setting, Internet Explorer will check to see if server certificates have been revoked. If you disable this policy setting, In
check the digital signatures of executable programs and display their identities before downloading them to user computers. If you disable
ption to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced
t Internet Explorer Settings. If you disable or do not configure this policy setting, the user can use Reset Internet Explorer Settings.
ntaining secure (HTTPS) information to the cache. If you disable this policy setting, Internet Explorer will save encrypted pages containing s
ace usage. If you enable this policy setting, Internet Explorer will delete the contents of the user's Temporary Internet Files folder when all b
n Web content. If you disable this policy setting, Internet Explorer will not play or download animated pictures, helping pages display more
If you disable this policy setting, Internet Explorer will not play or download sounds in Web content, helping pages display more quickly. If
u disable this policy setting, Internet Explorer will not play or download videos, helping pages display more quickly. If you do not configure t
t configure this policy setting, applications that host MSHTML render text by using the Microsoft ClearType rendering engine.
ommunication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attem
or content in the background. If you disable this policy setting, Internet Explorer preemptively loads websites and content in the backgroun
le Assistant information, users will be prompted to choose which information to share. At that time, users can also choose to allow this in
s. 1) Only encode query strings for URLs that aren't in the Intranet zone. 2) Only encode query strings for URLs that are in the Intranet
licy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background. If you disable this policy s
are used. If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on
ng is particularly useful to users who do not use a mouse. If you enable this policy setting, Caret Browsing is turned on. If you disable this po
e this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected

onfigure this policy setting, users can configure Internet Explorer to use or not use HTTP 1.1 through proxy connections.
onfigure this policy setting, Internet Explorer does not display the Content Advisor setting on the Content tab of the Internet Options dialo
Explorer starts a new browsing session with the tabs from the last browsing session. Users cannot change this option to start with the hom
etting, websites will not be able to store application caches on client computers. Allow website database and caches on Website Data Setti
icy setting, websites will not be able to store an indexed database on client computers. Allow website database and caches on Website Da
domain, Internet Explorer sends an error to the website. No notification will be displayed to the user. This group policy sets the maximum
ternet Explorer will remove application caches that haven't been used within the timeframe set in this policy setting. If you disable or do n
e or do not configure this policy setting, users can set default data storage limits for indexed databases and application caches.
l domain, Internet Explorer sends an error to the website. No notification is sent to the user. This group policy sets the maximum data sto
his policy setting, you provide the resource size limit, in MB. The default is 50 MB. If you enable this policy setting, Internet Explorer will all
or to the website. No notification will be displayed to the user. When you set this policy setting, you provide the resource limit as a numbe
puter. The default maximum storage limit for all application caches is 1 GB. If you enable this policy setting, you can set the maximum stor
eir computer. The default maximum storage limit for all indexed databases is 4 GB. If you enable this policy setting, you can set the maxim
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
ites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zon
p one there). If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.
ped into the Intranet Zone (other rules might map one there). If you do not configure this policy setting, users choose whether sites which b
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
es to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set
d template defaults. If you disable this template policy setting, no security level is configured. If you do not configure this template policy se
ng, automatic detection of the intranet is turned off, and intranet mapping rules are applied however they are configured. If this policy setti
is policy setting, the certificate address mismatch warning always appears. If you disable or do not configure this policy setting, the user ca
henever the user browses to a page that loads content from an intranet site. If you disable this policy setting, a Notification bar notification
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
down policy. If you enable this policy setting, no Intranet Zone content accessed is affected, even for protocols on the restricted list. If you s
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloade
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the fil
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot o
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applet
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is is
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
down policy. If you enable this policy setting, no Intranet Zone content accessed is affected, even for protocols on the restricted list. If you s
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloade
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, users will receive a file download dialog for automatic download attempts.
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot o
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applet
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, pop-up windows are not prevented from appearing.
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is is
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
down policy. If you enable this policy setting, no Intranet Zone content accessed is affected, even for protocols on the restricted list. If you s
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloade
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, users will receive a file download dialog for automatic download attempts.
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot o
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applet
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, pop-up windows are not prevented from appearing.
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
curity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issu
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, users are quer
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloade
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the fil
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot o
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applet
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
curity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issu
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, users are quer
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloade
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a
of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the fil
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot o
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applet
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, pop-up windows are not prevented from appearing.
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
curity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issu
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, users are quer
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloade
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files.If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the fil
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot o
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applet
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, pop-up windows are not prevented from appearing.
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
curity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issu
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files are prevented fro
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried w
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files.If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the fil
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
x, users are queried whether to allow additional windows and frames to access applications from other domains. If you disable this policy
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts are prevented fro
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
curity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issu
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, users are quer
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloade
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files.If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the fil
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot o
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applet
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, pop-up windows are not prevented from appearing.
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
curity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issu
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
ocol Lockdown policy. If you enable this policy setting, no Trusted Sites Zone content accessed is affected, even for protocols on the restric
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files are prevented fro
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried w
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files.If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the fil
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
x, users are queried whether to allow additional windows and frames to access applications from other domains. If you disable this policy
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts are prevented fro
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
curity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issu
one. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses M
down policy. If you enable this policy setting, no Intranet Zone content accessed is affected, even for protocols on the restricted list. If you s
ble this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on
y behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this polic
oard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a
or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this
policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloade
you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be
all desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do
policy setting and set the drop-down box to Enable, XBAPs are automatically loaded inside Internet Explorer. The user cannot change this b
ng and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XPS files. If you d
h setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active M
trol to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and A
u enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. If you disable this policy setting, u
m within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific item
he user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed onl
u disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a

of Internet Explorer 8, this policy setting controls HTML+TIME media elements that refer to audio and video files. If you enable this policy s
t Explorer windows that have no status bar or Address bar. If you do not configure this policy setting, the user can choose whether website
can enable or disable the Notification bar behavior.
ng the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting
not configure this setting, users will receive a file download dialog for automatic download attempts.
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nons
y one certificate. If you disable this policy setting, Internet Explorer prompts users with a "Client Authentication" message when they conne
disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the Ac
hers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot b
op-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run
different windows. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
he same window. Users cannot change this setting. If you enable this policy setting and click Disable, users cannot drag content from one d
rity zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be har
e path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy
tting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option
area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on th
you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on th
word to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. A
queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot o
ng, users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options
g, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the us
or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy settin
nteraction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script
disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applet
open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable t
oftware packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-
this zone can be submitted automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows. If you enable this policy setting, .NET Framework Setup is turned o
licy setting, the first-run prompt is turned off in the corresponding zone. If you disable this policy setting, the first-run prompt is turned on
tting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.
ff Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not c
ot configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. Note: In Inte
e not prevented from appearing. If you do not configure this policy setting, pop-up windows are not prevented from appearing.
policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to
security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is is
w Internet Explorer tiles are opened.
nfigure this policy setting, users can choose how links are opened in Internet Explorer.
go directly to an intranet site for a one-word entry in the Address bar.
his policy setting, the user can choose when to underline links.
blem connecting with an Internet server, the user does not see a detailed description or hints about how to correct the problem. The user
page transitions will be turned on. The user cannot change this behavior. If you do not configure this policy setting, the user can turn on or
g, phone number detection is turned on. Users won't be able to modify this setting. If you don't configure this policy setting, users can turn
u do not configure this policy setting, the user can turn smooth scrolling on or off.
Microsoft JScript. If you enable this policy setting, script debugging is turned on. The user cannot turn off script debugging. If you disable this
ppear properly because of problems with its scripting. The user cannot change this policy setting. If you disable this policy setting, the user
r cannot prevent the wizard from starting. If you disable this policy setting, the Internet Connection Wizard does not start automatically. Th
.If you do not configure this policy setting, the user can change the "Enable alternative codecs in HTML5 media elements" setting on the A
cy setting, placeholders appear for graphical images while the images are downloading. The user cannot change this policy setting. The "Tu
e user cannot change this setting. If you do not configure this policy setting, the user can turn on or off automatic image resizing.
nnot turn on image display. However, the user can still display an individual image by right-clicking the icon that represents the image and
t off. If you do not configure this policy setting, the user can turn on or turn off smart image dithering.
setting, the printing of background colors and images is turned on. The user cannot turn it off. If you disable this policy setting, the printing
he Address bar for searches. The user can still perform searches on the Search bar by clicking the Search button. • Display the results
ed in the main window. • Enable top result search: When a user performs a search in the Address bar, the user is directed to an extern
ignup process after the branding is complete for ISPs (IEAK). The user cannot change this behavior. If you disable this policy setting, Interne
for File Explorer is turned off. The user cannot turn it on. If you disable this policy setting, Inline AutoComplete for File Explorer is turned on
ill be turned off. Users will not be able to turn on URL Suggestions. If you disable this policy setting, URL Suggestions will be turned on. Use
r Address bar. If you enable this policy setting, Internet Explorer does not use Windows Search AutoComplete for providing relevant result
The user cannot turn it off. If you disable this policy setting, inline AutoComplete is turned off. The user cannot turn it on. If you do not con
o not configure this policy setting, the user can choose the default text size in Internet Explorer.
user can specify the background color in Internet Explorer.
xt color in Internet Explorer.
cy setting, the user can turn on or turn off Windows colors for display.
ady clicked in Internet Explorer. You must specify the link color (for example: 192,192,192). If you disable or do not configure this policy se
yet clicked in Internet Explorer. You must specify the link color (for example: 192,192,192). If you disable or do not configure this policy setti
g, the user can specify the hover color.
setting, the user can turn on or turn off the hover color option.
does not allow sending the path portion of URLs as UTF-8. The user cannot change this policy setting. If you disable this policy setting, Inte
l be disabled. Users also cannot add content that is based on a channel, such as some of the Active Desktop items from Microsoft's Active
t. The Make Available Offline check box will be dimmed in the Add Favorite dialog box. If you disable this policy or do not configure it, user
re cleared and users cannot select them. To display this tab, users click the Tools menu, click Synchronize, select a Web page, click the Pro
heck box on the Web tab in the Display Properties dialog box. If you disable this policy or do not configure it, users can view and subscribe t
bscribed to. However, synchronization with the Web pages will still occur to determine if any content has been updated since the last time
page Properties dialog box are dimmed. To display this tab, users click the Tools menu, click Synchronize, select a Web page, click the Prop
have been set up for offline viewing. If users click the Tools menu, click Synchronize, select a Web page, and then click the Properties butt
ttings for downloading Web content. If you disable this policy or do not configure it, channel providers can record information about when
s policy or do not configure it, users can disable the synchronization of channels. This policy is intended to help administrators ensure that
ganize Favorites Favorite dialog box and the Make This Page Available Offline check box will be selected but dimmed. To display the Make
g. If you disable this policy or do not configure it, then users can determine the amount of content that is searched for new information an
limit. Note: This setting does not appear in the user interface.
t this limit. Note: This setting does not appear in the user interface.
set this limit. Note: This setting does not appear in the user interface.
set this limit. Note: This setting does not appear in the user interface.
this limit. Note: This setting does not appear in the user interface.
user's browsing. However, doing so may cause compatibility issues on some websites. The allowed value range is 3 through 30. If you ena
a user's browsing. However, doing so may cause compatibility issues on some websites. The allowed value range is 3 through 30. If you en
ble this policy setting, toolbars and BHOs are not loaded by default during an InPrivate Browsing session. If you disable this policy setting, to
etting, InPrivate Filtering data collection is turned off. If you disable this policy setting, InPrivate Filtering collection is turned on. If you do n
e this policy setting, InPrivate Browsing is available for use. If you do not configure this policy setting, InPrivate Browsing can be turned on
s have visited. If you enable this policy setting, InPrivate Filtering is turned off in all browsing sessions, and InPrivate Filtering data is not col
users have visited. If you enable this policy setting, Tracking Protection is disabled in all browsing sessions, and Tracking Protection data is
u enable this policy setting, the reveal password button will be hidden for all password fields. Users and developers will not be able to dep
ou enable this policy setting, Data URI support is turned off. Without Data URI support, a Data URI will be interpreted as a failed URL. If you
used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed her
nces and policy settings. If you enable this policy setting, all processes will respect add-on management user preferences and policy setting
r web pages. By default, the 'Add-on List' policy setting defines a list of add-ons to be allowed or denied through Group Policy. However, us
end support for these user preferences and policy settings to specific processes listed in the process list. If you enable this policy setting an
the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Interne
the user can choose to run natively implemented, scriptable XMLHTTP.
rnet Explorer uses the default connection limit for HTTP 1.1 (6 connections per host). In versions of Internet Explorer before Internet Explo
ternet Explorer prior to Internet Explorer 8, the default connection limit for HTTP 1.0 was 4.
this policy setting, Internet Explorer uses the default limit of 6 WebSocket connections per server.
quest data across third-party domains embedded in the page.
et Explorer 10. Also, this policy setting does not prevent a site from requesting cross-domain data through a server. If you enable this policy
omain data through a server. If you enable this policy setting, websites cannot request data across domains by using the XDomainRequest
ity or behavior on a page.) If you enable this policy setting, this sets the list of behaviors permitted in each zone for which Script and Binary
e prevented for all processes. Any use of binary behaviors for HTML rendering is blocked. If you disable or do not configure this policy setti
this policy setting, Internet Explorer 9 installs binaries signed by MD2 and MD4 signing technologies. If you disable or do not configure this
e prevented for the File Explorer and Internet Explorer processes. If you disable this policy setting, binary behaviors are allowed for the File
applications for which they want this security feature to be prevented or allowed. If you enable this policy setting and enter a Value of 1 bin
pe of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it
pe of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it
pe of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it
es to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is used as an attack vector to load ma
es to all local files and content processed by Internet Explorer. This feature helps to mitigate attacks where the Local Machine zone is used
y applies to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is used as an attack vector to lo
Feature is disabled for all processes.
ses will allow a MIME sniff promoting a file of one type to a more dangerous file type. If you do not configure this policy setting, MIME sniffi
ter a Value of 1, this protection will be in effect. If you enter a Value of 0, any file may be promoted to more dangerous file types. The Valu
y setting, the MK Protocol is enabled.
sable this policy setting, applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and
tting and enter a Value of 1, use of the MK protocol is prevented. If you enter a Value of 0, use of the MK protocol is allowed. If a Value Nam
hrough restricted protocols is allowed for all processes other than File Explorer or Internet Explorer. If you disable this policy setting, restri
ontent obtained through restricted protocols is allowed for File Explorer and Internet Explorer processes. For example, you can restrict acti
s for which they want restricting content obtained through restricted protocols to be prevented or allowed. If you enable this policy setting
plies to all processes which have opted in to the security restriction. If you enable this policy setting for a zone, this sets the list of protocol
plies to all processes which have opted in to the security restriction. If you enable this policy setting for a zone, this sets the list of protocol
plies to all processes which have opted in to the security restriction. If you enable this policy setting for a zone, this sets the list of protocol
plies to all processes which have opted in to the security restriction. If you enable this policy setting for a zone, this sets the list of protocol
plies to all processes which have opted in to the security restriction. If you enable this policy setting for a zone, this sets the list of protocol
Processes, for which the Notification bar is displayed by default). If you enable this policy setting, the Notification bar will be displayed for a
rer Processes. If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer processes. If you do not config
n bar is displayed by default). If you enable this policy setting and enter a Value of 1, the Notification bar is displayed. If you enter a Value o
cy setting, object reference is retained when navigating within or across domains in the Restricted Zone sites.
setting, an object reference is retained when navigating within or across domains for Internet Explorer processes. If you do not configure t
a Value of 1, references to objects are inaccessible after navigation. If you enter a Value of 0, references to objects are still accessible afte
he Local Machine security zone a prime target for malicious users. If you enable this policy setting, any zone can be protected from zone ele
curity zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. If you enab
ine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. This p
etting, the Web Browser Control will not block automatic prompting of ActiveX control installation for all processes.
locked for Internet Explorer processes. If you do not configure this policy setting, the user's preference will be used to determine whether
l installation is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setti
policy setting, the Web Browser Control will not block automatic prompting of file downloads that are not user initiated for all processes.
or Internet Explorer processes. If you do not configure this policy setting, the user's preference determines whether to prompt for file dow
non-initiated file downloads is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1
nd status bars. If you enable this policy setting, scripted windows are restricted for all processes. If you disable or do not configure this polic
nd status bars. If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processe
nd status bars. This policy setting allows administrators to define applications for which they want this security feature to be prevented or
splayed with its default settings, unless users customize it.
mand buttons are displayed: Show all text labels: All command buttons have only text. Show selective text: Some command buttons have on
bars submenu of the Tools menu in the Command bar in subsequent versions of Internet Explorer. If you enable this policy, the Customize
t, users can determine which toolbars are displayed in File Explorer and Internet Explorer. This policy can be used in coordination with the

nd bar is shown by default, and the user can choose to hide it.
by default, and the user can choose to hide it.
locked by default, but the user can unlock them through the shortcut menu of the Command bar.
the Address bar, and the user cannot move them. If you do not configure this policy setting, the Stop and Refresh buttons are next to the A

bars or Browser Helper Objects that are enabled or disabled via policy settings do not undergo this check. If you enable this policy setting,
ger (20 x 20 pixels). If you do not configure this policy setting, icons for command buttons are 16 x 16 pixels, and the user can make them b
ch providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created fr
uring shutdown (default behavior in Internet Explorer 9).
is policy setting, users won't receive enhanced suggestions while typing in the Address bar. In addition, users won't be able to change the
xplorer bars. ActiveX controls are referred to as plug-ins and are not part of this definition. If you enable this policy setting, newly installed
nable the Media Explorer Bar or do not configure it, users can show and hide the Media Explorer Bar. Administrators also have the ability to
ble or disable the blocking of attachments in options.
MSIE 7.0").
his option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button.

tes\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the General
anced page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Pa
et Explorer Maintenance under Admin Templates using group policy editor. If you disable or do not configure this policy setting, the user wi
contacts, if programs that perform these tasks are installed. This "Disable the Programs Page" policy (located in \User Configuration\Admin
ready been accepted. The "Disable the Content page" policy (located in \User Configuration\Administrative Templates\Windows Compone
ages. If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\Int
ernet Control Panel), you do not need to set this policy, because the "Disable the Connections page" policy removes the Connections tab f
ternet Explorer performs this check, it prompts the user to specify which browser to use as the default. This policy is intended for organiza
d in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to s
page policies. If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home pag
nguages in which the character set has been installed. If you set the "Disable the General page" policy (located in \User Configuration\Adm
isable the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Intern
ps, and placing Internet calls, if programs that perform these tasks are installed. The "Disable the Programs page" policy (located in \User C
Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Content tab from Internet Explorer in Con
ndows Components\Internet Explorer\Internet Control Panel), which removes the Ratings tab from Internet Explorer in Control Panel, tak
s policy setting, the user can add secondary home pages. Note: If the “Disable Changing Home Page Settings” policy is enabled, the us
users can change their cache settings. If you set the "Disable the General page" policy (located in \User Configuration\Administrative Temp
or Internet services. This policy is intended for administrators who want to maintain a consistent browser across an organization.
ser to export favorites, feeds and cookies to a file. If you enable this policy setting, the user will not be able to use the Import/Export Settin
on Wizard. If you disable this policy or do not configure it, users can change their connection settings by running the Internet Connection W
Components\Internet Explorer\Internet Control Panel), which removes the Programs tab from Internet Explorer in Control Panel, takes pre

manage the add-on through the Add-On Manager. If you disable or do not configure this policy setting, the appropriate controls in the Add-
bar contains menus that open lists of commands for printing, customizing Internet Explorer, copying and pasting text, managing favorites
n will be removed from the File menu in Address Book. If you disable this policy or do not configure it, users can set up and change identiti
this policy setting, users can choose whether to be notified that Internet Explorer is not the default web browser through the Tell me if Int
owed, so *.contoso.com is also valid. If you disable this or do not configure this policy setting, you will not be able to provide a default Pop-
printing, customizing Internet Explorer, copying and pasting text, managing favorites, and accessing Help. If you enable this policy setting,

gure this policy setting, the Internet Explorer Help menu is available to the user. The user can also use the Command bar and F1 to access
y setting, the user can bypass SmartScreen Filter warnings.

ble or do not configure this policy setting, the user can manage pop-ups by changing the filter level. You may also want to enable the "Prev
d in this scenario. • Open a new Internet Explorer window. If you disable or do not configure this policy setting, the user can configure
If you disable or do not configure this policy setting, the user can configure how new tabs are created by default.
y setting, Internet Explorer does not enumerate search providers for the Accelerators infrastructure. If Accelerators are turned on, users ca
rer process's Pop-Up Blocker settings by enabling the "Specify pop-up allow list" policy setting.
ut prompting the user. If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on SmartScreen
analysis, and the user is prompted to permit any data to be sent to Microsoft. If the feature is fully enabled, all website addresses that are
you do not configure this policy setting, the user can choose to participate in the CEIP.

Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is c
this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do no
F3 to search the Internet (from Internet Explorer) or the hard disk (from File Explorer). This policy is intended for situations in which admin
help administrators maintain consistent settings for searching across an organization.
sical memory. The default setting creates the optimal number of tab processes based on the operating system and amount of physical mem

r for permission to load an ActiveX control, and Internet Explorer loads the control if it passes all other internal security checks. If you disab
ser to disable add-ons and configure the threshold. If you enable this policy setting, users are not notified when the average time to load al

disable or do not configure this policy setting, Internet Explorer uses the user's setting for pop-up windows in tabbed browsing.
e for add-on management will be functional.

n the filter's allow list are sent automatically to Microsoft without prompting the user. If you disable or do not configure this policy setting,

aunched off screen will continue to be re-positioned onscreen. If you disable or do not configure this policy setting, the popup managemen

oints appear on the user interface for Internet Explorer, and the user cannot turn them off. If you do not configure this policy setting, the u
plete for web-address setting. If you do not configure this policy setting, a user will have the freedom to choose to turn the auto-complete

cy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.
es. The user cannot turn on logging. If you do not configure this policy setting, the user can change the logging settings.
off by default. The user can turn on or turn off the menu bar.
y setting, the entry points and functionality associated with this feature are turned off. If you do not configure this policy setting, the user c
e "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on
, unless specified by the user.
rs that are provided through first use of the browser.
rators that are provided through first use of the browser.

ed controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Expl
e it, this control will not be designated as administrator-approved. To specify how administrator-approved controls are handled for each s
ilable as an administrator approved control and can be run if the user specifies to run administrator-approved Active-X controls and plug-i
ct the check boxes for the controls that you want to designate as administrator-approved. To specify how administrator-approved controls
ck Enabled, and then select the check box for the control: -- MCSiMenu - enables Web authors to control the placement and appearance o
se controls will not be designated as administrator-approved. To specify how administrator-approved controls are handled for each securit
d as administrator-approved. To specify how administrator-approved controls are handled for each security zone, carry out the following s
d controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explo
ng steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Z
the controls that you want to designate as administrator-approved. To specify how administrator-approved controls are handled for each s
llowing steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Secu
1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and
ed. If you disable this policy setting, the user is prompted when a script that is running in any process on the computer attempts to perform
behavior is currently set to prompt, it will be bypassed and enabled. If you disable this policy setting, the user is prompted when a script th
policy setting is enabled, the processes configured in this policy setting take precedence over that policy setting. If you enable this policy se
n" policy, which prevents users from opening the browser in a new window by clicking the File menu, pointing to New, and then clicking W
ograms from their browsers.

w browser window from the File menu. Caution: This policy does not prevent users from opening a new browser window by right-clicking, a
ot prevent users from right-clicking a link on a Web page, and then clicking the Open or Open in New Window command. To prevent user
age (HTML) files or as text files, but graphics, scripts, and other elements are not saved. To display the Save Web Page dialog box, users cli
ents that are displayed or run from a Web Page, such as graphics, scripts, and linked files, but does not prevent users from saving the text
Microsoft Internet Explorer Help file.

If you disable this policy or do not configure it, users can manage their Favorites list. Note: If you enable this policy, users also cannot click
his policy or do not configure it, users can change their Internet settings from the browser Tools menu. Caution: This policy does not preven
ailable, and users will not see printers under the Devices charm. If you disable or do not configure this policy setting, the Print menu in Inte

olbars, which might be confusing for some beginning users.


ht-clicking a Web page to open the shortcut menu, and then clicking View Source. To prevent users from viewing the HTML source of a We
used. Additionally, the user cannot activate the feature by using the Compatibility View Settings dialog box. If you do not configure this pol

additional string appended). Additionally, all Standards Mode webpages appear in Internet Explorer 7 Standards Mode. This option result
user cannot change this behavior through the Compatibility View Settings dialog box. If you disable this policy setting, Internet Explorer us

wsing history on exit is turned off. If you do not configure this policy setting, it can be configured on the General tab in Internet Options. If t
in the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not dele
the Settings charm. If you disable or do not configure this policy setting, the user can access the Delete Browsing History dialog box. Starti
g. With at least Internet Explorer 11: This policy setting prevents users from deleting ActiveX Filtering data, Tracking Protection data, and D
"Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default.
load history when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is e
data when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effe
e. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default.
user clicks Delete. If you disable this policy setting, InPrivate Filtering data is deleted when the user clicks Delete. If you do not configure th
lete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default.
eserve temporary Internet files when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, th
, the user can choose whether to delete or preserve visited websites when he or she clicks Delete. If the "Prevent access to Delete Browsin
s and cookies.
\User Configuration\Administrative Templates\Windows Components\Internet Explorer\), because this policy removes the Advanced tab
nterface: "Disable Internet Connection Wizard", "Disable changing connection settings", "Prevent changing proxy settings", "Disable changing

nfiguration\Administrative Templates\Windows Components\Internet Explorer\), because this policy removes the General tab from the in

he interface: "Disable changing Messaging settings", "Disable changing Calendar and Contact settings", "Disable the Reset Web Settings featu
y removes the Security tab from the interface: "Security zones: Do not allow users to change policies", "Security zones: Do not allow users to

are converted to IDN format only for addresses that are not in the Intranet zone. 2) Unicode domain names are converted to IDN format
n change this behavior on the Internet Explorer Tools menu: Click Internet Options, click the Advanced tab, and then under International, s

rs will be prompted when non-Internet Explorer components would be installed. If you do not configure this policy setting, non-Internet Ex
omponents such as fonts will be automatically installed as necessary. If you disable this policy setting, users will be prompted when Web C
is policy setting, users can turn this behavior on or off, using Internet Explorer Advanced Internet Options settings. The default is on.
n invalid signature. If you do not configure this policy, users can choose to run or install files with an invalid signature.
e this policy setting, browser helper objects do not launch. If you do not configure this policy, Internet Explorer automatically launches any
ed or inPrivate Browsing mode is used. For at least Internet Explorer 11: If you disable this policy setting, Internet Explorer only sends the D
w versions when they are available. If you disable this policy setting, Internet Explorer does not check the Internet for new versions of the b
u disable this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. If you do not configure th
user computers. If you disable this policy setting, Internet Explorer will not check the digital signatures of executable programs or display
ll websites to run in Enhanced Protected Mode. Enhanced Protected Mode provides additional protection against malicious websites by us
net Explorer Settings.
encrypted pages containing secure (HTTPS) information to the cache. If you do not configure this policy, Internet Explorer will save encryp
Internet Files folder when all browser windows are closed. If you disable this policy setting, Internet Explorer will not delete the contents o
s, helping pages display more quickly. If you do not configure this policy setting, Internet Explorer will play animated pictures found in Web
pages display more quickly. If you enable this policy setting, Internet Explorer will play sounds found in Web content.
uickly. If you do not configure this policy setting, Internet Explorer will play videos found in Web content.
rendering engine.
The browser and server attempt to match each other's list of supported protocols and versions, and they select the most preferred ma
and content in the background. If you don't configure this policy setting, users can turn this behavior on or off, using Internet Explorer setti
an also choose to allow this information to be shared with the Web site in the future without being prompted. If you do not configure this
URLs that are in the Intranet zone. 3) Always encode query strings. If you disable or don't configure this policy setting, users can turn this
und. If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background. If y
Enhanced Protected Mode on 64-bit versions of Windows. If you disable this policy setting, Internet Explorer 11 will use 32-bit tab process
urned on. If you disable this policy setting, Caret Browsing is turned off. If you do not configure this policy setting, Caret Browsing support ca
d will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode. If you disable this policy setting, Enhance

onnections.
b of the Internet Options dialog box.
his option to start with the home page. If you disable this policy setting, Internet Explorer starts a new browsing session with the home pag
d caches on Website Data Settings will be unavailable to users. If you do not configure this policy setting, websites will be able to store app
ase and caches on Website Data Settings will be unavailable to users. If you do not configure this policy setting, websites will be able to sto
oup policy sets the maximum file storage limit for domains that are trusted by users. When you set this policy setting, you provide the cach
y setting. If you disable or do not configure this policy setting, Internet Explorer will use the default application cache expiration time limit f
application caches.
cy sets the maximum data storage limit for domains that are trusted by users. When you set this policy setting, you provide the cache limit
tting, Internet Explorer will allow the creation of application caches whose individual manifest file entries are less than or equal to the size
the resource limit as a number. The default is 1000 resources. If you enable this policy setting, Internet Explorer will allow the creation of
you can set the maximum storage limit for all application caches. The default is 1 GB. If you disable or do not configure this policy setting, In
etting, you can set the maximum storage limit for all indexed databases. The default is 4 GB. If you disable or do not configure this policy se
nfigure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Loc
typically be in the Internet Zone). If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone
o the Intranet Zone.
s choose whether sites which bypass the proxy server are mapped into the Intranet Zone.
nfigure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Loc
nfigure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Loc
nfigure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Loc
nfigure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Loc
nfigure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Loc
nfigure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Loc
nfigure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Loc
nfigure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Loc
e. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low
nfigure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Loc
are configured. If this policy setting is not configured, the user can choose whether or not to automatically detect the intranet through the
this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Inte
, a Notification bar notification does not appear when the user loads content from an intranet site that is being treated as though it is in th
oaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load
s on the restricted list. If you select Prompt from the drop-down box, the Notification bar will appear to allow control over questionable co
s policy setting, script code on pages in the zone can run automatically.
vailable. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script can perform a clipboard operation.
ing and pasting files from this zone. If you do not configure this policy setting, users can drag files or copy and paste files from this zone aut
setting, files can be downloaded from the zone.
cy setting, HTML fonts can be downloaded automatically.
items from this zone. If you do not configure this policy setting, users are queried to choose whether to install desktop items from this zon
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs. If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. If you disable this po
d for loading XPS files. If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files. If you enable this policy setting, video and animation can be played through older media players in specified zones. If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification b
tification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
e nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate. If you do not configure this policy setting, Inte
o create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer always checks with your antimalwar
etting, signed controls cannot be downloaded. If you do not configure this policy setting, users are queried whether to download controls s
olicy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls.
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. If you do not confi
marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
s policy setting, users cannot open windows and frames to access applications from different domains. If you do not configure this policy se
ty tab of the Internet Options dialog box. Filters are not rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins can run without user intervention.
gure this policy setting, script interaction can occur automatically without user intervention.
tting, scripts can access applets automatically without user intervention.
e the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High
hoose whether to allow information using HTML forms on pages in this zone to be submitted. If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior. If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned off by de

rotected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content. Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
are prevented from appearing.
y within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the poss
oaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load
s on the restricted list. If you select Prompt from the drop-down box, the Notification bar will appear to allow control over questionable co
s policy setting, script code on pages in the zone can run automatically.
vailable. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script can perform a clipboard operation.
ing and pasting files from this zone. If you do not configure this policy setting, users can drag files or copy and paste files from this zone aut
setting, files can be downloaded from the zone.
cy setting, HTML fonts can be downloaded automatically.
items from this zone. If you do not configure this policy setting, users are queried to choose whether to install desktop items from this zon
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs. If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. If you disable this po
d for loading XPS files. If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files. If you enable this policy setting, video and animation can be played through older media players in specified zones. If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

e nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate. If you do not configure this policy setting, Inte
o create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer won't check with your antimalware
etting, signed controls cannot be downloaded. If you do not configure this policy setting, users are queried whether to download controls s
olicy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls.
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. If you do not confi
marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
s policy setting, users cannot open windows and frames to access applications from different domains. If you do not configure this policy se
ty tab of the Internet Options dialog box. Filters are rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins can run without user intervention.
gure this policy setting, script interaction can occur automatically without user intervention.
tting, scripts can access applets automatically without user intervention.
e the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High
hoose whether to allow information using HTML forms on pages in this zone to be submitted. If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior. If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned on by def
rotected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content. Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
ed from appearing.
y within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the poss
oaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load
s on the restricted list. If you select Prompt from the drop-down box, the Notification bar will appear to allow control over questionable co
s policy setting, script code on pages in the zone can run automatically.
vailable. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script can perform a clipboard operation.
ing and pasting files from this zone. If you do not configure this policy setting, users can drag files or copy and paste files from this zone aut
setting, files can be downloaded from the zone.
cy setting, HTML fonts can be downloaded automatically.
items from this zone. If you do not configure this policy setting, users can install desktop items from this zone automatically.
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs. If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. If you disable this po
d for loading XPS files. If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files. If you enable this policy setting, video and animation can be played through older media players in specified zones. If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

e nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate. If you do not configure this policy setting, Inte
o create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer won't check with your antimalware
etting, signed controls cannot be downloaded. If you do not configure this policy setting, users can download signed controls without user i
olicy setting, users cannot run unsigned controls. If you do not configure this policy setting, users can run unsigned controls without user int
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. If you do not confi
marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
s policy setting, users cannot open windows and frames to access applications from different domains. If you do not configure this policy se
ty tab of the Internet Options dialog box. Filters are not rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins can run without user intervention.
gure this policy setting, script interaction can occur automatically without user intervention.
tting, scripts can access applets automatically without user intervention.
e the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High
hoose whether to allow information using HTML forms on pages in this zone to be submitted. If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior. If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned on by def

rotected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content. Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
ed from appearing.
y within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
op-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the possibly
oaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load
s policy setting, users are queried to choose whether to allow script code on pages in the Local Machine zone to run.
vailable. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script can perform a clipboard operation.
ing and pasting files from this zone. If you do not configure this policy setting, users can drag files or copy and paste files from this zone aut
setting, files can be downloaded from the zone.
cy setting, HTML fonts can be downloaded automatically.
items from this zone. If you do not configure this policy setting, users are queried to choose whether to install desktop items from this zon
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs. If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. If you disable this po
d for loading XPS files. If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files. If you enable this policy setting, video and animation can be played through older media players in specified zones. If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification b
tification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
e nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate. If you do not configure this policy setting, Inte
o create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer always checks with your antimalwar
etting, signed controls cannot be downloaded. If you do not configure this policy setting, users are queried whether to download controls s
olicy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls.
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. If you do not confi
marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
s policy setting, users cannot open windows and frames to access applications from different domains. If you do not configure this policy se
ty tab of the Internet Options dialog box. Filters are not rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins are prevented from running.
gure this policy setting, script interaction can occur automatically without user intervention.
tting, scripts can access applets automatically without user intervention.
e the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High
hoose whether to allow information using HTML forms on pages in this zone to be submitted. If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior. If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned off by de

rotected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content. Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
are prevented from appearing.
y within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
op-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the possibly
oaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load
s policy setting, users are queried to choose whether to allow script code on pages in the Local Machine zone to run.
vailable. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script can perform a clipboard operation.
ing and pasting files from this zone. If you do not configure this policy setting, users can drag files or copy and paste files from this zone aut
setting, files can be downloaded from the zone.
cy setting, HTML fonts can be downloaded automatically.
items from this zone. If you do not configure this policy setting, users are queried to choose whether to install desktop items from this zon
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs. If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. If you disable this po
d for loading XPS files. If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th
files. If you enable this policy setting, video and animation can be played through older media players in specified zones. If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification b
tification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
e nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate. If you do not configure this policy setting, Inte
o create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer always checks with your antimalwar
etting, signed controls cannot be downloaded. If you do not configure this policy setting, users are queried whether to download controls s
olicy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls.
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. If you do not confi
marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
s policy setting, users cannot open windows and frames to access applications from different domains. If you do not configure this policy se
ty tab of the Internet Options dialog box. Filters are rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins are prevented from running.
gure this policy setting, script interaction can occur automatically without user intervention.
tting, scripts can access applets automatically without user intervention.
e the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High
hoose whether to allow information using HTML forms on pages in this zone to be submitted. If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior. If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned off by de

rotected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content. Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
ed from appearing.
y within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
op-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the possibly
oaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load
s policy setting, users are queried to choose whether to allow script code on pages in the Local Machine zone to run.
vailable. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script can perform a clipboard operation.
ing and pasting files from this zone. If you do not configure this policy setting, users can drag files or copy and paste files from this zone aut
setting, files can be downloaded from the zone.
cy setting, HTML fonts can be downloaded automatically.
items from this zone. If you do not configure this policy setting, users can install desktop items from this zone automatically.
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs. If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. If you disable this po
d for loading XPS files. If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files. If you enable this policy setting, video and animation can be played through older media players in specified zones. If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification b
tification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
e nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate. If you do not configure this policy setting, Inte
o create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer won't check with your antimalware
etting, signed controls cannot be downloaded. If you do not configure this policy setting, users can download signed controls without user i
olicy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls.
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. If you do not confi
marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
s policy setting, users cannot open windows and frames to access applications from different domains. If you do not configure this policy se
ty tab of the Internet Options dialog box. Filters are not rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins are prevented from running.
gure this policy setting, script interaction can occur automatically without user intervention.
tting, scripts can access applets automatically without user intervention.
e the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High
hoose whether to allow information using HTML forms on pages in this zone to be submitted. If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior. If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned off by de

rotected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content. Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
ed from appearing.
y within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
op-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the possibly
oaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load
s policy setting, script code on pages in the zone is prevented from running.
vailable. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script cannot perform a clipboard operation.
ing and pasting files from this zone. If you do not configure this policy setting, users are queried to choose whether to drag or copy files fro
setting, files are prevented from being downloaded from the zone.
cy setting, users are queried whether to allow HTML fonts to download.
items from this zone. If you do not configure this policy setting, users are prevented from installing desktop items from this zone.
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs. If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. If you disable this po
d for loading XPS files. If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files. If you enable this policy setting, video and animation can be played through older media players in specified zones. If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification b
tification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
e nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate. If you do not configure this policy setting, Inte
o create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer always checks with your antimalwar
etting, signed controls cannot be downloaded. If you do not configure this policy setting, signed controls cannot be downloaded.
olicy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls.
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. If you do not confi
marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
mains. If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from differ
ty tab of the Internet Options dialog box. Filters are not rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins are prevented from running.
gure this policy setting, script interaction is prevented from occurring.
tting, scripts are prevented from accessing applets.
e the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High
hoose whether to allow information using HTML forms on pages in this zone to be submitted. If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior. If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned off by de

rotected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content. Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
are prevented from appearing.
y within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
op-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the possibly
oaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load
s policy setting, users are queried to choose whether to allow script code on pages in the Local Machine zone to run.
vailable. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script can perform a clipboard operation.
ing and pasting files from this zone. If you do not configure this policy setting, users can drag files or copy and paste files from this zone aut
setting, files can be downloaded from the zone.
cy setting, HTML fonts can be downloaded automatically.
items from this zone. If you do not configure this policy setting, users can install desktop items from this zone automatically.
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs. If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. If you disable this po
d for loading XPS files. If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files. If you enable this policy setting, video and animation can be played through older media players in specified zones. If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification b
tification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
e nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate. If you do not configure this policy setting, Inte
o create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer always checks with your antimalwar
etting, signed controls cannot be downloaded. If you do not configure this policy setting, users can download signed controls without user i
olicy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls.
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. If you do not confi
marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
s policy setting, users cannot open windows and frames to access applications from different domains. If you do not configure this policy se
ty tab of the Internet Options dialog box. Filters are rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins are prevented from running.
gure this policy setting, script interaction can occur automatically without user intervention.
tting, scripts can access applets automatically without user intervention.
e the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High
hoose whether to allow information using HTML forms on pages in this zone to be submitted. If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior. If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned off by de

rotected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content. Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
ed from appearing.
y within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
op-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the possibly
oaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load
en for protocols on the restricted list. If you select Prompt from the drop-down box, the Notification bar will appear to allow control over q
s policy setting, script code on pages in the zone is prevented from running.
vailable. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script cannot perform a clipboard operation.
ing and pasting files from this zone. If you do not configure this policy setting, users are queried to choose whether to drag or copy files fro
setting, files are prevented from being downloaded from the zone.
cy setting, users are queried whether to allow HTML fonts to download.
items from this zone. If you do not configure this policy setting, users are prevented from installing desktop items from this zone.
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs. If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. If you disable this po
d for loading XPS files. If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files. If you enable this policy setting, video and animation can be played through older media players in specified zones. If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification b
tification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
e nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate. If you do not configure this policy setting, Inte
o create an instance of the ActiveX control. If you don't configure this policy setting, Internet Explorer always checks with your antimalwar
etting, signed controls cannot be downloaded. If you do not configure this policy setting, signed controls cannot be downloaded.
olicy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls.
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form.If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form.If you do not confi
marked safe for scripting option.If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O.High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone.If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session.Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
mains.If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from differ
ty tab of the Internet Options dialog box. Filters are not rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components.If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins are prevented from running.
gure this policy setting, script interaction is prevented from occurring.
tting, scripts are prevented from accessing applets.
e the files open.If you disable this policy setting, these files do not open.If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.High
hoose whether to allow information using HTML forms on pages in this zone to be submitted.If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior.If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone.If you do not configure this policy setting, the first-run prompt is turned off by de

rotected Mode.If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content.Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
are prevented from appearing.
y within a Web page saved to disk.If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
op-down box, a warning is issued to the user that potentially risky navigation is about to occur.If you disable this policy setting, the possibly
oaded in the zone that uses MSXML or ADO to access data from another site in the zone.If you disable this policy setting, users cannot load
s on the restricted list. If you select Prompt from the drop-down box, the Notification bar will appear to allow control over questionable co
s policy setting, script code on pages in the zone can run automatically.
vailable.If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom secu
configure this policy setting, a script can perform a clipboard operation.
ing and pasting files from this zone.If you do not configure this policy setting, users can drag files or copy and paste files from this zone aut
setting, files can be downloaded from the zone.
cy setting, HTML fonts can be downloaded automatically.
items from this zone.If you do not configure this policy setting, users can install desktop items from this zone automatically.
The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XBAPs.If you disable this
er cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files.If you disable this po
d for loading XPS files.If you disable this policy setting, XPS files are not loaded inside Internet Explorer. The user cannot change this behav
a page containing an active Meta Refresh setting cannot be redirected to another Web page.If you do not configure this policy setting, a u
er-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.
ou disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.If you do not
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in F
Browser control is allowed only in the Local Machine and Intranet zones.
windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by th

files.If you enable this policy setting, video and animation can be played through older media players in specified zones.If you disable this
r can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.

not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

e nonsecure items?) and nonsecure content can be displayed.If the drop-down box is set to Prompt, the user will receive the security info
on" message when they connect to a Web site that has no certificate or only one certificate.If you do not configure this policy setting, Inte
o create an instance of the ActiveX control.If you don't configure this policy setting, Internet Explorer won't check with your antimalware
etting, signed controls cannot be downloaded.If you do not configure this policy setting, users can download signed controls without user i
olicy setting, users cannot run unsigned controls.If you do not configure this policy setting, users are queried to choose whether to allow th
annot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feat
form.If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form.If you do not confi
marked safe for scripting option.If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allo
and secure storage area on the client computer) and user-controlled file I/O.High Safety enables applets to run in their sandbox. Disable J
nload files from IFRAMEs on the pages in this zone.If you disable this policy setting, users are prevented from running applications and dow
the remainder of the session.Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user i
s policy setting, users cannot open windows and frames to access applications from different domains.If you do not configure this policy se
ty tab of the Internet Options dialog box. Filters are rendered by default in this zone.
, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.If you disable this policy setting,
net Explorer will prompt the user to determine whether to execute signed managed components.If you disable this policy setting, Internet
not configure this policy setting, controls and plug-ins can run without user intervention.
gure this policy setting, script interaction can occur automatically without user intervention.
tting, scripts can access applets automatically without user intervention.
e the files open.If you disable this policy setting, these files do not open.If you do not configure this policy setting, the user can configure h
fied of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.High
hoose whether to allow information using HTML forms on pages in this zone to be submitted.If you disable this policy setting, information
T Framework Setup is turned off. The user cannot change this behavior.If you disable this policy setting, .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone.If you do not configure this policy setting, the first-run prompt is turned on by def

rotected Mode.If you do not configure this policy setting, the user can turn on or turn off Protected Mode.
malicious content.Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious con
ed from appearing.
y within a Web page saved to disk.If you disable this policy setting, users cannot preserve information in the browser's history, in favorites
drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.If you disable this policy setting, the poss
correct the problem. The user cannot change this policy setting.If you disable this policy setting, when there is a problem connecting with
etting, the user can turn on or off page transitions.This feature only applies to versions of Internet Explorer up to and including Internet Ex
s policy setting, users can turn this behavior on or off, using Internet Explorer settings. The default is on.

t debugging.If you disable this policy setting, script debugging is turned off. The user cannot turn on script debugging.If you do not configu
ble this policy setting, the user is not shown script errors when a page does not appear properly because of problems with its scripting. The
oes not start automatically. The user can start the wizard manually.If you do not configure this policy setting, the user can decide whether
dia elements" setting on the Advanced tab in the Internet Options dialog box.
nge this policy setting. The "Turn off image display" policy setting must be disabled if this policy setting is enabled.If you disable this policy
matic image resizing.
that represents the image and then clicking Show Picture. The "Allow the display of image download placeholders" policy setting must be

his policy setting, the printing of background colors and images is turned off. The user cannot turn it on.If you do not configure this policy
tton. • Display the results in the main window: When the user searches on the Address bar, the list of search results is displayed in the
he user is directed to an external top result website determined by the search provider, if available.If you enable this policy setting, you can
able this policy setting, Internet Explorer is not started automatically to complete the signup process after the branding is complete for ISP
e for File Explorer is turned on. The user cannot turn it off.If you do not configure this policy setting, a user will have the freedom to turn o
estions will be turned on. Users will not be able to turn off URL Suggestions.If you do not configure this policy setting, URL Suggestions wil
e for providing relevant results in the Address bar. The user cannot change this setting.If you disable this policy setting, Internet Explorer u
ot turn it on.If you do not configure this policy setting, the user can turn on or turn off inline AutoComplete.By default, inline AutoComple

do not configure this policy setting, the user can specify the color of links already clicked.
do not configure this policy setting, the user can specify the color of links not yet clicked.

disable this policy setting, Internet Explorer allows sending the path portion of URLs as UTF-8. The user cannot change this policy setting.If
items from Microsoft's Active Desktop Gallery, to their desktop.If you disable this policy or do not configure it, users can add channels to t
cy or do not configure it, users can add new offline content schedules.This policy is intended for organizations that are concerned about s
elect a Web page, click the Properties button, and then click the Schedule tab.If you disable this policy, then Web pages can be updated on
users can view and subscribe to channels from the Channel bar interface.
en updated since the last time the user synchronized with or visited the page.If you disable this policy or do not configure it, content will n
ect a Web page, click the Properties button, and then click the Schedule tab.If you disable this policy or do not configure it, users can add,
then click the Properties button, no properties are displayed. Users do not receive an alert stating that the command is unavailable.If you
cord information about when their channel pages are viewed by users who are working offline.
lp administrators ensure that users' computers are being updated uniformly across their organization.Note: This policy does not prevent u
dimmed. To display the Make This Page Available Offline check box, users click the Tools menu, click Synchronize, and then click the Prope
rched for new information and downloaded.Caution: Although the Maximum Number of Offline Pages option determines how many level
nge is 3 through 30.If you enable this policy setting, the selected value is enforced.If you disable or do not configure this policy setting, the
range is 3 through 30.If you enable this policy setting, the selected value is enforced.If you disable or do not configure this policy setting, th
u disable this policy setting, toolbars and BHOs are loaded by default during an InPrivate Browsing session.If you do not configure this poli
ection is turned on.If you do not configure this policy setting, InPrivate Filtering data collection can be turned on or off on the Privacy tab in
e Browsing can be turned on or off through the registry.
Private Filtering data is not collected.If you disable this policy setting, InPrivate Filtering is available for use.If you do not configure this poli
nd Tracking Protection data is not collected.If you disable this policy setting, Tracking Protection is available for use.If you do not configure
elopers will not be able to depend on the reveal password button being displayed in any web form or web application.If you disable or do
erpreted as a failed URL.If you disable this policy setting, Data URI support is turned on.If you do not configure this policy setting, Data UR
whether add-ons not listed here are assumed to be denied.If you enable this policy setting, you can enter a list of add-ons to be allowed or
preferences and policy settings.If you disable or do not configure this policy setting, all processes will not respect add-on management use
ugh Group Policy. However, users can still use the Add-on Manager within Internet Explorer to manage add-ons not listed within the 'Add-
ou enable this policy setting and enter a Value of 1, the process entered will respect the add-on management user preferences and policy s
able this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless

Explorer before Internet Explorer 8, the default connection limit for HTTP 1.1 was 2.

server.If you enable this policy setting, websites cannot request data across domains by using the WebSocket object.If you disable or do no
by using the XDomainRequest object.If you disable or do not configure this policy setting, websites can request data across domains by usi
one for which Script and Binary Behaviors is set to 'admin-approved'. Behaviors must be entered in #package#behavior notation, e.g., #def
o not configure this policy setting, binary behaviors are allowed for all processes.
isable or do not configure this policy setting, Internet Explorer 9 does not install binaries signed by MD2 and MD4 signing technologies.
haviors are allowed for the File Explorer and Internet Explorer processes.If you do not configure this policy setting, binary behaviors are pr
tting and enter a Value of 1 binary behaviors are prevented. If you enter a Value of 0 binary behaviors are allowed. The Value Name is the
r renames the file by saving it in the Internet Explorer cache and changing its extension.If you enable this policy setting, Consistent Mime H
r renames the file by saving it in the Internet Explorer cache and changing its extension.If you enable this policy setting, Internet Explorer r
r renames the file by saving it in the Internet Explorer cache and changing its extension.This policy setting allows administrators to define a
as an attack vector to load malicious HTML code.If you enable this policy setting, the Local Machine zone security applies to all local files a
he Local Machine zone is used as an attack vector to load malicious HTML code.If you enable this policy setting, the Local Machine zone se
used as an attack vector to load malicious HTML code.If you enable this policy setting and enter a value of 1, Local Machine Zone security

e this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.
dangerous file types. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting

work for the File Explorer and Internet Explorer processes.If you do not configure this policy setting, the MK Protocol is prevented for File
tocol is allowed. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored.Do not enter the Internet Explorer proces
sable this policy setting, restricting content obtained through restricted protocols is prevented for all processes other than File Explorer or
r example, you can restrict active content from pages served over the http and https protocols by adding the value names http and https.I
f you enable this policy setting and enter a Value of 1, restricting content obtained through restricted protocols is allowed. If you enter a V
e, this sets the list of protocols to be restricted if that zone is set to Prompt or Disable for "Allow active content over restricted protocols t
e, this sets the list of protocols to be restricted if that zone is set to Prompt or Disable for "Allow active content over restricted protocols t
e, this sets the list of protocols to be restricted if that zone is set to Prompt or Disable for "Allow active content over restricted protocols t
e, this sets the list of protocols to be restricted if that zone is set to Prompt or Disable for "Allow active content over restricted protocols t
e, this sets the list of protocols to be restricted if that zone is set to Prompt or Disable for "Allow active content over restricted protocols t
tion bar will be displayed for all processes.If you disable or do not configure this policy setting, the Notification bar will not be displayed fo
processes.If you do not configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes.
splayed. If you enter a Value of 0 the Notification bar is not displayed. The Value Name is the name of the executable. If a Value Name is e

esses.If you do not configure this policy setting, an object reference is no longer accessible when navigating within or across domains for I
objects are still accessible after navigation. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 o
an be protected from zone elevation for all processes.If you disable or do not configure this policy setting, processes other than Internet E
o security context.If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.If you dis
re is no security context.This policy setting allows administrators to define applications for which they want this security feature to be prev

e used to determine whether to block ActiveX control installations for Internet Explorer processes.
ue is not 0 or 1, the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Proce
ser initiated for all processes.
hether to prompt for file downloads that are not user initiated for Internet Explorer processes.
mpty or the Value is not 0 or 1, the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Intern
e or do not configure this policy setting, scripted windows are not restricted.
and Internet Explorer processes.If you disable this policy setting, scripts can continue to create popup windows and windows that obfusca
ty feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1, such windows may not be opened. If you ent

me command buttons have only text; some have icons and text.Show only icons: All command buttons have only icons.If you disable or do
ble this policy, the Customize option will be removed from the menu.If you disable this policy or do not configure it, users can customize w
used in coordination with the "Disable customizing browser toolbar buttons" policy, which prevents users from adding or removing toolba

fresh buttons are next to the Address bar by default, and the user can choose to move them.

you enable this policy setting, the toolbar upgrade tool does not check for incompatible toolbars. The user is not prompted, and incompati
and the user can make them bigger (20 x 20 pixels).
Note: This list can be created from a custom administrative template file. For information about creating this custom administrative templa

s won't be able to change the Suggestions setting on the Settings charm.If you don't configure this policy setting, users can change the Sug
policy setting, newly installed add-ons are automatically activated in the browser.If you disable or do not configure this policy setting, new
strators also have the ability to turn the auto-play feature on or off. This setting only applies if the Media Explorer Bar is enabled.If checke

ause the "Disable the General page" policy removes the General tab from the interface.
t Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the Advanced page" policy removes the Advan
this policy setting, the user will have the freedom to automatically configure these settings.
in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) takes precedence over
Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Content tab from Internet Explorer in Con
tes\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the General
emoves the Connections tab from the interface.
policy is intended for organizations that do not want users to determine which browser should be their default.The "Disable the Programs
ol Panel), you do not need to set this policy, because the "Disable the General page" policy removes the General tab from the interface.No
n choose their own home page.
d in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to s
nents\Internet Explorer\Internet Control Panel), you do not need to set this policy, because the "Disable the General page" policy removes
age" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), wh
b from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored.
Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored.
gs" policy is enabled, the user cannot add secondary home pages.
guration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to set this policy, b
oss an organization.
o use the Import/Export Settings wizard.If you disable or do not configure this policy setting, the user will be able to use the Import/Export
ng the Internet Connection Wizard.Note: This policy overlaps with the "Disable the Connections page" policy (located in \User Configurati
orer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored.

propriate controls in the Add-On Manager will be available to the user.


sting text, managing favorites, and accessing Help. The Command bar enables the user to access and manage favorites, feeds, shortcuts to
can set up and change identities.
wser through the Tell me if Internet Explorer is not the default web browser check box on the Programs tab in the Internet Options dialog
able to provide a default Pop-up Blocker exception list.Note: You can disable users from adding or removing websites to the exception list
you enable this policy setting, the menu bar is above the navigation bar. The user cannot interchange the positions of the menu bar and th

ommand bar and F1 to access Help.

also want to enable the "Prevent managing pop-up exception list" and "Turn off pop-up management" policy settings to prevent the user
etting, the user can configure how windows open when he or she clicks links from other applications.

erators are turned on, users can install search providers as Accelerators to include them on the Accelerator menu.

hether to turn on SmartScreen Filter during the first-run experience.


all website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user.If you disable or

regardless of which option is chosen.If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard th
fault providers installed do not appear (including providers installed from other applications). The only providers that appear are those in t
for situations in which administrators do not want users to explore the Internet or the hard disk.This policy can be used in coordination w

m and amount of physical memory. We recommend the default setting.The second algorithm must be explicitly enabled through the creati

nal security checks.If you disable or do not configure this policy setting, the ActiveX Opt-In prompt appears.
en the average time to load all the user's enabled add-ons exceeds the threshold.If you disable or do not configure this policy setting, user

n tabbed browsing.

ot configure this policy setting, the user is prompted to decide whether to turn on the SmartScreen Filter during the first-run experience.

etting, the popup management feature will be functional.

figure this policy setting, the user can turn on or turn off tabbed browsing.
ose to turn the auto-complete setting for web-addresses on or off.

e this policy setting, the user can turn on and turn off the Suggested Sites feature.
User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords.If you do not configure this

nfiguration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import th
ontrols are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer
ed Active-X controls and plug-ins under security zones. If you disable this policy or do not configure it, this control will not be designated as
ministrator-approved controls are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration
placement and appearance of Windows pop-up menus on Web pages-- Popup Menu Object - enables Web authors to add pop-up menus
s are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Main
zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security
figuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import th
urity. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3.
ontrols are handled for each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explore
Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settin
ouble-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select th
computer attempts to perform a Clipboard operation.If you do not configure this policy setting, current values of the URL action for the ap
is prompted when a script that is running in the Internet Explorer process attempts to perform a Clipboard operation.If you do not config
tting.If you enable this policy setting and enter a value of 1, prompts are bypassed. If you enter a value of 0, prompts are not bypassed. Val
ng to New, and then clicking Window.Note: When users click the Open in New Window command, the link will not open in a new window a

ser window by right-clicking, and then clicking the Open in New Window command. To prevent users from using the shortcut menu to ope
w command. To prevent users from opening Web pages by using the shortcut menu, set the "Disable Open in New Window menu option"
Web Page dialog box, users click the File menu, and then click the Save As command.If you disable this policy or do not configure it, users c
ent users from saving the text of a Web page.Caution: If you enable this policy, users are not prevented from saving Web content by pointi

policy, users also cannot click Synchronize on the Tools menu (in Internet Explorer 6) to manage their favorite links that are set up for offli
on: This policy does not prevent users from viewing and changing Internet settings by clicking the Internet Options icon in Windows Contro
setting, the Print menu in Internet Explorer will be available. Starting with Windows 8, the Print flyout for Internet Explorer will be availab

wing the HTML source of a Web page from the shortcut menu, set the "Turn off Shortcut Menu" policy, which disables the entire shortcut
f you do not configure this policy setting, the Microsoft-provided website lists are not active. The user can activate the feature by using the

dards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet stand
cy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Ad

eral tab in Internet Options.If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effect.
History List. Users cannot delete browsing history. If you disable or do not configure this policy setting, a user can set the number of days t
wsing History dialog box. Starting with Windows 8, users can click the Delete Browsing History button on the Settings charm.
acking Protection data, and Do Not Track exceptions stored for visited websites. This feature is available in the Delete Browsing History di

enabled, this policy setting is enabled by default.


, this policy setting has no effect.
ete.If you do not configure this policy setting, the user can choose whether to delete or preserve InPrivate Filtering data when he or she c
by default.
ry" policy setting is enabled, this policy setting is enabled by default.
event access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default.

icy removes the Advanced tab from the interface.


xy settings" "Disable changing Automatic Configuration settings"

es the General tab from the interface: "Disable changing home page settings" "Disable changing Temporary Internet files settings" "Disable c

e the Reset Web Settings feature" "Disable changing default browser check"


y zones: Do not allow users to add/delete sites"

s are converted to IDN format only for addresses that are in the Intranet zone. 3) Unicode domain names are always converted to IDN fo
nd then under International, select the "Use UTF-8 for mailto links" check box.

policy setting, non-Internet Explorer components will be automatically installed as necessary.


will be prompted when Web Components such as fonts would be downloaded.If you do not configure this policy, users will be prompted w
ttings. The default is on.

er automatically launches any browser helper objects that are installed on the user's computer.
rnet Explorer only sends the Do Not Track header if inPrivate Browsing mode is used.If you don't configure the policy setting, users can sel
ernet for new versions of the browser, so does not prompt users to install them.If you do not configure this policy setting, Internet Explore
ked.If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked.
ecutable programs or display their identities before downloading them to user computers.If you do not configure this policy, Internet Expl
ainst malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced P

ernet Explorer will save encrypted pages containing secure (HTTPS) information to the cache.
will not delete the contents of the user's Temporary Internet Files folder when browser windows are closed.If you do not configure this p
imated pictures found in Web content.

select the most preferred match.If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by us
off, using Internet Explorer settings. This feature is turned on by default
d.If you do not configure this policy setting, a user will have the freedom to accept requests from Web sites for Profile Assistant informatio
licy setting, users can turn this behavior on or off, using Internet Explorer Advanced Options settings. The default is to encode all query str
aded into the background.If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.
r 11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.If you don't configure this pol
tting, Caret Browsing support can be turned on or off through the registry.
ble this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Pro
ng session with the home page. Users cannot change this option to start with the tabs from the last browsing session.If you do not configu
bsites will be able to store application caches on client computers. Allow website database and caches on Website Data Settings will be ava
g, websites will be able to store an indexed database on client computers. Allow website database and caches on Website Data Settings w
y setting, you provide the cache limit, in MB. The default is 50 MB.If you enable this policy setting, Internet Explorer will allow trusted dom
n cache expiration time limit for all application caches. The default is 30 days.

ng, you provide the cache limit, in MB. The default is 500 MB.If you enable this policy setting, Internet Explorer will allow trusted domains
e less than or equal to the size set in this policy setting.If you disable or do not configure this policy setting, Internet Explorer will use the d
orer will allow the creation of application caches whose manifest file contains the number of resources, including the page that referenced
configure this policy setting, Internet Explorer will use the default maximum storage limit for all application caches. The default is 1 GB.
do not configure this policy setting, Internet Explorer will use the default maximum storage limit for all indexed databases. The default is
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
cal sites into the Intranet Zone.

rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
s are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zo
rity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equival
tect the intranet through the intranet settings dialog in Control Panel.
the Advanced page in the Internet Control panel).
ng treated as though it is in the Internet zone.If this policy setting is not configured, a Notification bar notification appears for intranet con
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not confi
w control over questionable content accessed over any restricted protocols; content over other protocols is unaffected.If you disable this

e implemented a custom security manager.If you do not configure this policy setting, binary and script behaviors are available.

d paste files from this zone automatically.

all desktop items from this zone.


ding XBAPs.If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you do
AML files.If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If you d
user cannot change this behavior.If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web

arch Connectors.If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z
n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure this

cified zones.If you disable this policy setting, video and animation cannot be played through older media players.If you do not configure th

can click on the Notification bar to allow the ActiveX control prompt.
ownload prompt.
er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.If yo
nfigure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has
s checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or o
hether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
unsigned controls.
erent windows. Users cannot change this setting.In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process.If you do not configure this policy setting, the MIME Sniffing Safety Featu
HTML form.If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running.If you disable this policy setting, Java applets cannot run.If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting, users are q
s in other zones. After a user is queried, these values can be used silently for the remainder of the session.Automatic logon with current u
do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

you disable this policy setting, Internet Explorer will not execute unsigned managed components.If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components.If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers.High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned off by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.If you do not configure this policy setting, user
le this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set b
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not confi
w control over questionable content accessed over any restricted protocols; content over other protocols is unaffected.If you disable this

e implemented a custom security manager.If you do not configure this policy setting, binary and script behaviors are available.

d paste files from this zone automatically.


all desktop items from this zone.
ding XBAPs.If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you do
AML files.If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If you d
user cannot change this behavior.If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web

arch Connectors.If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure this

cified zones.If you disable this policy setting, video and animation cannot be played through older media players.If you do not configure th

do not have installed.

er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.If yo
nfigure this policy setting, Internet Explorer does not prompt users with a "Client Authentication" message when they connect to a Web sit
check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off,
hether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
unsigned controls.
erent windows. Users cannot change this setting.In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process.If you do not configure this policy setting, the MIME Sniffing Safety Featu
HTML form.If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running.If you disable this policy setting, Java applets cannot run.If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting, users are q
s in other zones. After a user is queried, these values can be used silently for the remainder of the session.Automatic logon with current u
do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

you disable this policy setting, Internet Explorer will not execute unsigned managed components.If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components.If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers.High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned on by default.
s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.If you do not configure this policy setting, user
le this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set b
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not confi
w control over questionable content accessed over any restricted protocols; content over other protocols is unaffected.If you disable this

e implemented a custom security manager.If you do not configure this policy setting, binary and script behaviors are available.

d paste files from this zone automatically.

e automatically.
ding XBAPs.If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you do
AML files.If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If you d
user cannot change this behavior.If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web

arch Connectors.If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure this

cified zones.If you disable this policy setting, video and animation cannot be played through older media players.If you do not configure th

do not have installed.

er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.If yo
nfigure this policy setting, Internet Explorer does not prompt users with a "Client Authentication" message when they connect to a Web sit
check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off,
signed controls without user intervention.
gned controls without user intervention.
erent windows. Users cannot change this setting.In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process.If you do not configure this policy setting, the MIME Sniffing Safety Featu
HTML form.If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running.If you disable this policy setting, Java applets cannot run.If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting, users can r
s in other zones. After a user is queried, these values can be used silently for the remainder of the session.Automatic logon with current u
do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.
you disable this policy setting, Internet Explorer will not execute unsigned managed components.If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components.If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers.High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned on by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.If you do not configure this policy setting, user
this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by P
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not confi

e implemented a custom security manager.If you do not configure this policy setting, only behaviors listed in the Admin-approved Behavio

d paste files from this zone automatically.

all desktop items from this zone.


ding XBAPs.If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you do
AML files.If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If you d
user cannot change this behavior.If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web

arch Connectors.If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure this

cified zones.If you disable this policy setting, video and animation cannot be played through older media players.If you do not configure th

can click on the Notification bar to allow the ActiveX control prompt.
ownload prompt.
er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.If yo
nfigure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has
s checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or o
hether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
unsigned controls.
erent windows. Users cannot change this setting.In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process.If you do not configure this policy setting, the actions that may be harmfu
HTML form.If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running.If you disable this policy setting, Java applets cannot run.If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting, users are q
s in other zones. After a user is queried, these values can be used silently for the remainder of the session.Automatic logon with current u
do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

you disable this policy setting, Internet Explorer will not execute unsigned managed components.If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components.If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers.High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned off by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.If you do not configure this policy setting, user
this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by P
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not confi

e implemented a custom security manager.If you do not configure this policy setting, only behaviors listed in the Admin-approved Behavio

d paste files from this zone automatically.

all desktop items from this zone.


ding XBAPs.If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you do
AML files.If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If you d
user cannot change this behavior.If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web

arch Connectors.If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure this
cified zones.If you disable this policy setting, video and animation cannot be played through older media players.If you do not configure th

can click on the Notification bar to allow the ActiveX control prompt.
ownload prompt.
er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.If yo
nfigure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has
s checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or o
hether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
unsigned controls.
erent windows. Users cannot change this setting.In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process.If you do not configure this policy setting, the actions that may be harmfu
HTML form.If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running.If you disable this policy setting, Java applets cannot run.If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting, users are q
s in other zones. After a user is queried, these values can be used silently for the remainder of the session.Automatic logon with current u
do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

you disable this policy setting, Internet Explorer will not execute unsigned managed components.If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components.If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers.High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned off by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.If you do not configure this policy setting, user
this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by P
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not confi

e implemented a custom security manager.If you do not configure this policy setting, only behaviors listed in the Admin-approved Behavio

d paste files from this zone automatically.

e automatically.
ding XBAPs.If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you do
AML files.If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If you d
user cannot change this behavior.If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web

arch Connectors.If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure this

cified zones.If you disable this policy setting, video and animation cannot be played through older media players.If you do not configure th

can click on the Notification bar to allow the ActiveX control prompt.
ownload prompt.
er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.If yo
nfigure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has
check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off,
signed controls without user intervention.
unsigned controls.
erent windows. Users cannot change this setting.In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process.If you do not configure this policy setting, the actions that may be harmfu
HTML form.If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running.If you disable this policy setting, Java applets cannot run.If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting, users can r
s in other zones. After a user is queried, these values can be used silently for the remainder of the session.Automatic logon with current u
do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

you disable this policy setting, Internet Explorer will not execute unsigned managed components.If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components.If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers.High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned off by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.If you do not configure this policy setting, user
this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by P
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not confi

e implemented a custom security manager.If you do not configure this policy setting, binary and script behaviors are not available unless a

hether to drag or copy files from this zone.

tems from this zone.


ding XBAPs.If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you do
AML files.If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If you d
user cannot change this behavior.If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another W

arch Connectors.If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure this

cified zones.If you disable this policy setting, video and animation cannot be played through older media players.If you do not configure th

can click on the Notification bar to allow the ActiveX control prompt.
ownload prompt.
er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.If yo
nfigure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has
s checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or o
ot be downloaded.
unsigned controls.
erent windows. Users cannot change this setting.In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process.If you do not configure this policy setting, the actions that may be harmfu
HTML form.If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running.If you disable this policy setting, Java applets cannot run.If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting, users are p
s in other zones. After a user is queried, these values can be used silently for the remainder of the session.Automatic logon with current u
access applications from different domains.If you do not configure this policy setting, users cannot open other windows and frames from d

you disable this policy setting, Internet Explorer will not execute unsigned managed components.If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components.If you do not configure this policy setting, Internet E
tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers.High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned off by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.If you do not configure this policy setting, user
this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by P
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not confi

e implemented a custom security manager.If you do not configure this policy setting, only behaviors listed in the Admin-approved Behavio

d paste files from this zone automatically.

e automatically.
ding XBAPs.If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you do
AML files.If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If you d
user cannot change this behavior.If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web

arch Connectors.If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure this

cified zones.If you disable this policy setting, video and animation cannot be played through older media players.If you do not configure th

can click on the Notification bar to allow the ActiveX control prompt.
ownload prompt.
er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.If yo
nfigure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has
s checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or o
signed controls without user intervention.
unsigned controls.
erent windows. Users cannot change this setting.In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process.If you do not configure this policy setting, the actions that may be harmfu
HTML form.If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running.If you disable this policy setting, Java applets cannot run.If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting, users can r
s in other zones. After a user is queried, these values can be used silently for the remainder of the session.Automatic logon with current u
do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

you disable this policy setting, Internet Explorer will not execute unsigned managed components.If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components.If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers.High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned off by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.If you do not configure this policy setting, user
this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by P
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not confi
appear to allow control over questionable content accessed over any restricted protocols; content over other protocols is unaffected.If yo

e implemented a custom security manager.If you do not configure this policy setting, binary and script behaviors are not available unless a

hether to drag or copy files from this zone.

tems from this zone.


ding XBAPs.If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you do
AML files.If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If you d
user cannot change this behavior.If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another W

arch Connectors.If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure this

cified zones.If you disable this policy setting, video and animation cannot be played through older media players.If you do not configure th

can click on the Notification bar to allow the ActiveX control prompt.
ownload prompt.
er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.If yo
nfigure this policy setting, Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has
s checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or o
ot be downloaded.
unsigned controls.
erent windows. Users cannot change this setting.In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process.If you do not configure this policy setting, the actions that may be harmfu
HTML form.If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running.If you disable this policy setting, Java applets cannot run.If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting, users are p
s in other zones. After a user is queried, these values can be used silently for the remainder of the session.Automatic logon with current u
access applications from different domains.If you do not configure this policy setting, users cannot open other windows and frames from d

you disable this policy setting, Internet Explorer will not execute unsigned managed components.If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components.If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers.High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned off by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.If you do not configure this policy setting, user
this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by P
olicy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not confi
w control over questionable content accessed over any restricted protocols; content over other protocols is unaffected.If you disable this

e implemented a custom security manager.If you do not configure this policy setting, binary and script behaviors are available.

d paste files from this zone automatically.

e automatically.
ding XBAPs.If you disable this policy setting, XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you do
AML files.If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If you d
user cannot change this behavior.If you do not configure this policy setting, the user can decide whether to load XPS files inside Internet E
onfigure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web
arch Connectors.If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet z

n in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure this

cified zones.If you disable this policy setting, video and animation cannot be played through older media players.If you do not configure th

do not have installed.

er will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.If yo
nfigure this policy setting, Internet Explorer does not prompt users with a "Client Authentication" message when they connect to a Web sit
check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off,
signed controls without user intervention.
to choose whether to allow the unsigned control to run.
erent windows. Users cannot change this setting.In Internet Explorer 10, if you disable this policy setting or do not configure it, users cann
window. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10, if you disable this policy setting or do not
s zone, as dictated by the feature control setting for the process.If you do not configure this policy setting, the MIME Sniffing Safety Featu
HTML form.If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a
rs are queried whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting, ActiveX controls tha
run in their sandbox. Disable Java to prevent any applets from running.If you disable this policy setting, Java applets cannot run.If you do n
m running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting, users can r
s in other zones. After a user is queried, these values can be used silently for the remainder of the session.Automatic logon with current u
do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

you disable this policy setting, Internet Explorer will not execute unsigned managed components.If you do not configure this policy setting
ble this policy setting, Internet Explorer will not execute signed managed components.If you do not configure this policy setting, Internet E

tting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in th
led on) users' computers.High safety to prevent users from being notified of software updates by e-mail, software packages from being au
his policy setting, information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this polic
Framework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting, .NET Framework Setup is
un prompt is turned on by default.

s in this zone for malicious content.

browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.If you do not configure this policy setting, user
le this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set b
is a problem connecting with an Internet server, the user sees a detailed description with hints about how to correct the problem. The use
up to and including Internet Explorer 8.

ebugging.If you do not configure this policy setting, the user can turn on or turn off script debugging.
roblems with its scripting. The user cannot change this policy setting.If you do not configure this policy setting, the user can turn on or tur
g, the user can decide whether the Internet Connection Wizard should start automatically.

abled.If you disable this policy setting, placeholders will not appear for graphical images while the images are downloading. The user cann

olders" policy setting must be disabled if this policy setting is enabled.If you disable this policy setting, images appear. The user cannot turn

u do not configure this policy setting, the user can turn on or turn off the printing of background colors and images.
arch results is displayed in the main window.If you disable or do not configure this policy setting, the user can specify what action applies
able this policy setting, you can choose where to direct the user after a search on the Address bar: a top-result website or a search-results
e branding is complete for ISPs (IEAK). The user cannot change this behavior.If you do not configure this policy setting, the user can decide
will have the freedom to turn on or off Inline AutoComplete for File Explorer.
y setting, URL Suggestions will be turned on. Users will be able to turn on or turn off URL Suggestions in the Internet Options dialog. By de
icy setting, Internet Explorer uses Windows Search AutoComplete to provide relevant results in the Address bar. The user cannot change t
By default, inline AutoComplete is turned off for Windows Vista, Windows 7, Internet Explorer 7, and Internet Explorer 8. By default, inline

ot change this policy setting.If you do not configure this policy setting, the user can allow or prevent the sending of the path portion of URL
it, users can add channels to the Channel bar or to their desktop.Note: Most channel providers use the words Add Active Channel for this
ns that are concerned about server load for downloading content.The "Hide Favorites menu" policy (located in User Configuration\Admini
Web pages can be updated on the schedules specified on the Schedule tab.This policy is intended for organizations that are concerned ab

not configure it, content will not be prevented from being downloaded.The "Disable downloading of site subscription content" policy and
ot configure it, users can add, remove, and edit schedules for Web sites and groups of Web sites.The "Disable editing schedules for offline
ommand is unavailable.If you disable this policy or do not configure it, users can edit an existing schedule for downloading Web content f

This policy does not prevent users from removing active content from the desktop interface.
onize, and then click the Properties button.If you disable this policy or do not configure it, users can remove the preconfigured settings for
n determines how many levels of a Web site are searched for new information, it does not change the user interface in the Offline Favorit
onfigure this policy setting, the user can establish the InPrivate Filtering threshold by clicking the Safety button and then clicking InPrivate F
configure this policy setting, the user can establish the Tracking Protection threshold by clicking the Safety button and then clicking Trackin
you do not configure this policy setting, it can be configured on the Privacy tab in Internet Options.
d on or off on the Privacy tab in Internet Options.

you do not configure this policy setting, it can be configured through the registry.
for use.If you do not configure this policy setting, it can be configured through the registry.
pplication.If you disable or do not configure this policy setting, the reveal password button can be shown by the application as a user types
re this policy setting, Data URI support can be turned on or off through the registry.
st of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information: Name o
spect add-on management user preferences or policy settings.
ons not listed within the 'Add-on List' policy setting. This policy setting effectively removes this option from users - all add-ons are assumed
t user preferences and policy settings. If you enter a Value of 0, the add-on management user preferences and policy settings are ignored
and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings. If you disable, or do not configure this policy setting,

t object.If you disable or do not configure this policy setting, websites can request data across domains by using the WebSocket object. By
est data across domains by using the XDomainRequest object.
#behavior notation, e.g., #default#vml.If you disable this policy setting, no behaviors will be allowed in zones set to 'admin-approved', just

MD4 signing technologies.


etting, binary behaviors are prevented for the File Explorer and Internet Explorer processes.
owed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored.Do
icy setting, Consistent Mime Handling is enabled for all processes.If you disable or do not configure this policy setting, Consistent Mime Ha
icy setting, Internet Explorer requires consistent MIME data for all received files.If you disable this policy setting, Internet Explorer will not
ows administrators to define applications for which they want this security feature to be prevented or allowed.If you enable this policy setti
urity applies to all local files and content processed by any process other than Internet Explorer or those defined in a process list.If you dis
tting, the Local Machine zone security applies to all local files and content processed by Internet Explorer.If you disable this policy setting, Lo
, Local Machine Zone security applies. If you enter a value of 0, Local Machine Zone security does not apply. If a Value Name is empty or th

s not 0 or 1, the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Process

Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.
r the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All P
ses other than File Explorer or Internet Explorer.If you do not configure this policy setting, no policy is enforced for processes other than F
e value names http and https.If you disable this policy setting, restricting content obtained through restricted protocols is prevented for Fil
ols is allowed. If you enter a Value of 0, restricting content obtained through restricted protocols is blocked. The Value Name is the name
ent over restricted protocols to access my computer."If you disable or do not configure this policy setting for a zone, no protocols are restr
ent over restricted protocols to access my computer."If you disable or do not configure this policy setting for a zone, no protocols are restr
ent over restricted protocols to access my computer."If you disable or do not configure this policy setting for a zone, no protocols are restr
ent over restricted protocols to access my computer."If you disable or do not configure this policy setting for a zone, no protocols are restr
ent over restricted protocols to access my computer."If you disable or do not configure this policy setting for a zone, no protocols are restr
on bar will not be displayed for all processes other than Internet Explorer or those listed in the Process List.
rer Processes.
ecutable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored.Do not enter the Internet Explorer processes in t

within or across domains for Internet Explorer processes.


s empty or the Value is not 0 or 1, the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Inte
rocesses other than Internet Explorer or those listed in the Process List receive no such protection.
et Explorer processes.If you disable this policy setting, no zone receives such protection for Internet Explorer processes.If you do not config
this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1, elevation to more privileged zones

elated Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes con

this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, th

ws and windows that obfuscate other windows.If you do not configure this policy setting, popup windows and other restrictions apply for
may not be opened. If you enter a Value of 0, windows have none of these restrictions. The Value Name is the name of the executable. If a

only icons.If you disable or do not configure this policy setting, the command buttons show selective text by default, and the user can cha
figure it, users can customize which buttons appear on the Internet Explorer and File Explorer toolbars.This policy can be used in coordinati
om adding or removing toolbars from Internet Explorer.

not prompted, and incompatible toolbars run unless previously disabled through policy settings or user choice.If you disable or do not con
custom administrative template file, see the Internet Explorer documentation on search providers.If you disable or do not configure this p

tting, users can change the Suggestions setting on the Settings charm.
nfigure this policy setting, newly installed add-ons are not automatically activated in the browser. Internet Explorer notifies the user when
plorer Bar is enabled.If checked, the Media Explorer Bar will automatically display and play the media content when the user clicks on a me

ge" policy removes the Advanced tab from the interface.

Panel) takes precedence over this policy. If it is enabled, this policy is ignored.
from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored.Caution: If you enable this
ause the "Disable the General page" policy removes the General tab from the interface.Note: The default Web page colors are ignored on

ult.The "Disable the Programs page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Exp
eral tab from the interface.Note: The default font settings colors are ignored in cases in which the Web page author has specified the font

ol Panel), you do not need to set this policy, because the "Disable the General page" policy removes the General tab from the interface.
General page" policy removes the General tab from the interface.Note: The default link colors are ignored on Web pages on which the au
er\Internet Control Panel), which removes the Programs tab from Internet Explorer in Control Panel, takes precedence over this policy. If

o not need to set this policy, because the "Disable the General page" policy removes the General tab from the interface.

able to use the Import/Export Settings wizard.


y (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which remo

e favorites, feeds, shortcuts to home page, and more. Full-screen mode disables not only these three bars, but also the shortcuts to these

in the Internet Options dialog box. Note that starting with Internet Explorer 10 on Windows 8, the check box is located on the Advanced t
websites to the exception list by enabling "Turn off Managing Pop-up Allow list" policy.
ositions of the menu bar and the navigation bar.If you disable this policy setting, the menu bar is below the navigation bar. The user canno

y settings to prevent the user from configuring pop-up behavior.


pting the user. If you disable or do not configure this policy setting, the user is prompted to decide the mode of operation for the phishing fi

may run the First Run wizard the first time the browser is started after installation.
ders that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative tem
can be used in coordination with the "File Menu: Disable Open menu option" policy (located in \User Configuration\Administrative Templ

itly enabled through the creation of an integer setting. In this case, each Internet Explorer isolation setting will quickly grow to use the spe

nfigure this policy setting, users are notified when the average time to load all the user's enabled add-ons exceeds the threshold. This is th

ing the first-run experience.

ds. If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and t

ontent Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you wa
uration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the C
ntrol will not be designated as administrator-approved.
Policy, click User Configuration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Rati
authors to add pop-up menus to Web pages. To specify how administrator-approved controls are handled for each security zone, carry out
n, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Curren
enance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones Settings, and th
ontent Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you wan
d then click Modify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the
uration, click Internet Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the C
s, and then click Modify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4.
ck Modify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run Ac
es of the URL action for the application or process on the computer prevail.
operation. If you do not configure this policy setting, current values of the URL action for the Internet Explorer process prevail.
prompts are not bypassed. Value Name is the name of the executable file. If Value Name is empty or the value is not 0 or 1, the policy setti
ill not open in a new window and they will be informed that the command is not available.

sing the shortcut menu to open new browser windows, you should also set the "Disable Open in New Window menu option" policy, which
in New Window menu option" policy, which disables this command on the shortcut menu, or the "Turn off Shortcut Menu" policy, which d
y or do not configure it, users can save all elements on a Web page. The "File menu: Disable Save As... menu option" policy, which removes
m saving Web content by pointing to a link on a Web page, clicking the right mouse button, and then clicking Save Target As.

te links that are set up for offline viewing.


ptions icon in Windows Control Panel. Also, see policies for Internet options in the \Administrative Templates\Windows Components\Inter
ternet Explorer will be available, and users will see installed printers under the Devices charm.

ch disables the entire shortcut menu.


tivate the feature by using the Compatibility View Settings dialog box.

tten to common Internet standards may be displayed incorrectly. If you disable this policy setting, Internet Explorer uses a current user age
) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user

olicy setting has no effect.


r can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history.
Settings charm.
he Delete Browsing History dialog box. If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is pres
iltering data when he or she clicks Delete.

ternet files settings" "Disable changing history settings" "Disable changing color settings" "Disable changing link color settings" "Disable chan

are always converted to IDN format. If you disable or do not configure this policy setting, the user can control this setting by using Advance

olicy, users will be prompted when Web Components such as fonts would be downloaded.

he policy setting, users can select the Always send Do Not Track header option, in Internet Explorer settings. By selecting this option, Intern
policy setting, Internet Explorer does not check the Internet for new versions of the browser, so does not prompt users to install them.
y have been revoked.
figure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloadi
least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. W

d. If you do not configure this policy, Internet Explorer will not delete the contents of the Temporary Internet Files folder when browser win

ate an encryption tunnel by using the encryption methods that you select from the drop-down list. If you disable or do not configure this p

for Profile Assistant information.


fault is to encode all query strings in UTF-8.
Settings charm.
If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by

led will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista. If you do not configure this policy, users w
g session. If you do not configure this policy setting, Internet Explorer starts with the home page. Users can change this option to start with
ebsite Data Settings will be available to users. Users can choose whether or not to allow websites to store data on their computers.
es on Website Data Settings will be available to users. Users can choose whether or not to allow websites to store data on their computer
Explorer will allow trusted domains to store additional files in application caches, up to the limit set in this policy setting. If you disable or do

er will allow trusted domains to store additional data in indexed databases, up to the limit set in this group policy. If you disable or do not
nternet Explorer will use the default application cache individual resource size for all application caches resources. The default is 50 MB.
uding the page that referenced the manifest, that are less than or equal to the limit set in this policy setting. If you disable or do not configu
caches. The default is 1 GB.
xed databases. The default is 4 GB.
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should

e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should
mplate), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings t
e in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should

cation appears for intranet content loaded on a browser on a computer that is not a domain member, until the user turns off the Notificati
in the zone. If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from a
unaffected. If you disable this policy setting, all attempts to access such content over the restricted protocols is blocked. If you do not confi

viors are available.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
be redirected to another Web page.

e using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z
ss. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that in

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
onnect to a Web site that has no certificate or only one certificate.
can turn this behavior on or off, using Internet Explorer Security settings.
lently downloaded.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he MIME Sniffing Safety Feature will not apply in this zone.
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, the permission is set to High Safety.
this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
lications from other domains.

ot configure this policy setting, Internet Explorer will execute unsigned managed components.
e this policy setting, Internet Explorer will execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, users are queried to choose whether to allow information using HTML forms on pages in this zone
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web pa
will be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, Web sites from le
in the zone. If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that u
unaffected. If you disable this policy setting, all attempts to access such content over the restricted protocols is blocked. If you do not confi

viors are available.


change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
be redirected to another Web page.

e using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the a

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
hen they connect to a Web site that has no certificate or only one certificate.
an turn this behavior on or off, using Internet Explorer Security settings.
lently downloaded.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he MIME Sniffing Safety Feature will not apply in this zone.
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, the permission is set to Medium Safety.
this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
lications from other domains.

ot configure this policy setting, Internet Explorer will execute unsigned managed components.
e this policy setting, Internet Explorer will execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically.
tting, .NET Framework Setup is turned on by default. The user can change this behavior.
nfigure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web pa
will be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, Web sites from le
in the zone. If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from ano
unaffected. If you disable this policy setting, all attempts to access such content over the restricted protocols is blocked. If you do not confi

viors are available.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
be redirected to another Web page.

e using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the a

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
hen they connect to a Web site that has no certificate or only one certificate.
an turn this behavior on or off, using Internet Explorer Security settings.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he MIME Sniffing Safety Feature will not apply in this zone.
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, the permission is set to Medium Safety.
this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
lications from other domains.
ot configure this policy setting, Internet Explorer will not execute unsigned managed components.
e this policy setting, Internet Explorer will not execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically.
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web pa
l be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, the possibly harmfu
in the zone. If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from a

n the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
be redirected to another Web page.

e using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that in

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
onnect to a Web site that has no certificate or only one certificate.
can turn this behavior on or off, using Internet Explorer Security settings.
lently downloaded.
do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, Java applets are disabled.
this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
lications from other domains.

ot configure this policy setting, Internet Explorer will not execute unsigned managed components.
e this policy setting, Internet Explorer will not execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, users are queried to choose whether to allow information using HTML forms on pages in this zone
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web pa
l be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, the possibly harmfu
in the zone. If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that u

n the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
be redirected to another Web page.

e using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that in
yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
onnect to a Web site that has no certificate or only one certificate.
can turn this behavior on or off, using Internet Explorer Security settings.
lently downloaded.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, Java applets are disabled.
this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
lications from other domains.

ot configure this policy setting, Internet Explorer will not execute unsigned managed components.
e this policy setting, Internet Explorer will not execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically.
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web pa
l be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, the possibly harmfu
in the zone. If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from ano

n the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
be redirected to another Web page.

e using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that in

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
onnect to a Web site that has no certificate or only one certificate.
an turn this behavior on or off, using Internet Explorer Security settings.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, Java applets are disabled.
this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
lications from other domains.

ot configure this policy setting, Internet Explorer will not execute unsigned managed components.
e this policy setting, Internet Explorer will not execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically.
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web pa
l be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, the possibly harmfu
in the zone. If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from a

viors are not available unless applications have implemented a custom security manager.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
not be redirected to another Web page.

zone using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that in

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
onnect to a Web site that has no certificate or only one certificate.
can turn this behavior on or off, using Internet Explorer Security settings.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, Java applets are disabled.
this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
er windows and frames from different domains or access applications from different domains.

ot configure this policy setting, Internet Explorer will not execute unsigned managed components.
e this policy setting, Internet Explorer will not execute signed managed components.
Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, users are queried to choose whether to allow information using HTML forms on pages in this zone
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a We
l be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, the possibly harmfu
in the zone. If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from ano

n the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
be redirected to another Web page.

e using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that in

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
onnect to a Web site that has no certificate or only one certificate.
can turn this behavior on or off, using Internet Explorer Security settings.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, Java applets are disabled.
this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
lications from other domains.

ot configure this policy setting, Internet Explorer will not execute unsigned managed components.
e this policy setting, Internet Explorer will not execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically.
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web pa
l be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, the possibly harmfu
in the zone. If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from a
er protocols is unaffected. If you disable this policy setting, all attempts to access such content over the restricted protocols is blocked. If yo

viors are not available unless applications have implemented a custom security manager.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
not be redirected to another Web page.

zone using Search Connectors.


ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that in

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.
nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
onnect to a Web site that has no certificate or only one certificate.
can turn this behavior on or off, using Internet Explorer Security settings.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, Java applets are disabled.
this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
er windows and frames from different domains or access applications from different domains.

ot configure this policy setting, Internet Explorer will not execute unsigned managed components.
e this policy setting, Internet Explorer will not execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, users are queried to choose whether to allow information using HTML forms on pages in this zone
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a We
l be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, the possibly harmfu
in the zone. If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from ano
unaffected. If you disable this policy setting, all attempts to access such content over the restricted protocols is blocked. If you do not confi

viors are available.

change this behavior. If you do not configure this policy setting, the user can decide whether to load XBAPs inside Internet Explorer.
t change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.
oad XPS files inside Internet Explorer.
be redirected to another Web page.
e using Search Connectors.
ng this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the z

ss. If you do not configure this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the a

yers. If you do not configure this policy setting, video and animation can be played through older media players in specified zones.

nsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content c
hen they connect to a Web site that has no certificate or only one certificate.
an turn this behavior on or off, using Internet Explorer Security settings.

do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different win
e this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destina
he MIME Sniffing Safety Feature will not apply in this zone.
when he or she is uploading a file via an HTML form. By default, path information is sent.
cy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting
applets cannot run. If you do not configure this policy setting, the permission is set to Low Safety.
this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
utomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM auth
lications from other domains.

ot configure this policy setting, Internet Explorer will execute unsigned managed components.
e this policy setting, Internet Explorer will execute signed managed components.

Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.
ftware packages from being automatically downloaded to users' computers, and software packages from being automatically installed on u
you do not configure this policy setting, information using HTML forms on pages in this zone can be submitted automatically.
tting, .NET Framework Setup is turned on by default. The user can change this behavior.

nfigure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web pa
will be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, a warning is issue
o correct the problem. The user cannot change this policy setting. If you do not configure this policy setting, the user can turn on or turn off

ng, the user can turn on or turn off the display of script errors.

e downloading. The user cannot change this policy setting. If you do not configure this policy setting, the user can allow or prevent the disp

s appear. The user cannot turn off image display. If you do not configure this policy setting, the user can turn on or turn off image display.

n specify what action applies to searches on the Address bar.


ult website or a search-results webpage in the main window. If you disable or do not configure this policy setting, the user can select their p
cy setting, the user can decide whether to start Internet Explorer automatically to complete the signup process after the branding is comp

Internet Options dialog. By default, URL Suggestions are turned on.


bar. The user cannot change this setting. If you do not configure this policy setting, the user can choose to turn the Use Windows Search se
et Explorer 8. By default, inline AutoComplete is turned on for Internet Explorer 9.

ding of the path portion of URLs as UTF-8.


ds Add Active Channel for this option; however, a few use different words, such as Subscribe.
in User Configuration\Administrative Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is enable
zations that are concerned about server load for downloading content. The "Hide Favorites menu" policy (located in User Configuration\Ad

bscription content" policy and the "Hide Favorites menu" policy (located in User Configuration\Administrative Templates\Windows Compo
e editing schedules for offline pages" policy and the "Hide Favorites menu" policy (located in User Configuration\Administrative Template
r downloading Web content for offline viewing. This policy is intended for organizations that are concerned about server load for downloa

the preconfigured settings for pages to be downloaded for offline viewing. This policy is intended for organizations that are concerned abo
interface in the Offline Favorites wizard. Note: The begin and end times for downloading are measured in minutes after midnight. The Max
on and then clicking InPrivate Filtering.
utton and then clicking Tracking Protection.

the application as a user types in a password. The reveal password button is visible by default. On at least Windows 8, if the "Do not displa

following information: Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in br

sers - all add-ons are assumed to be denied unless they are specifically allowed through the 'Add-on List' policy setting. If you enable this p
nd policy settings are ignored by the specified process. The Value Name is the name of the executable. If a Value Name is empty or the Val
ot configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate

sing the WebSocket object. By default, the WebSocket object is enabled.

s set to 'admin-approved', just as if those zones were set to 'disable'. If you do not configure this policy setting, only VML will be allowed in

e policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to en
cy setting, Consistent Mime Handling is prevented for all processes.
tting, Internet Explorer will not require consistent MIME data for all received files. If you do not configure this policy setting, Internet Explor
ed. If you enable this policy setting and enter a Value of 1, MIME handling is in effect. If you enter a Value of 0 file-type information is allow
fined in a process list. If you disable or do not configure this policy setting, Local Machine zone security is not applied to local files or conten
u disable this policy setting, Local Machine zone security is not applied to local files or content processed by Internet Explorer. If you do no
If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: us

ated Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes config

isable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If y
ced for processes other than File Explorer and Internet Explorer.
protocols is prevented for File Explorer and Internet Explorer processes. If you do not configure this policy setting, the policy setting is ign
The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not en
a zone, no protocols are restricted for that zone, regardless of the setting for "Allow active content over restricted protocols to access my
a zone, no protocols are restricted for that zone, regardless of the setting for "Allow active content over restricted protocols to access my
a zone, no protocols are restricted for that zone, regardless of the setting for "Allow active content over restricted protocols to access my
a zone, no protocols are restricted for that zone, regardless of the setting for "Allow active content over restricted protocols to access my
a zone, no protocols are restricted for that zone, regardless of the setting for "Allow active content over restricted protocols to access my

nternet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable for IE processes. If the All Proc

n this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled,

processes. If you do not configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.
ation to more privileged zones can be prevented. If you enter a Value of 0, elevation to any zone is allowed. The Value Name is the name o

is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the

ses policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this p

nd other restrictions apply for File Explorer and Internet Explorer processes.
he name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explo

y default, and the user can change this.


olicy can be used in coordination with the "Disable customizing browser toolbars" policy, which prevents users from determining which to

ce. If you disable or do not configure this policy setting, the toolbar upgrade tool checks for incompatible toolbars. The user can enable or
able or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such

xplorer notifies the user when newly installed add-ons are ready for use. The user must choose to activate them by responding to the noti
nt when the user clicks on a media link. If unchecked, the content will be played by the default media client on their system.

red. Caution: If you enable this policy, users can still run the Certificate Manager Import Wizard by double-clicking a software publishing ce
eb page colors are ignored on Web pages in which the author has specified the background and text colors.

ows Components\Internet Explorer\Internet Control Panel), which removes the Programs tab from Internet Explorer in Control Panel, take
e author has specified the font attributes.

eral tab from the interface.


n Web pages on which the author has specified link colors.
precedence over this policy. If it is enabled, this policy is ignored.

he interface.

et Control Panel), which removes the Connections tab from the interface. Removing the Connections tab from the interface, however, doe

but also the shortcuts to these bars. If you enable this policy setting, the navigation bar, the menu bar, and the Command bar are not visibl

x is located on the Advanced tab in the Internet Options dialog box. For more information, see "Group Policy Settings in Internet Explorer 1

avigation bar. The user cannot interchange the positions of the menu bar and the navigation bar. If you do not configure this policy setting
of operation for the phishing filter.

gh a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explore
uration\Administrative Templates\Windows Components\Internet Explorer\Browser Menus), which prevents users from opening files by

will quickly grow to use the specified integer number of tab processes, regardless of the physical memory on the computer or how many In

ceeds the threshold. This is the default.

and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialo

content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area,
ent Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want t

ecurity Zones and Content Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zo
r each security zone, carry out the following steps: 1. In Group Policy, click User Configuration, click Internet Explorer Maintenance, and the
atings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want to man
ecurity Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want to manage ActiveX controls, and then
content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area,
en click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved.
ent Ratings, click Import the Current Security Zones Settings, and then click Modify Settings. 3. Select the content zone in which you want t
nd then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved.
Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved.

er process prevail.
ue is not 0 or 1, the policy setting is ignored. If you enable this policy setting for an application or process in the list, a script can perform a C

ow menu option" policy, which disables this command on the shortcut menu, or the "Turn off Shortcut Menu" policy, which disables the en
hortcut Menu" policy, which disables the entire shortcut menu.
option" policy, which removes the Save As command, takes precedence over this policy. If it is enabled, this policy is ignored.
Save Target As.

\Windows Components\Internet Explorer and in \Administrative Templates\Windows Components\Internet Explorer\Internet Control Pa

plorer uses a current user agent string. Additionally, all Standards Mode webpages appear in the Standards Mode available in the latest ve
r 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box. If you do not configure this p

browsing history.

and Do Not Track data is preserved when the user clicks Delete. If you disable this policy setting, ActiveX Filtering, Tracking Protection and
nk color settings" "Disable changing font settings" "Disable changing language settings" "Disable changing accessibility settings"

this setting by using Advanced Options in Internet Control Panel. By default, domain names are converted to IDN format only for address

By selecting this option, Internet Explorer sends a DNT:1 header with all HTTP and HTTPS requests; unless the user grants a site-specific ex
mpt users to install them.

ir identities before downloading them to user computers.


registry and the file system. When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an ActiveX

Files folder when browser windows are closed.

able or do not configure this policy setting, the user can select which encryption method the browser supports. Note: SSL 2.0 is off by defau

. This feature is turned off by default.

t configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dial
hange this option to start with the tabs from the last session.
ta on their computers.
store data on their computers.
licy setting. If you disable or do not configure this policy setting, Internet Explorer will use the default maximum storage limit for all applica

policy. If you disable or do not configure this policy setting, Internet Explorer will use the default maximum storage limit for all indexed data
urces. The default is 50 MB.
f you disable or do not configure this policy setting, Internet Explorer will use the default maximum application cache resource list size for

rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o

rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o
rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o
rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o
rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o
rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o
rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o
rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o
rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o
have special security settings that protect your local computer.) If you enable this policy setting, you can enter a list of sites and their relate
rity), the same change should be made to the Locked-Down equivalent. Note. It is recommended to configure template policy settings in o

he user turns off the Notification bar.


L or ADO to access data from another site in the zone.
is blocked. If you do not configure this policy setting, the Notification bar will appear to allow control over questionable content accessed

nside Internet Explorer.


files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able
windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone a

rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore

ot configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

s on the pages in this zone.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ

usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
ML forms on pages in this zone to be submitted.

re, or directly within a Web page saved to disk.


olicy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
is blocked. If you do not configure this policy setting, the Notification bar will appear to allow control over questionable content accessed
nside Internet Explorer.
files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

curity zone runs without the added layer of security provided by this feature.

rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore

ot configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

s on the pages in this zone.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ

usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
d automatically.
re, or directly within a Web page saved to disk.
olicy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
ADO to access data from another site in the zone.
is blocked. If you do not configure this policy setting, the Notification bar will appear to allow control over questionable content accessed

nside Internet Explorer.


files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

curity zone runs without the added layer of security provided by this feature.

rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore

ot configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

hout user intervention.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ
usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
d automatically.

re, or directly within a Web page saved to disk.


cy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protectio
L or ADO to access data from another site in the zone.

nside Internet Explorer.


files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone a

rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information
destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore
ne, as dictated by the feature control setting for the process.

ot configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

s on the pages in this zone.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ

usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
ML forms on pages in this zone to be submitted.

re, or directly within a Web page saved to disk.


cy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protectio
to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

nside Internet Explorer.


files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone a
rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore
ne, as dictated by the feature control setting for the process.

ot configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

s on the pages in this zone.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ

usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
d automatically.

re, or directly within a Web page saved to disk.


cy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protectio
ADO to access data from another site in the zone.

nside Internet Explorer.


files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone a

rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore
ne, as dictated by the feature control setting for the process.

ot configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

hout user intervention.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ

usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
d automatically.

re, or directly within a Web page saved to disk.


cy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protectio
L or ADO to access data from another site in the zone.

nside Internet Explorer.


files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone a

rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore
ne, as dictated by the feature control setting for the process.

ot configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

he pages in this zone.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ
usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
ML forms on pages in this zone to be submitted.

store, or directly within a Web page saved to disk.


cy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protectio
ADO to access data from another site in the zone.

nside Internet Explorer.


files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone a

rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore
ne, as dictated by the feature control setting for the process.

ot configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
hout user intervention.
nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ

usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
d automatically.

re, or directly within a Web page saved to disk.


cy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protectio
L or ADO to access data from another site in the zone.
cted protocols is blocked. If you do not configure this policy setting, all attempts to access such content over the restricted protocols is blo

nside Internet Explorer.


files inside Internet Explorer.

custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone a

rs in specified zones.
ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore
ne, as dictated by the feature control setting for the process.

ot configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

he pages in this zone.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ

usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
ML forms on pages in this zone to be submitted.

store, or directly within a Web page saved to disk.


cy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protectio
ADO to access data from another site in the zone.
is blocked. If you do not configure this policy setting, the Notification bar will appear to allow control over questionable content accessed

nside Internet Explorer.


files inside Internet Explorer.
custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able

curity zone runs without the added layer of security provided by this feature.

rs in specified zones.

ssage and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information

destination are in different windows. Users can change this setting in the Internet Options dialog. In Internet Explorer 9 and earlier versions
n when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. In Internet Explore

ot configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

hout user intervention.


nse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's networ

usted zones.
ng automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure t
d automatically.

re, or directly within a Web page saved to disk.


olicy setting, a warning is issued to the user that potentially risky navigation is about to occur.
he user can turn on or turn off details in these error messages.

r can allow or prevent the display of placeholders for graphical images while the images are downloading.

on or turn off image display.

tting, the user can select their preference for this behavior. Browsing to the top-result website is the default.
ess after the branding is complete for ISPs (IEAK).

rn the Use Windows Search setting on or off. Note: If you enable this policy setting, feeds do not appear in the Address bar. This does not a

e over this policy. If it is enabled, this policy is ignored.


cated in User Configuration\Administrative Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is e

e Templates\Windows Components\Internet Explorer) take precedence over this policy. If either policy is enabled, this policy is ignored.
tion\Administrative Templates\Windows Components\Internet Explorer) take precedence over this policy. If either policy is enabled, this
about server load for downloading content. The "Hide Favorites menu" policy (located in User Configuration\Administrative Templates\Win

ations that are concerned about server load for downloading content. The "Hide Favorites menu" policy (located in User Configuration\Adm
nutes after midnight. The Maximum Offline Page Crawl Depth setting specifies how many levels of a Web site are searched for new inform
ndows 8, if the "Do not display the reveal password button" policy setting located in Computer Configuration\Administrative Templates\W

ist. The CLSID should be in brackets for example, '{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obta

licy setting. If you enable this policy setting, Internet Explorer only allows add-ons that are specifically listed (and allowed) through the 'Add
alue Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter Internet Explorer processes in this list because the
lorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box. Note that Adobe Flash c

g, only VML will be allowed in zones set to 'admin-approved'. Note. If this policy is set in both Computer Configuration and User Configura

xplorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this box

policy setting, Internet Explorer requires consistent MIME data for all received files.
0 file-type information is allowed to be inconsistent. The Value Name is the name of the executable. If a Value Name is empty or the Value
applied to local files or content processed by any process other than Internet Explorer or those defined in a process list.
Internet Explorer. If you do not configure this policy setting, the Local Machine zone security applies to all local files and content processed
plorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy s

enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the se

ecedence over that setting. If you disable or do not configure this policy setting, the policy setting is ignored.

etting, the policy setting is ignored.


cy setting is ignored. Do not enter the File Explorer or Internet Explorer processes in this list: use the related Internet Explorer Processes po
tricted protocols to access my computer." Note. If policy for a zone is set in both Computer Configuration and User Configuration, both lis
tricted protocols to access my computer." Note. If policy for a zone is set in both Computer Configuration and User Configuration, both lis
tricted protocols to access my computer." Note. If policy for a zone is set in both Computer Configuration and User Configuration, both lis
tricted protocols to access my computer." Note. If policy for a zone is set in both Computer Configuration and User Configuration, both lis
tricted protocols to access my computer." Note. If policy for a zone is set in both Computer Configuration and User Configuration, both lis

for IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you

esses policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do not configure thi

rnet Explorer processes.


The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not ente

onfigure this policy setting, the security feature is allowed.

able or do not configure this policy setting, the security feature is allowed.

o not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes

ers from determining which toolbars are displayed in Internet Explorer and File Explorer.

olbars. The user can enable or disable incompatible toolbars. Toolbars that are enabled or disabled via policy settings do not undergo these
er policy setting restricts such configuration.

hem by responding to the notification, using Manage Add-ons, or using other methods.
n their system.

cking a software publishing certificate (.spc) file. This wizard enables users to import and configure settings for certificates from software p

Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored.

m the interface, however, does not prevent users from running the Internet Connection Wizard from the desktop or the Start menu.

e Command bar are not visible, and the user cannot access them. If you disable or do not configure this policy setting, the user can view an

Settings in Internet Explorer 10" in the Internet Explorer TechNet library.

ot configure this policy setting, the user can interchange the positions of the menu bar and the navigation bar.
e file, see the Internet Explorer documentation on search providers. If you disable or do not configure this policy setting, the user can config
ts users from opening files by using the browser.

the computer or how many Internet Explorer isolation settings are running. If you enable this policy setting, you set the rate at which Inter

pen the Internet Options dialog box, click the Contents Tab and click the Settings button.

eX Controls and Plug-ins area, click Administrator Approved.


tent zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, clic

ettings. 3. Select the content zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Control
Explorer Maintenance, and then click Security. 2. Double-click Security Zones and Content Ratings, click Import the Current Security Zones S
one in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Adm
ge ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved.
eX Controls and Plug-ins area, click Administrator Approved.

ntent zone in which you want to manage ActiveX controls, and then click Custom Level. 4. In the Run ActiveX Controls and Plug-ins area, clic

he list, a script can perform a Clipboard operation without prompting the user. This means that if the zone behavior is currently set to prom

u" policy, which disables the entire shortcut menu. Note: the user will still be able to open New Tabs.

policy is ignored.

t Explorer\Internet Control Panel folders.

Mode available in the latest version of Internet Explorer. This option matches the default behavior of Internet Explorer. If you do not config
x. If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appen

ering, Tracking Protection and Do Not Track data is deleted when the user clicks Delete. If you don't configure this policy setting, users can
ssibility settings"

o IDN format only for addresses that are not in the Intranet zone.

e user grants a site-specific exception. Internet Explorer sends a DNT:0 header to any sites granted an exception. By default, this option is

at attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet Explorer notifies the user and gives

ts. Note: SSL 2.0 is off by default. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality

ab of the Internet Options dialog.


um storage limit for all application caches. The default is 50 MB.

orage limit for all indexed databases. The default is 500 MB.

on cache resource list size for all application caches. The default is 1000 resources.

e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can

e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can
e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can
e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can
e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can
e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can
e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can
e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can
e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can
r a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified
e template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can

uestionable content accessed over any restricted protocols when the Network Protocol Lockdown security feature is enabled.

e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p
eature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the

afety. If you do not configure this policy setting, permissions are set to Medium safety.

uestionable content accessed over any restricted protocols when the Network Protocol Lockdown security feature is enabled.
e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the

afety. If you do not configure this policy setting, permissions are set to Medium safety.
uestionable content accessed over any restricted protocols when the Network Protocol Lockdown security feature is enabled.

e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

or scripted.

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the
afety. If you do not configure this policy setting, permissions are set to Low safety.

n this zone as set by Protection from Zone Elevation feature control.

e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.
Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the

afety. If you do not configure this policy setting, permissions are set to Low safety.

n this zone as set by Protection from Zone Elevation feature control.

e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the

afety. If you do not configure this policy setting, permissions are set to Low safety.

n this zone as set by Protection from Zone Elevation feature control.


e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the

afety. If you do not configure this policy setting, permissions are set to Low safety.
n this zone as set by Protection from Zone Elevation feature control.

e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the
afety. If you do not configure this policy setting, permissions are set to Low safety.

n this zone as set by Protection from Zone Elevation feature control.

e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o
logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the

afety. If you do not configure this policy setting, permissions are set to Low safety.

n this zone as set by Protection from Zone Elevation feature control.

the restricted protocols is blocked when the Network Protocol Lockdown security feature is enabled.

e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the

afety. If you do not configure this policy setting, permissions are set to High safety.

n this zone as set by Protection from Zone Elevation feature control.

uestionable content accessed over any restricted protocols when the Network Protocol Lockdown security feature is enabled.
e the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. If you enable this p

eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different dom
tions dialog. In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from o

or scripted.

logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the

afety. If you do not configure this policy setting, permissions are set to Low safety.
e Address bar. This does not affect subscribing to feeds and interacting with them through the Favorites Center.

dence over this policy. If it is enabled, this policy is ignored.

nabled, this policy is ignored.


f either policy is enabled, this policy is ignored.
Administrative Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is enabled, this policy is ignore

ated in User Configuration\Administrative Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is en
e are searched for new information.
n\Administrative Templates\Windows Components\Credential User Interface is enabled for the system, it will override this policy setting.

LSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. Value - A number indic

and allowed) through the 'Add-on List' policy setting. If you disable or do not configure this policy setting, users may use Add-on Manager t
ocesses in this list because these processes always respect add-on management user preferences and policy settings. If the All Processes p
g box. Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on

figuration and User Configuration, both lists of behaviors will be allowed as appropriate.

rocesses configured in this box take precedence over that setting. If you disable or do not configure this policy setting, the security feature

ue Name is empty or the Value is not 0 or 1, the policy setting is ignored. Do not enter the Internet Explorer processes in this list: use the re
process list.
cal files and content processed by Internet Explorer.
es. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that setting. If you disable or do

figure this policy setting, the security feature is allowed.

nternet Explorer Processes policy to enable or disable these processes. If the All Processes policy setting is enabled, the processes configur
d User Configuration, both lists of protocols will be restricted for that zone.
d User Configuration, both lists of protocols will be restricted for that zone.
d User Configuration, both lists of protocols will be restricted for that zone.
d User Configuration, both lists of protocols will be restricted for that zone.
d User Configuration, both lists of protocols will be restricted for that zone.

dence over that setting. If you disable or do not configure this policy setting, the Notification bar is not displayed for the specified process

disable or do not configure this policy setting, the security feature is allowed.

y setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or

enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take precedence over that

settings do not undergo these checks.


or certificates from software publishers that haven't already been configured for Internet Explorer.

sktop or the Start menu.

y setting, the user can view and access the navigation bar, the menu bar, and the Command bar.
licy setting, the user can configure his or her list of search providers.

you set the rate at which Internet Explorer creates new tab processes to low, medium, or high, or to an integer.If you disable or do not con
Controls and Plug-ins area, click Administrator Approved.

l.4. In the Run ActiveX Controls and Plug-ins area, click Administrator Approved.
rt the Current Security Zones Settings, and then click Modify Settings.3. Select the content zone in which you want to manage ActiveX cont
ols and Plug-ins area, click Administrator Approved.
nistrator Approved.

Controls and Plug-ins area, click Administrator Approved.

ehavior is currently set to prompt, it will be bypassed and enabled.If you disable this policy setting for an application or process in the list, a

et Explorer.If you do not configure this policy setting, the user can turn on and turn off Internet Explorer 7 Standards Mode.
with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Expl

e this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do No
tion. By default, this option is turned on.

rer notifies the user and gives the option to disable Enhanced Protected Mode for that particular website.If you enable this policy setting,

erformance and functionality of TLS 1.0.


gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in

gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in
gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in
gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in
gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in
gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in
gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in
gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in
gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in
urity settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information: Value
gs in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply in

eature is enabled.

of the item.If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon
ng for the process.

(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password.If you disable this policy setting, logon is set to Auto

eature is enabled.
of the item.If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password.If you disable this policy setting, logon is set to Auto
eature is enabled.

of the item.If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password.If you disable this policy setting, logon is set to Auto
of the item.If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

ng for the process.

(http://) content.
ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password.If you disable this policy setting, logon is set to Auto

of the item.If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

ng for the process.


(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password.If you disable this policy setting, logon is set to Auto
of the item.If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

ng for the process.

(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password.If you disable this policy setting, logon is set to Auto
of the item.If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

ng for the process.

(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password.If you disable this policy setting, logon is set to Auto
of the item.If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

ng for the process.

(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch
t supported by the server, the user is queried to provide the user name and password.If you disable this policy setting, logon is set to Auto

of the item.If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

ng for the process.


(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password.If you disable this policy setting, logon is set to Auto

eature is enabled.
of the item.If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zon

(http://) content.

ne domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch

t supported by the server, the user is queried to provide the user name and password.If you disable this policy setting, logon is set to Auto
s enabled, this policy is ignored.

ence over this policy. If it is enabled, this policy is ignored.


ill override this policy setting.

renced.Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on sho

ers may use Add-on Manager to allow or deny any add-ons that are not included in the 'Add-on List' policy setting.Note: If an add-on is liste
settings. If the All Processes policy setting is enabled, the processes configured in this policy setting take precedence over that setting.If yo
ecifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disa

y setting, the security feature is allowed.

rocesses in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting i

hat setting.If you disable or do not configure this policy setting, the security feature is allowed.

nabled, the processes configured in this box take precedence over that setting.If you disable or do not configure this policy setting, the sec
ayed for the specified processes.

Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled, the processes configured in this box take p

box take precedence over that setting.If you disable or do not configure this policy setting, the security feature is allowed.
er.If you disable or do not configure this policy setting, the tab process growth is set to the default. The user can change this value by usin
want to manage ActiveX controls, and then click Custom Level.4. In the Run ActiveX Controls and Plug-ins area, click Administrator Appro

lication or process in the list, a script that is running in the application or process cannot bypass the prompt for delete, copy, or paste ope

andards Mode.
pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer c

racking Protection, and Do Not Track data when clicking Delete.


you enable this policy setting, Internet Explorer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode
itance, or enforce) to apply individual settings to specific targets.

itance, or enforce) to apply individual settings to specific targets.


itance, or enforce) to apply individual settings to specific targets.
itance, or enforce) to apply individual settings to specific targets.
itance, or enforce) to apply individual settings to specific targets.
itance, or enforce) to apply individual settings to specific targets.
itance, or enforce) to apply individual settings to specific targets.
itance, or enforce) to apply individual settings to specific targets.
itance, or enforce) to apply individual settings to specific targets.
e following information: Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may al
itance, or enforce) to apply individual settings to specific targets.

earch query results in this zone using File Explorer.If you disable this policy setting, users will be prevented from previewing items and get
hange this setting.
ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting, logon is set to Automatic logon o
earch query results in this zone using File Explorer.If you disable this policy setting, users will be prevented from previewing items and get

hange this setting.


ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting, logon is set to Automatic logon o
earch query results in this zone using File Explorer.If you disable this policy setting, users will be prevented from previewing items and get

hange this setting.


ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting, logon is set to Automatic logon w
earch query results in this zone using File Explorer.If you disable this policy setting, users will be prevented from previewing items and get
hange this setting.
ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting, logon is set to Automatic logon o

earch query results in this zone using File Explorer.If you disable this policy setting, users will be prevented from previewing items and get
hange this setting.
ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting, logon is set to Automatic logon o
earch query results in this zone using File Explorer.If you disable this policy setting, users will be prevented from previewing items and get

hange this setting.


ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting, logon is set to Automatic logon w
earch query results in this zone using File Explorer.If you disable this policy setting, users will be prevented from previewing items and get

hange this setting.


ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting, logon is set to Prompt for userna
earch query results in this zone using File Explorer.If you disable this policy setting, users will be prevented from previewing items and get

hange this setting.


ame window. Users cannot change this setting in the Internet Options dialog.
cy setting, logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting, logon is set to Automatic logon w

earch query results in this zone using File Explorer.If you disable this policy setting, users will be prevented from previewing items and get
hange this setting.
ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting, logon is set to Prompt for userna
earch query results in this zone using File Explorer.If you disable this policy setting, users will be prevented from previewing items and get

hange this setting.


ame window. Users cannot change this setting in the Internet Options dialog.

cy setting, logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting, logon is set to Automatic logon w
. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) in

etting.Note: If an add-on is listed in the 'Add-on List' policy setting, the user cannot change its state through Add-on Manager (unless its va
cedence over that setting.If you do not configure this policy, processes other than the Internet Explorer processes will not be affected by a
However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy se

e All Processes policy setting is enabled, the processes configured in this box take precedence over that setting.If you disable or do not con

gure this policy setting, the security feature is allowed.


s configured in this box take precedence over that setting.If you disable or do not configure this policy setting, the security feature is allow

re is allowed.
can change this value by using the registry key. Note: On Terminal Server, the default value is the integer “1”.
rea, click Administrator Approved.

for delete, copy, or paste operations from the Clipboard.If you do not configure this policy setting, current values of the URL action for an

xisting webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the defaul
ted Mode. All Protected Mode websites will run in Enhanced Protected Mode.If you disable or do not configure this policy setting, Internet
er sites. The valuename may also include a specific protocol. For example, if you enter http://www.contoso.com as the valuename,

rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.If you do not configure th
gon is set to Automatic logon only in Intranet zone.
rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.If you do not configure th

gon is set to Automatic logon only in Intranet zone.


rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.If you do not configure th

gon is set to Automatic logon with current username and password.


rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.If you do not configure th
gon is set to Automatic logon only in Intranet zone.

rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.If you do not configure th
gon is set to Automatic logon only in Intranet zone.
rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.If you do not configure th

gon is set to Automatic logon with current username and password.


rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.If you do not configure th

gon is set to Prompt for username and password.


rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.If you do not configure th
gon is set to Automatic logon with current username and password.

rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.If you do not configure th
gon is set to Prompt for username and password.
rom previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.If you do not configure th

gon is set to Automatic logon with current username and password.


be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on thr

Add-on Manager (unless its value has been set to allow user management - see the 'Add-on List' policy for more details).
esses will not be affected by add-on management user preferences or policy settings (unless "All Processes" is enabled).
ed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiat

ng.If you disable or do not configure this policy setting, the security feature is allowed.
g, the security feature is allowed.
alues of the URL action for an application or process in the list prevail.

his option matches the default behavior of Internet Explorer.


ure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regula
oso.com as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected

orer.If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this
orer.If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this
orer.If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this
orer.If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this
orer.If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this
orer.If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this
orer.If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in th
orer.If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this
orer.If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in th
orer.If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this
user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.If you disable this policy setting, the list is deleted. The

ore details).
is enabled).
plorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the
tible ActiveX controls in regular Protected Mode. This is the default behavior.
n all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0

enSearch query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
enSearch query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
enSearch query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
enSearch query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
enSearch query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
enSearch query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
penSearch query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
enSearch query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
penSearch query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
enSearch query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether ad

in Internet Explorer 10" in the Internet Explorer TechNet library.


d as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters

ser logs off from Windows.


ser logs off from Windows.
ser logs off from Windows.
ser logs off from Windows.
ser logs off from Windows.
ser logs off from Windows.
user logs off from Windows.
ser logs off from Windows.
user logs off from Windows.
ser logs off from Windows.
will still determine whether add-ons not in this list are assumed to be denied.
include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and
ngs for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would there
net Explorer, and would therefore be in conflict.Value - A number indicating the zone with which this site should be associated for security
ould be associated for security settings. The Internet Explorer zones described above are 1-4.If you disable or do not configure this policy,
r do not configure this policy, users may choose their own site-to-zone assignments.
